| CCI-001545 |
The organization defines a frequency for reviewing and updating the access control policy. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as annually. |
DoD has defined the frequency as annually. |
Access Control Policy And Procedures |
AC-1 |
AC-1.8 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the access control policy and associated access controls; and
b. Reviews and updates the current:
1. Access control policy [Assignment: organization-defined frequency]; and
2. Access control procedures [Assignment: organization-defined frequency]. |
| CCI-001546 |
The organization defines a frequency for reviewing and updating the access control procedures. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as annually. |
DoD has defined the frequency as annually. |
Access Control Policy And Procedures |
AC-1 |
AC-1.10 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the access control policy and associated access controls; and
b. Reviews and updates the current:
1. Access control policy [Assignment: organization-defined frequency]; and
2. Access control procedures [Assignment: organization-defined frequency]. |
| CCI-000001 |
The organization develops an access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
The organization conducting the inspection/assessment obtains and examines the access control policy to ensure the organization being inspected/assessed develops and documents an access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
The organization being inspected/assessed develops and documents an access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
Access Control Policy And Procedures |
AC-1 |
AC-1.3 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the access control policy and associated access controls; and
b. Reviews and updates the current:
1. Access control policy [Assignment: organization-defined frequency]; and
2. Access control procedures [Assignment: organization-defined frequency]. |
| CCI-000004 |
The organization develops procedures to facilitate the implementation of the access control policy and associated access controls. |
The organization conducting the inspection/assessment obtains and examines the procedures to facilitate the implementation of the access control policy and associated access controls to ensure the organization being inspected/assessed develops and documents procedures to facilitate the implementation of the access control policy and associated access controls. |
The organization being inspected/assessed develops and documents procedures to facilitate the implementation of the access control policy and associated access controls. |
Access Control Policy And Procedures |
AC-1 |
AC-1.5 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the access control policy and associated access controls; and
b. Reviews and updates the current:
1. Access control policy [Assignment: organization-defined frequency]; and
2. Access control procedures [Assignment: organization-defined frequency]. |
| CCI-000002 |
The organization disseminates the access control policy to organization-defined personnel or roles. |
The organization conducting the inspection/assessment examines the access control policy via the organization's information sharing capability to ensure the organization being inspected/assessed disseminates the policy to all personnel.
DoD has defined the personnel or roles as all personnel. |
The organization being inspected/assessed disseminates via an information sharing capability to all personnel.
DoD has defined the personnel or roles as all personnel. |
Access Control Policy And Procedures |
AC-1 |
AC-1.4 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the access control policy and associated access controls; and
b. Reviews and updates the current:
1. Access control policy [Assignment: organization-defined frequency]; and
2. Access control procedures [Assignment: organization-defined frequency]. |
| CCI-000003 |
The organization reviews and updates the access control policy in accordance with organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the audit trail of reviews and updates to ensure the organization being inspected/assessed annually reviews and updates the access control policy.
DoD has defined the frequency as annually. |
The organization being inspected/assessed annually reviews and updates the access control policy.
The organization must maintain review and update activity as an audit trail.
DoD has defined the frequency as annually. |
Access Control Policy And Procedures |
AC-1 |
AC-1.7 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the access control policy and associated access controls; and
b. Reviews and updates the current:
1. Access control policy [Assignment: organization-defined frequency]; and
2. Access control procedures [Assignment: organization-defined frequency]. |
| CCI-000005 |
The organization disseminates the procedures to facilitate access control policy and associated access controls to the organization-defined personnel or roles. |
The organization conducting the inspection/assessment examines the procedures to facilitate access control policy and associated access controls via the organization's information sharing capability to ensure the organization being inspected/assessed disseminates the procedures to all personnel.
DoD has defined the personnel or roles as all personnel. |
The organization being inspected/assessed disseminates via an information sharing capability to all personnel the procedures to facilitate access control policy and associated access controls.
DoD has defined the personnel or roles as all personnel. |
Access Control Policy And Procedures |
AC-1 |
AC-1.6 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the access control policy and associated access controls; and
b. Reviews and updates the current:
1. Access control policy [Assignment: organization-defined frequency]; and
2. Access control procedures [Assignment: organization-defined frequency]. |
| CCI-000006 |
The organization reviews and updates the access control procedures in accordance with organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the audit trail of reviews and updates to ensure the organization being inspected/assessed annually reviews and updates the access control procedures.
DoD has defined the frequency as annually. |
The organization being inspected/assessed annually reviews and updates the access control procedures.
The organization must maintain review and update activity as an audit trail.
DoD has defined the frequency as annually. |
Access Control Policy And Procedures |
AC-1 |
AC-1.9 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the access control policy and associated access controls; and
b. Reviews and updates the current:
1. Access control policy [Assignment: organization-defined frequency]; and
2. Access control procedures [Assignment: organization-defined frequency]. |
| CCI-001547 |
The organization defines the frequency on which it will review information system accounts for compliance with account management requirements. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as at a minimum, annually. |
DoD has defined the frequency as at a minimum, annually. |
Account Management |
AC-2 |
AC-2.23 |
Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. |
The organization:
a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
h. Notifies account managers:
1. When accounts are no longer required;
2. When users are terminated or transferred; and
3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on:
1. A valid access authorization;
2. Intended system usage; and
3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. |
| CCI-000007 |
The organization manages information system accounts by identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary). |
|
|
|
|
|
|
|
| CCI-000008 |
The organization establishes conditions for group membership. |
The organization conducting the inspection/assessment obtains and examines the documented conditions for adding accounts as members of groups to ensure that the conditions are established. |
The organization being inspected/assessed documents conditions for adding accounts as members of groups. |
Account Management |
AC-2 |
AC-2.4 |
Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. |
The organization:
a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
h. Notifies account managers:
1. When accounts are no longer required;
2. When users are terminated or transferred; and
3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on:
1. A valid access authorization;
2. Intended system usage; and
3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. |
| CCI-000009 |
The organization manages information system accounts by identifying authorized users of the information system and specifying access privileges. |
|
|
|
|
|
|
|
| CCI-000010 |
The organization requires approvals by organization-defined personnel or roles for requests to create information system accounts. |
The organization conducting the inspection/assessment obtains and examines the audit trail of approvals to ensure that the organization being inspected/assessed implements a process for the ISSM or ISSO to approve information system account requests.
DoD has defined the personnel or roles as the ISSM or ISSO. |
The organization being inspected/assessed implements a process for the ISSM or ISSO to approve information system account requests.
The organization being inspected/assessed maintains an audit trail of approvals.
DoD has defined the personnel or roles as the ISSM or ISSO. |
Account Management |
AC-2 |
AC-2.11 |
Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. |
The organization:
a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
h. Notifies account managers:
1. When accounts are no longer required;
2. When users are terminated or transferred; and
3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on:
1. A valid access authorization;
2. Intended system usage; and
3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. |
| CCI-000011 |
The organization creates, enables, modifies, disables, and removes information system accounts in accordance with organization-defined procedures or conditions. |
The organization conducting the inspection/assessment obtains and examines the audit trail of account maintenance activities to ensure the organization being inspected/assessed implements account maintenance processes to create, enable, modify, disable, remove, and track information system accounts in accordance with procedures or conditions defined in AC-2, 2121. |
The organization being inspected/assessed implements account maintenance processes to create, enable, modify, disable, and remove information system accounts in accordance with procedures or conditions defined in AC-2, 2121.
The organization being inspected/assessed maintains an audit trail of account maintenance activities. |
Account Management |
AC-2 |
AC-2.13 |
Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. |
The organization:
a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
h. Notifies account managers:
1. When accounts are no longer required;
2. When users are terminated or transferred; and
3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on:
1. A valid access authorization;
2. Intended system usage; and
3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. |
| CCI-000012 |
The organization reviews information system accounts for compliance with account management requirements per organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the audit trail of reviews to ensure the organization being inspected/assessed implements a process to review information system accounts for compliance with account management requirements at a minimum, annually.
DoD has defined the frequency as at a minimum, annually. |
The organization being inspected/assessed implements a process to review information system accounts for compliance with account management requirements at a minimum, annually.
The organization being inspected/assessed maintains an audit trail of reviews.
DoD has defined the frequency as at a minimum, annually. |
Account Management |
AC-2 |
AC-2.22 |
Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. |
The organization:
a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
h. Notifies account managers:
1. When accounts are no longer required;
2. When users are terminated or transferred; and
3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on:
1. A valid access authorization;
2. Intended system usage; and
3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. |
| CCI-000013 |
The organization manages information system accounts by notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes. |
|
|
|
|
|
|
|
| CCI-000014 |
The organization manages information system accounts by granting access to the system based on a valid access authorization; intended system usage; and other attributes as required by the organization or associated missions/business functions. |
|
|
|
|
|
|
|
| CCI-000015 |
The organization employs automated mechanisms to support the information system account management functions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to employ automated mechanisms to support the information system account management functions.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 000015. |
The organization being inspected/assessed configures the information system to employ automated mechanisms to support the information system account management functions.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 000015. |
Account Management | Automated System Account Management |
AC-2 (1) |
AC-2(1).1 |
The use of automated mechanisms can include, for example: using email or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using telephonic notification to report atypical system account usage. |
The organization employs automated mechanisms to support the management of information system accounts. |
| CCI-000016 |
The information system automatically removes or disables temporary accounts after an organization-defined time period for each type of account. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to automatically remove or disable temporary accounts after 72 hours.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 000016.
DoD has defined the time period as 72 hours. |
The organization being inspected/assessed configures the information system to automatically remove or disable temporary accounts after 72 hours.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 000016.
DoD has defined the time period as 72 hours. |
Account Management | Removal Of Temporary / Emergency Accounts |
AC-2 (2) |
AC-2(2).1 |
This control enhancement requires the removal of both temporary and emergency accounts automatically after a predefined period of time has elapsed, rather than at the convenience of the systems administrator. |
The information system automatically [Selection: removes; disables] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account]. |
| CCI-000017 |
The information system automatically disables inactive accounts after an organization-defined time period. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to disable inactive accounts after 35 days.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 000017.
DoD has defined the time period as 35 days. |
The organization being inspected/assessed configures the information system to disable inactive accounts after 35 days.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 000017.
DoD has defined the time period as 35 days. |
Account Management | Disable Inactive Accounts |
AC-2 (3) |
AC-2(3).1 |
|
The information system automatically disables inactive accounts after [Assignment: organization-defined time period]. |
| CCI-000018 |
The information system automatically audits account creation actions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to automatically audit account creation actions.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 18. |
The organization being inspected/assessed configures the information system to automatically audit account creation actions.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 18. |
Account Management | Automated Audit Actions |
AC-2 (4) |
AC-2(4).1 |
Related controls: AU-2, AU-12. |
The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles]. |
| CCI-000019 |
The organization requires that users log out in accordance with the organization-defined time period of inactivity or description of when to log out. |
The organization conducting the inspection/assessment obtains and examines the user policies to ensure that users are required to log out at the end of the users standard work period unless otherwise defined in formal organizational policy and IAW conditions defined in AC-2 (5) CCI 2133.
DoD has defined the time period as at the end of the users standard work period unless otherwise defined in formal organizational policy. |
The organization being inspected/assessed documents in the user policies that users are required to log out at the end of the users standard work period unless otherwise defined in formal organizational policy and IAW conditions defined in AC-2 (5) CCI 2133.
DoD has defined the time period as at the end of the users standard work period unless otherwise defined in formal organizational policy. |
Account Management | Inactivity Logout |
AC-2 (5) |
AC-2(5).2 |
Related control: SC-23. |
The organization requires that users log out when [Assignment: organization-defined time-period of expected inactivity or description of when to log out]. |
| CCI-000020 |
The information system dynamically manages user privileges and associated access authorizations. |
|
|
|
|
|
|
|
| CCI-000237 |
The organization manages information system accounts by specifically authorizing and monitoring the use of guest/anonymous accounts and temporary accounts. |
|
|
|
|
|
|
|
| CCI-000208 |
The organization determines normal time-of-day and duration usage for information system accounts. |
|
|
|
|
|
|
|
| CCI-001361 |
The organization defines a time period after which temporary accounts are automatically terminated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as 72 hours.
The time period of 72 hours applies to temporary user accounts. |
DoD has defined the time period as 72 hours.
The time period of 72 hours applies to temporary user accounts. |
Account Management | Removal Of Temporary / Emergency Accounts |
AC-2 (2) |
AC-2(2).2 |
This control enhancement requires the removal of both temporary and emergency accounts automatically after a predefined period of time has elapsed, rather than at the convenience of the systems administrator. |
The information system automatically [Selection: removes; disables] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account]. |
| CCI-001365 |
The organization defines a time period after which emergency accounts are automatically terminated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as never.
The time period of never applies to emergency admin accounts. |
DoD has defined the time period as never.
The time period of never applies to emergency admin accounts. |
Account Management | Removal Of Temporary / Emergency Accounts |
AC-2 (2) |
AC-2(2).3 |
This control enhancement requires the removal of both temporary and emergency accounts automatically after a predefined period of time has elapsed, rather than at the convenience of the systems administrator. |
The information system automatically [Selection: removes; disables] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account]. |
| CCI-000217 |
The organization defines a time period after which inactive accounts are automatically disabled. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as 35 days. |
DoD has defined the time period as 35 days. |
Account Management | Disable Inactive Accounts |
AC-2 (3) |
AC-2(3).2 |
|
The information system automatically disables inactive accounts after [Assignment: organization-defined time period]. |
| CCI-001403 |
The information system automatically audits account modification actions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to automatically audit account modification actions.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1403. |
The organization being inspected/assessed configures the information system to automatically audit account modification actions.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1403. |
Account Management | Automated Audit Actions |
AC-2 (4) |
AC-2(4).2 |
Related controls: AU-2, AU-12. |
The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles]. |
| CCI-001404 |
The information system automatically audits account disabling actions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to automatically audit account disabling actions.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1404. |
The organization being inspected/assessed configures the information system to automatically audit account disabling actions.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1404. |
Account Management | Automated Audit Actions |
AC-2 (4) |
AC-2(4).3 |
Related controls: AU-2, AU-12. |
The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles]. |
| CCI-001405 |
The information system automatically audits account removal actions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to automatically audit account removal actions.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1405. |
The organization being inspected/assessed configures the information system to automatically audit account removal actions.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1405. |
Account Management | Automated Audit Actions |
AC-2 (4) |
AC-2(4).4 |
Related controls: AU-2, AU-12. |
The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles]. |
| CCI-001406 |
The organization defines a time period of expected inactivity when users are required to log out. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as at the end of the users standard work period unless otherwise defined in formal organizational policy. |
DoD has defined the time period as at the end of the users standard work period unless otherwise defined in formal organizational policy. |
Account Management | Inactivity Logout |
AC-2 (5) |
AC-2(5).3 |
Related control: SC-23. |
The organization requires that users log out when [Assignment: organization-defined time-period of expected inactivity or description of when to log out]. |
| CCI-001407 |
The organization administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles. |
The organization conducting the inspection/assessment obtains and examines documented processes for privileged user account creation to ensure the organization being inspected/assessed administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles. |
The organization being inspected/assessed documents and implements a process to administer privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles. |
Account Management | Role-Based Schemes |
AC-2 (7) |
AC-2(7).2 |
Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. These privileged roles include, for example, key management, account management, network and system administration, database administration, and web administration. |
The organization:
(a) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;
(b) Monitors privileged role assignments; and
(c) Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate. |
| CCI-001354 |
The organization manages information system accounts by deactivating temporary accounts that are no longer required. |
|
|
|
|
|
|
|
| CCI-001355 |
The organization manages information system accounts by deactivating accounts of terminated or transferred users. |
|
|
|
|
|
|
|
| CCI-001356 |
The organization monitors for atypical usage of information system accounts. |
|
|
|
|
|
|
|
| CCI-001357 |
The organization reports atypical usage to designated organizational officials. |
|
|
|
|
|
|
|
| CCI-001358 |
The organization establishes privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles. |
The organization conducting the inspection/assessment obtains and examines documented processes for privileged user account creation to ensure the organization being inspected/assessed establishes privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles. |
The organization being inspected/assessed documents and implements a process to establish privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles. |
Account Management | Role-Based Schemes |
AC-2 (7) |
AC-2(7).1 |
Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. These privileged roles include, for example, key management, account management, network and system administration, database administration, and web administration. |
The organization:
(a) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;
(b) Monitors privileged role assignments; and
(c) Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate. |
| CCI-001359 |
The organization tracks privileged role assignments. |
|
|
|
|
|
|
|
| CCI-001360 |
The organization monitors privileged role assignments. |
The organization conducting the inspection/assessment obtains and examines the audit trail of monitoring to ensure the organization being inspected/assessed monitors privileged role assignments. |
The organization being inspected/assessed implements a process to monitor privileged role assignments.
The organization must maintain an audit trail of monitoring. |
Account Management | Role-Based Schemes |
AC-2 (7) |
AC-2(7).3 |
Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. These privileged roles include, for example, key management, account management, network and system administration, database administration, and web administration. |
The organization:
(a) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;
(b) Monitors privileged role assignments; and
(c) Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate. |
| CCI-001682 |
The information system automatically removes or disables emergency accounts after an organization-defined time period for each type of account. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to never automatically remove or disable emergency accounts.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1682.
DoD has defined the time period as never. |
The organization being inspected/assessed configures the information system to never automatically remove or disable emergency accounts.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1682.
DoD has defined the time period as never.
|
Account Management | Removal Of Temporary / Emergency Accounts |
AC-2 (2) |
AC-2(2).4 |
This control enhancement requires the removal of both temporary and emergency accounts automatically after a predefined period of time has elapsed, rather than at the convenience of the systems administrator. |
The information system automatically [Selection: removes; disables] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account]. |
| CCI-001683 |
The information system notifies organization-defined personnel or roles for account creation actions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to notify the system administrator and ISSO for account creation actions.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1683.
DoD has defined the personnel or roles as the system administrator and ISSO. |
The organization being inspected/assessed configures the information system to notify the system administrator and ISSO for account creation actions.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1683.
DoD has defined the personnel or roles as the system administrator and ISSO. |
Account Management | Automated Audit Actions |
AC-2 (4) |
AC-2(4).5 |
Related controls: AU-2, AU-12. |
The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles]. |
| CCI-001684 |
The information system notifies organization-defined personnel or roles for account modification actions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to notify the system administrator and ISSO for account modification actions.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1684.
DoD has defined the personnel or roles as the system administrator and ISSO. |
The organization being inspected/assessed configures the information system to notify the system administrator and ISSO for account modification actions.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1684.
DoD has defined the personnel or roles as the system administrator and ISSO. |
Account Management | Automated Audit Actions |
AC-2 (4) |
AC-2(4).6 |
Related controls: AU-2, AU-12. |
The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles]. |
| CCI-001685 |
The information system notifies organization-defined personnel or roles for account disabling actions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to notify the system administrator and ISSO for account disabling actions.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1685.
DoD has defined the personnel or roles as the system administrator and ISSO. |
The organization being inspected/assessed configures the information system to notify the system administrator and ISSO for account disabling actions.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1685.
DoD has defined the personnel or roles as the system administrator and ISSO. |
Account Management | Automated Audit Actions |
AC-2 (4) |
AC-2(4).7 |
Related controls: AU-2, AU-12. |
The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles]. |
| CCI-001686 |
The information system notifies organization-defined personnel or roles for account removal actions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to notify the system administrator and ISSO for account removal actions.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1686.
DoD has defined the personnel or roles as the system administrator and ISSO. |
The organization being inspected/assessed configures the information system to notify the system administrator and ISSO for account removal actions.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1686.
DoD has defined the personnel or roles as the system administrator and ISSO. |
Account Management | Automated Audit Actions |
AC-2 (4) |
AC-2(4).8 |
Related controls: AU-2, AU-12. |
The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles]. |
| CCI-001548 |
The organization defines the information flow control policies for controlling the flow of information within the system. |
The organization conducting the inspection/assessment obtains and examines the documented information flow control policies to ensure the organization being inspected/assessed defines the information flow control policies for controlling the flow of information within the system.
DoD has determined the information flow control policies are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information flow control policies for controlling the flow of information within the system.
DoD has determined the information flow control policies are not appropriate to define at the Enterprise level. |
Information Flow Enforcement |
AC-4 |
AC-4.3 |
Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and security labels.
Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18. |
The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]. |
| CCI-001549 |
The organization defines the information flow control policies for controlling the flow of information between interconnected systems. |
The organization conducting the inspection/assessment obtains and examines the documented information flow control policies to ensure the organization being inspected/assessed defines the information flow control policies for controlling the flow of information between interconnected systems.
DoD has determined the information flow control policies are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information flow control policies for controlling the flow of information between interconnected systems.
DoD has determined the information flow control policies are not appropriate to define at the Enterprise level. |
Information Flow Enforcement |
AC-4 |
AC-4.4 |
Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and security labels.
Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18. |
The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]. |
| CCI-001550 |
The organization defines approved authorizations for controlling the flow of information within the system. |
The organization conducting the inspection/assessment obtains and examines the documented approved authorizations to ensure the organization being inspected/assessed defines approved authorizations for controlling the flow of information within the system. |
The organization being inspected/assessed defines and documents approved authorizations for controlling the flow of information within the system. |
Information Flow Enforcement |
AC-4 |
AC-4.5 |
Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and security labels.
Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18. |
The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]. |
| CCI-001551 |
The organization defines approved authorizations for controlling the flow of information between interconnected systems. |
The organization conducting the inspection/assessment obtains and examines the documented approved authorizations to ensure the organization being inspected/assessed defines approved authorizations for controlling the flow of information between interconnected systems. |
The organization being inspected/assessed defines and documents approved authorizations for controlling the flow of information between interconnected systems. |
Information Flow Enforcement |
AC-4 |
AC-4.6 |
Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and security labels.
Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18. |
The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]. |
| CCI-001552 |
The organization defines policy that allows or disallows information flows based on changing conditions or operational considerations. |
|
|
|
|
|
|
|
| CCI-001553 |
The organization defines the security policy filters that privileged administrators have the capability to enable/disable. |
The organization conducting the inspection/assessment obtains and examines the documented security policy filters to ensure the organization being inspected/assessed defines the security policy filters that privileged administrators have the capability to enable/disable.
DoD has determined the security policy filters are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security policy filters that privileged administrators have the capability to enable/disable.
DoD has determined the security policy filters are not appropriate to define at the Enterprise level. |
Information Flow Enforcement | Enable/Disable Security Policy Filters |
AC-4 (10) |
AC-4(10).2 |
For example, as allowed by the information system authorization, administrators can enable security policy filters to accommodate approved data types. |
The information system provides the capability for privileged administrators to enable/disable [Assignment: organization-defined security policy filters] under the following conditions: [Assignment: organization-defined conditions]. |
| CCI-001554 |
The organization defines the security policy filters that privileged administrators have the capability to configure. |
The organization conducting the inspection/assessment obtains and examines the documented security policy filters to ensure the organization being inspected/assessed defines the security policy filters that privileged administrators have the capability to configure.
DoD has determined the security policy filters are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security policy filters that privileged administrators have the capability to configure.
DoD has determined the security policy filters are not appropriate to define at the Enterprise level. |
Information Flow Enforcement | Configuration Of Security Policy Filters |
AC-4 (11) |
AC-4(11).2 |
For example, to reflect changes in security policies, administrators can change the list of “dirty words” that security policy mechanisms check in accordance with the definitions provided by organizations. |
The information system provides the capability for privileged administrators to configure [Assignment: organization-defined security policy filters] to support different security policies. |
| CCI-001555 |
The information system uniquely identifies destination domains for information transfer. |
|
|
|
|
|
|
|
| CCI-001556 |
The information system uniquely authenticates destination domains for information transfer. |
|
|
|
|
|
|
|
| CCI-001557 |
The information system tracks problems associated with the information transfer. |
|
|
|
|
|
|
|
| CCI-000025 |
The information system enforces information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions. |
|
|
|
|
|
|
|
| CCI-000026 |
The information system uses protected processing domains to enforce organization-defined information flow control policies as a basis for flow control decisions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to use protected processing domains to enforce information flow control policies defined in AC-4 (2), CCI 2191 as a basis for flow control decisions.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 000026. |
The organization being inspected/assessed configures the information system to use protected processing domains to enforce information flow control policies defined in AC-4 (2), CCI 2191 as a basis for flow control decisions.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 000026. |
Information Flow Enforcement | Processing Domains |
AC-4 (2) |
AC-4(2).1 |
Within information systems, protected processing domains are processing spaces that have controlled interactions with other processing spaces, thus enabling control of information flows between these spaces and to/from data/information objects. A protected processing domain can be provided, for example, by implementing domain and type enforcement. In domain and type enforcement, information system processes are assigned to domains; information is identified by types; and information flows are controlled based on allowed information accesses (determined by domain and type), allowed signaling among domains, and allowed process transitions to other domains. |
The information system uses protected processing domains to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.
|
| CCI-000027 |
The information system enforces dynamic information flow control based on organization-defined policies. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce dynamic information flow control based on policies defined in AC-4 (3), CCI 2192.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 27. |
The organization being inspected/assessed configures the information system to enforce dynamic information flow control based on policies defined in AC-4 (3), CCI 2192.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 27. |
Information Flow Enforcement | Dynamic Information Flow Control |
AC-4 (3) |
AC-4(3).1 |
Organizational policies regarding dynamic information flow control include, for example, allowing or disallowing information flows based on changing conditions or mission/operational considerations. Changing conditions include, for example, changes in organizational risk tolerance due to changes in the immediacy of mission/business needs, changes in the threat environment, and detection of potentially harmful or adverse events. Related control: SI-4. |
The information system enforces dynamic information flow control based on [Assignment: organization-defined policies]. |
| CCI-000028 |
The information system prevents encrypted information from bypassing content-checking mechanisms by employing organization-defined procedures or methods. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prevent encrypted information from bypassing content-checking mechanisms by employing procedures or methods defined in AC-4 (4), CCI 2193.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 28. |
The organization being inspected/assessed configures the information system to prevent encrypted information from bypassing content-checking mechanisms by employing procedures or methods defined in AC-4 (4), CCI 2193.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 28. |
Information Flow Enforcement | Content Check Encrypted Information |
AC-4 (4) |
AC-4(4).1 |
Related control: SI-4. |
The information system prevents encrypted information from bypassing content-checking mechanisms by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method]]. |
| CCI-000029 |
The information system enforces organization-defined limitations on the embedding of data types within other data types. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce limitations defined in AC-4 (5), CCI 1415 on the embedding of data types within other data types.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 29. |
The organization being inspected/assessed configures the information system to enforce limitations defined in AC-4 (5), CCI 1415 on the embedding of data types within other data types.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 29. |
Information Flow Enforcement | Embedded Data Types |
AC-4 (5) |
AC-4(5).1 |
Embedding data types within other data types may result in reduced flow control effectiveness. Data type embedding includes, for example, inserting executable files as objects within word processing files, inserting references or descriptive information into a media file, and compressed or archived data types that may include multiple embedded data types. Limitations on data type embedding consider the levels of embedding and prohibit levels of data type embedding that are beyond the capability of the inspection tools. |
The information system enforces [Assignment: organization-defined limitations] on embedding data types within other data types. |
| CCI-000030 |
The information system enforces information flow control based on organization-defined metadata. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce information flow control based on metadata defined in AC-4 (6), CCI 2194.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 30. |
The organization being inspected/assessed configures the information system to enforce information flow control based on metadata defined in AC-4 (6), CCI 2194.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 30. |
Information Flow Enforcement | Metadata |
AC-4 (6) |
AC-4(6).1 |
Metadata is information used to describe the characteristics of data. Metadata can include structural metadata describing data structures (e.g., data format, syntax, and semantics) or descriptive metadata describing data contents (e.g., age, location, telephone number). Enforcing allowed information flows based on metadata enables simpler and more effective flow control. Organizations consider the trustworthiness of metadata with regard to data accuracy (i.e., knowledge that the metadata values are correct with respect to the data), data integrity (i.e., protecting against unauthorized changes to metadata tags), and the binding of metadata to the data payload (i.e., ensuring sufficiently strong binding techniques with appropriate levels of assurance). Related controls: AC-16, SI-7. |
The information system enforces information flow control based on [Assignment: organization-defined metadata].
|
| CCI-000031 |
The information system enforces organization-defined one-way flows using hardware mechanisms. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce one-way flows defined in AC-4 (7), CCI 1416 using hardware mechanisms.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 31. |
The organization being inspected/assessed configures the information system to enforce one-way flows defined in AC-4 (7), CCI 1416 using hardware mechanisms.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 31. |
Information Flow Enforcement | One-Way Flow Mechanisms |
AC-4 (7) |
AC-4(7).1 |
|
The information system enforces [Assignment: organization-defined one-way flows] using hardware mechanisms. |
| CCI-000032 |
The information system enforces information flow control using organization-defined security policy filters as a basis for flow control decisions for organization-defined information flows. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce information flow control using security policy filters defined in AC-4 (8), CCI 1417 as a basis for flow control decisions for all information flows.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 32.
DoD has defined the information flows as all information flows. |
The organization being inspected/assessed configures the information system to enforce information flow control using security policy filters defined in AC-4 (8), CCI 1417 as a basis for flow control decisions for all information flows.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 32.
DoD has defined the information flows as all information flows. |
Information Flow Enforcement | Security Policy Filters |
AC-4 (8) |
AC-4(8).1 |
Organization-defined security policy filters can address data structures and content. For example, security policy filters for data structures can check for maximum file lengths, maximum field sizes, and data/file types (for structured and unstructured data). Security policy filters for data content can check for specific words (e.g., dirty/clean word filters), enumerated values or data value ranges, and hidden content. Structured data permits the interpretation of data content by applications. Unstructured data typically refers to digital information without a particular data structure or with a data structure that does not facilitate the development of rule sets to address the particular sensitivity of the information conveyed by the data or the associated flow enforcement decisions. Unstructured data consists of: (i) bitmap objects that are inherently non language-based (i.e., image, video, or audio files); and (ii) textual objects that are based on written or printed languages (e.g., commercial off-the-shelf word processing documents, spreadsheets, or emails). Organizations can implement more than one security policy filter to meet information flow control objectives (e.g., employing clean word lists in conjunction with dirty word lists may help to reduce false positives). |
The information system enforces information flow control using [Assignment: organization-defined security policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows]. |
| CCI-000033 |
The information system enforces the use of human review for organization-defined security policy filters when the system is not capable of making an information flow control decision. |
|
|
|
|
|
|
|
| CCI-000034 |
The information system provides the capability for a privileged administrator to enable/disable organization-defined security policy filters under organization-defined conditions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide the capability for a privileged administrator to enable/disable security policy filters defined in AC-4 (10), CCI 1553 under conditions defined in AC-4 (10), CCI 2199.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 34. |
The organization being inspected/assessed configures the information system to provide the capability for a privileged administrator to enable/disable security policy filters defined in AC-4 (10), CCI 1553 under conditions defined in AC-4 (10), CCI 2199.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 34. |
Information Flow Enforcement | Enable/Disable Security Policy Filters |
AC-4 (10) |
AC-4(10).1 |
For example, as allowed by the information system authorization, administrators can enable security policy filters to accommodate approved data types. |
The information system provides the capability for privileged administrators to enable/disable [Assignment: organization-defined security policy filters] under the following conditions: [Assignment: organization-defined conditions]. |
| CCI-000035 |
The information system provides the capability for privileged administrators to configure the organization-defined security policy filters to support different security policies. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide the capability for privileged administrators to configure the security policy filters defined in AC-4 (11), CCI 1554 to support different security policies.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 35. |
The organization being inspected/assessed configures the information system to provide the capability for privileged administrators to configure the security policy filters defined in AC-4 (11), CCI 1554 to support different security policies.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 35. |
Information Flow Enforcement | Configuration Of Security Policy Filters |
AC-4 (11) |
AC-4(11).1 |
For example, to reflect changes in security policies, administrators can change the list of “dirty words” that security policy mechanisms check in accordance with the definitions provided by organizations. |
The information system provides the capability for privileged administrators to configure [Assignment: organization-defined security policy filters] to support different security policies. |
| CCI-000218 |
The information system, when transferring information between different security domains, identifies information flows by data type specification and usage. |
|
|
|
|
|
|
|
| CCI-000219 |
The information system, when transferring information between different security domains, decomposes information into organization-defined policy-relevant subcomponents for submission to policy enforcement mechanisms. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to decompose information into policy-relevant subcomponents defined in AC-4 (13), CCI 2202 for submission to policy enforcement mechanisms when transferring information between different security domains
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 219. |
The organization being inspected/assessed configures the information system to decompose information into policy-relevant subcomponents defined in AC-4 (13), CCI 2202 for submission to policy enforcement mechanisms when transferring information between different security domains
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 219. |
Information Flow Enforcement | Decomposition Into Policy-Relevant Subcomponents |
AC-4 (13) |
AC-4(13).1 |
Policy enforcement mechanisms apply filtering, inspection, and/or sanitization rules to the policy-relevant subcomponents of information to facilitate flow enforcement prior to transferring such information to different security domains. Parsing transfer files facilitates policy decisions on source, destination, certificates, classification, attachments, and other security-related component differentiators. |
The information system, when transferring information between different security domains, decomposes information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms. |
| CCI-000221 |
The information system enforces security policies regarding information on interconnected systems. |
|
|
|
|
|
|
|
| CCI-000223 |
The information system binds security attributes to information to facilitate information flow policy enforcement. |
|
|
|
|
|
|
|
| CCI-000224 |
The information system tracks problems associated with the security attribute binding. |
|
|
|
|
|
|
|
| CCI-001414 |
The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce approved authorizations for controlling the flow of information between interconnected systems based on information flow control policies defined in AC-4, CCI 1549.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1414. |
The organization being inspected/assessed configures the information system to enforce approved authorizations for controlling the flow of information between interconnected systems based on information flow control policies defined in AC-4, CCI 1549.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1414. |
Information Flow Enforcement |
AC-4 |
AC-4.2 |
Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and security labels.
Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18. |
The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]. |
| CCI-001415 |
The organization defines limitations for the embedding of data types within other data types. |
The organization conducting the inspection/assessment obtains and examines the documented limitations to ensure the organization being inspected/assessed defines the limitations of the embedding of data types within other data types.
DoD has determined the limitations are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the limitations of the embedding of data types within other data types.
DoD has determined the limitations are not appropriate to define at the Enterprise level. |
Information Flow Enforcement | Embedded Data Types |
AC-4 (5) |
AC-4(5).2 |
Embedding data types within other data types may result in reduced flow control effectiveness. Data type embedding includes, for example, inserting executable files as objects within word processing files, inserting references or descriptive information into a media file, and compressed or archived data types that may include multiple embedded data types. Limitations on data type embedding consider the levels of embedding and prohibit levels of data type embedding that are beyond the capability of the inspection tools. |
The information system enforces [Assignment: organization-defined limitations] on embedding data types within other data types. |
| CCI-001416 |
The organization defines one-way information flows to be enforced by the information system. |
The organization conducting the inspection/assessment obtains and examines the documented one-way information flows to ensure the organization being inspected/assessed defines one-way information flows to be enforced by the information system.
DoD has determined the one-way information flow is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents one-way information flows to be enforced by the information system.
DoD has determined the one-way information flow is not appropriate to define at the Enterprise level. |
Information Flow Enforcement | One-Way Flow Mechanisms |
AC-4 (7) |
AC-4(7).2 |
|
The information system enforces [Assignment: organization-defined one-way flows] using hardware mechanisms. |
| CCI-001417 |
The organization defines security policy filters to be enforced by the information system and used as a basis for flow control decisions. |
The organization conducting the inspection/assessment obtains and examines the documented security policy filters to ensure the organization being inspected/assessed defines security policy filters to be enforced by the information system and used as a basis for flow control decisions.
DoD has determined the security policy filters are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents security policy filters to be enforced by the information system and used as a basis for flow control decisions.
DoD has determined the security policy filters are not appropriate to define at the Enterprise level. |
Information Flow Enforcement | Security Policy Filters |
AC-4 (8) |
AC-4(8).2 |
Organization-defined security policy filters can address data structures and content. For example, security policy filters for data structures can check for maximum file lengths, maximum field sizes, and data/file types (for structured and unstructured data). Security policy filters for data content can check for specific words (e.g., dirty/clean word filters), enumerated values or data value ranges, and hidden content. Structured data permits the interpretation of data content by applications. Unstructured data typically refers to digital information without a particular data structure or with a data structure that does not facilitate the development of rule sets to address the particular sensitivity of the information conveyed by the data or the associated flow enforcement decisions. Unstructured data consists of: (i) bitmap objects that are inherently non language-based (i.e., image, video, or audio files); and (ii) textual objects that are based on written or printed languages (e.g., commercial off-the-shelf word processing documents, spreadsheets, or emails). Organizations can implement more than one security policy filter to meet information flow control objectives (e.g., employing clean word lists in conjunction with dirty word lists may help to reduce false positives). |
The information system enforces information flow control using [Assignment: organization-defined security policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows]. |
| CCI-001418 |
The organization defines security policy filters for which the information system enforces the use of human review. |
|
|
|
|
|
|
|
| CCI-001368 |
The information system enforces approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce approved authorizations for controlling the flow of information within the system based on information flow control policies defined in AC-4, CCI 1548.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1368. |
The organization being inspected/assessed configures the information system to enforce approved authorizations for controlling the flow of information within the system based on information flow control policies defined in AC-4, CCI 1548.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1368. |
Information Flow Enforcement |
AC-4 |
AC-4.1 |
Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and security labels.
Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18. |
The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]. |
| CCI-001371 |
The organization defines information security policy filters requiring fully enumerated formats which are to be implemented when transferring information between different security domains. |
The organization conducting the inspection/assessment obtains and examines the documented information security policy filters to ensure the organization being inspected/assessed defines. information security policy filters requiring fully enumerated formats which are to be implemented when transferring information between different security domains.
DoD has determined the frequency is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents information security policy filters requiring fully enumerated formats which are to be implemented when transferring information between different security domains.
DoD has determined the information security policy filters are not appropriate to define at the Enterprise level. |
Information Flow Enforcement | Security Policy Filter Constraints |
AC-4 (14) |
AC-4(14).1 |
Data structure and content restrictions reduce the range of potential malicious and/or unsanctioned content in cross-domain transactions. Security policy filters that restrict data structures include, for example, restricting file sizes and field lengths. Data content policy filters include, for example: (i) encoding formats for character sets (e.g., Universal Character Set Transformation Formats, American Standard Code for Information Interchange); (ii) restricting character data fields to only contain alpha-numeric characters; (iii) prohibiting special characters; and (iv) validating schema structures. |
The information system, when transferring information between different security domains, implements [Assignment: organization-defined security policy filters] requiring fully enumerated formats that restrict data structure and content. |
| CCI-001372 |
The information system, when transferring information between different security domains, implements organization-defined security policy filters requiring fully enumerated formats that restrict data structure and content. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement security policy filters defined in AC-4 (14), CCI 1371 requiring fully enumerated formats that restrict data structure and content.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1372. |
The organization being inspected/assessed configures the information system to implement security policy filters defined in AC-4 (14), CCI 1371 requiring fully enumerated formats that restrict data structure and content.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1372. |
Information Flow Enforcement | Security Policy Filter Constraints |
AC-4 (14) |
AC-4(14).2 |
Data structure and content restrictions reduce the range of potential malicious and/or unsanctioned content in cross-domain transactions. Security policy filters that restrict data structures include, for example, restricting file sizes and field lengths. Data content policy filters include, for example: (i) encoding formats for character sets (e.g., Universal Character Set Transformation Formats, American Standard Code for Information Interchange); (ii) restricting character data fields to only contain alpha-numeric characters; (iii) prohibiting special characters; and (iv) validating schema structures. |
The information system, when transferring information between different security domains, implements [Assignment: organization-defined security policy filters] requiring fully enumerated formats that restrict data structure and content. |
| CCI-001373 |
The information system, when transferring information between different security domains, examines the information for the presence of organization-defined unsanctioned information. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to examine the information for the presence of unsanctioned information defined in AC-4 (15), CCI 2203 when transferring information between different security domains.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1373. |
The organization being inspected/assessed configures the information system to examine the information for the presence of unsanctioned information defined in AC-4 (15), CCI 2203 when transferring information between different security domains.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1373. |
Information Flow Enforcement | Detection Of Unsanctioned Information |
AC-4 (15) |
AC-4(15).1 |
Detection of unsanctioned information includes, for example, checking all information to be transferred for malicious code and dirty words. Related control: SI-3. |
The information system, when transferring information between different security domains, examines the information for the presence of [Assignment: organized-defined unsanctioned information] and prohibits the transfer of such information in accordance with the [Assignment: organization-defined security policy]. |
| CCI-001374 |
The information system, when transferring information between different security domains, prohibits the transfer of organization-defined unsanctioned information in accordance with the organization-defined security policy. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prohibit the transfer of unsanctioned information defined in AC-4 (15), CCI 2203 in accordance with the security policy defined in AC-4 (15), CCI 2204.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1374. |
The organization being inspected/assessed configures the information system to prohibit the transfer of unsanctioned information defined in AC-4 (15), CCI 2203 in accordance with the security policy defined in AC-4 (15), CCI 2204.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1374. |
Information Flow Enforcement | Detection Of Unsanctioned Information |
AC-4 (15) |
AC-4(15).2 |
Detection of unsanctioned information includes, for example, checking all information to be transferred for malicious code and dirty words. Related control: SI-3. |
The information system, when transferring information between different security domains, examines the information for the presence of [Assignment: organized-defined unsanctioned information] and prohibits the transfer of such information in accordance with the [Assignment: organization-defined security policy]. |
| CCI-001376 |
The information system uniquely identifies source domains for information transfer. |
|
|
|
|
|
|
|
| CCI-001377 |
The information system uniquely authenticates source domains for information transfer. |
|
|
|
|
|
|
|
| CCI-001558 |
The organization defines the security functions (deployed in hardware, software, and firmware) for which access must be explicitly authorized. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the security functions as all functions not publicly accessible. |
DoD has defined the security functions as all functions not publicly accessible. |
Least Privilege | Authorize Access To Security Functions |
AC-6 (1) |
AC-6(1).1 |
Security functions include, for example, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Security-relevant information includes, for example, filtering rules for routers/firewalls, cryptographic key management information, configuration parameters for security services, and access control lists. Explicitly authorized personnel include, for example, security administrators, system and network administrators, system security officers, system maintenance personnel, system programmers, and other privileged users. Related controls: AC-17, AC-18, AC-19. |
The organization explicitly authorizes access to [Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information]. |
| CCI-000038 |
The organization explicitly authorizes access to organization-defined security functions and security-relevant information. |
|
|
|
|
|
|
|
| CCI-000039 |
The organization requires that users of information system accounts or roles, with access to organization-defined security functions or security-relevant information, use non-privileged accounts, or roles, when accessing nonsecurity functions. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed requires that users of information system accounts or roles, with access to any privileged security functions or security-relevant information, use non-privileged accounts, or roles, when accessing nonsecurity functions.
DoD has defined the security functions and security-relevant information as any privileged security functions or security-relevant information. |
The organization being inspected/assessed documents and implements a process to require that users of information system accounts or roles, with access to any privileged security functions or security-relevant information, use non-privileged accounts, or roles, when accessing nonsecurity functions.
DoD has defined the security functions and security-relevant information as any privileged security functions or security-relevant information. |
Least Privilege | Non-Privileged Access For Nonsecurity Functions |
AC-6 (2) |
AC-6(2).1 |
This control enhancement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. Related control: PL-4. |
The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined security functions or security-relevant information], use non-privileged accounts or roles, when accessing nonsecurity functions. |
| CCI-000040 |
The organization audits any use of privileged accounts, or roles, with access to organization-defined security functions or security-relevant information, when accessing other system functions. |
|
|
|
|
|
|
|
| CCI-000041 |
The organization authorizes network access to organization-defined privileged commands only for organization-defined compelling operational needs. |
The organization conducting the inspection/assessment obtains and examines a sampling of network access authorizations to ensure the organization being inspected/assessed authorizes network access to privileged commands defined in AC-6 (3), CCI 1420 only for compelling operational needs defined in AC-6 (3), CCI 2224. |
The organization being inspected/assessed authorizes network access to privileged commands defined in AC-6 (3), CCI 1420 only for compelling operational needs defined in AC-6 (3), CCI 2224. |
Least Privilege | Network Access To Privileged Commands |
AC-6 (3) |
AC-6(3).1 |
Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device). Related control: AC-17. |
The organization authorizes network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and documents the rationale for such access in the security plan for the information system. |
| CCI-000042 |
The organization documents the rationale for authorized network access to organization-defined privileged commands in the security plan for the information system. |
The organization conducting the inspection/assessment obtains and examines the documented rationale to ensure the organization being inspected/assessed documents the rationale for authorized network access to privileged commands defined in AC-6 (3), CCI 1420 in the security plan for the information system. |
The organization being inspected/assessed documents the rationale for authorized network access to privileged commands defined in AC-6 (3), CCI 1420 in the security plan for the information system. |
Least Privilege | Network Access To Privileged Commands |
AC-6 (3) |
AC-6(3).2 |
Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device). Related control: AC-17. |
The organization authorizes network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and documents the rationale for such access in the security plan for the information system. |
| CCI-000225 |
The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. |
The organization conducting the inspection/assessment obtains and examines the documented processes to ensure that the organization being inspected/assessed implements the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. |
The organization being inspected/assessed documents and implements the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. |
Least Privilege |
AC-6 |
AC-6.1 |
Organizations employ least privilege for specific duties and information systems. The principle of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions/business functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational information systems. Related controls: AC-2, AC-3, AC-5, CM-6, CM-7, PL-2. |
The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. |
| CCI-000226 |
The information system provides the capability for a privileged administrator to configure organization-defined security policy filters to support different security policies. |
|
|
|
|
|
|
|
| CCI-001419 |
The organization defines the security functions or security-relevant information to which users of information system accounts, or roles, have access. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the security functions and security-relevant information as any privileged security functions or security-relevant information. |
DoD has defined the security functions and security-relevant information as any privileged security functions or security-relevant information. |
Least Privilege | Non-Privileged Access For Nonsecurity Functions |
AC-6 (2) |
AC-6(2).2 |
This control enhancement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. Related control: PL-4. |
The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined security functions or security-relevant information], use non-privileged accounts or roles, when accessing nonsecurity functions. |
| CCI-001420 |
The organization defines the privileged commands to which network access is to be authorized only for organization-defined compelling operational needs. |
The organization conducting the inspection/assessment obtains and examines the documented privileged commands to ensure the organization being inspected/assessed defines the privileged commands to which network access is to be authorized only for organization-defined compelling operational needs.
DoD has determined the privileged commands are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the privileged commands to which network access is to be authorized only for organization-defined compelling operational needs.
DoD has determined the privileged commands are not appropriate to define at the Enterprise level. |
Least Privilege | Network Access To Privileged Commands |
AC-6 (3) |
AC-6(3).3 |
Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device). Related control: AC-17. |
The organization authorizes network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and documents the rationale for such access in the security plan for the information system. |
| CCI-001421 |
The organization limits authorization to super user accounts on the information system to designated system administration personnel. |
|
|
|
|
|
|
|
| CCI-001422 |
The organization prohibits privileged access to the information system by non-organizational users. |
The organization conducting the inspection/assessment obtains and examines the access authorization process as well as a sampling of information system access agreements to ensure that the organization being inspected/assessed prohibits privileged access to the information system by non-organizational users. |
The organization being inspected/assessed implements as a step in the access authorization process, a check to prohibit privileged access to the information system by non-organizational users. |
Least Privilege | Privileged Access By Non-Organizational Users |
AC-6 (6) |
AC-6(6).1 |
Related control: IA-8. |
The organization prohibits privileged access to the information system by non-organizational users. |
| CCI-001559 |
The organization identifies the individuals authorized to change the value of associated security attributes. |
The organization conducting the inspection/assessment obtains and examines the documented individuals to ensure the organization being inspected/assessed identifies the individuals authorized to change the value of associated security attributes. |
The organization being inspected/assessed identifies and documents the individuals authorized to change the value of associated security attributes. |
Security Attributes | Attribute Value Changes By Authorized Individuals |
AC-16 (2) |
AC-16(2).2 |
The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for information systems to be able to limit the ability to create or modify security attributes to authorized individuals. Related controls: AC-6, AU-2. |
The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security attributes. |
| CCI-001560 |
The organization identifies individuals (or processes acting on behalf of individuals) authorized to associate organization-defined security attributes with organization-defined objects. |
The organization conducting the inspection/assessment obtains and examines the documented individuals to ensure the organization being inspected/assessed identifies individuals (or processes acting on behalf of individuals) authorized to associate security attributes defined in AC-16 (4), CCI 2288 with objects defined in AC-16 (4), CCI 2287. |
The organization being inspected/assessed identifies and documents individuals (or processes acting on behalf of individuals) authorized to associate security attributes defined in AC-16 (4), CCI 2288 with objects defined in AC-16 (4), CCI 2287. |
Security Attributes | Association Of Attributes By Authorized Individuals |
AC-16 (4) |
AC-16(4).1 |
The support provided by information systems can vary to include: (i) prompting users to select specific security attributes to be associated with specific information objects; (ii) employing automated mechanisms for categorizing information with appropriate attributes based on defined policies; or (iii) ensuring that the combination of selected security attributes selected is valid. Organizations consider the creation, deletion, or modification of security attributes when defining auditable events. |
The information system supports the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals). |
| CCI-001424 |
The information system dynamically associates security attributes with organization-defined subjects in accordance with organization-defined security policies as information is created and combined. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to dynamically associates security attributes with the subjects defined in AC-16 (1), CCI 2274 in accordance with the security policies defined in AC-16 (1), CCI 2273 as information is created and combined.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1424. |
The organization being inspected/assessed configures the information system to dynamically associates security attributes with the subjects defined in AC-16 (1), CCI 2274 in accordance with the security policies defined in AC-16 (1), CCI 2273 as information is created and combined.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1424. |
Security Attributes | Dynamic Attribute Association |
AC-16 (1) |
AC-16(1).1 |
Dynamic association of security attributes is appropriate whenever the security characteristics of information changes over time. Security attributes may change, for example, due to information aggregation issues (i.e., the security characteristics of individual information elements are different from the combined elements), changes in individual access authorizations (i.e., privileges), and changes in the security category of information. Related control: AC-4. |
The information system dynamically associates security attributes with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies] as information is created and combined. |
| CCI-001425 |
The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to change the value of associated security attributes. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provides authorized individuals (or processes acting on behalf of individuals) the capability to change the value of associated security attributes.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1425. |
The organization being inspected/assessed configures the information system to provide authorized individuals (or processes acting on behalf of individuals) the capability to change the value of associated security attributes.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1425. |
Security Attributes | Attribute Value Changes By Authorized Individuals |
AC-16 (2) |
AC-16(2).1 |
The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for information systems to be able to limit the ability to create or modify security attributes to authorized individuals. Related controls: AC-6, AU-2. |
The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security attributes. |
| CCI-001426 |
The information system maintains the binding of security attributes to information with sufficient assurance that the information--attribute association can be used as the basis for automated policy actions. |
|
|
|
|
|
|
|
| CCI-001427 |
The information system allows authorized users to associate security attributes with information. |
|
|
|
|
|
|
|
| CCI-001428 |
The information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify organization-identified special dissemination, handling, or distribution instructions using organization-identified human-readable, standard naming conventions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to display security attributes in human readable form on each object that the system transmits to output devices to identify special dissemination, handling, or distribution instructions defined in AC-16 (5), CCI 1429 using human readable, standard naming conventions defined in AC-16 (5), CCI 1430.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1428. |
The organization being inspected/assessed configures the information system to display security attributes in human readable form on each object that the system transmits to output devices to identify special dissemination, handling, or distribution instructions defined in AC-16 (5), CCI 1429 using human readable, standard naming conventions defined in AC-16 (5), CCI 1430.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1428. |
Security Attributes | Attribute Displays For Output Devices |
AC-16 (5) |
AC-16(5).1 |
Information system outputs include, for example, pages, screens, or equivalent. Information system output devices include, for example, printers and video displays on computer workstations, notebook computers, and personal digital assistants. |
The information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify [Assignment: organization-identified special dissemination, handling, or distribution instructions] using [Assignment: organization-identified human-readable, standard naming conventions]. |
| CCI-001429 |
The organization identifies special dissemination, handling, or distribution instructions for identifying security attributes on output. |
DoD has defined the instructions as for instructions relating to classification, special dissemination, handling, or distribution instructions IAW DODI 5200.1R; for SCI and SAP, IAW Controlled Access Program Coordination Office (CAPCO) register. For all other instructions, not appropriate to define at the Enterprise level.
The organization conducting the inspection/assessment obtains and examines the documented instructions not relating to classification to ensure the organization being inspected/assessed identifies special dissemination, handling, or distribution instructions for identifying security attributes on output. |
DoD has defined the instructions as for instructions relating to classification, special dissemination, handling, or distribution instructions IAW DODI 5200.1R; for SCI and SAP, IAW Controlled Access Program Coordination Office (CAPCO) register. For all other instructions, not appropriate to define at the Enterprise level.
The organization being inspected/assessed defines and documents special dissemination, handling, or distribution instructions not relating to classification, for identifying security attributes on output. |
Security Attributes | Attribute Displays For Output Devices |
AC-16 (5) |
AC-16(5).2 |
Information system outputs include, for example, pages, screens, or equivalent. Information system output devices include, for example, printers and video displays on computer workstations, notebook computers, and personal digital assistants. |
The information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify [Assignment: organization-identified special dissemination, handling, or distribution instructions] using [Assignment: organization-identified human-readable, standard naming conventions]. |
| CCI-001430 |
The organization identifies human-readable, standard naming conventions for identifying security attributes on output. |
DoD has defined the human readable, standard naming conventions for security attributes relating to classification as human readable, standard naming conventions IAW DODI 5200.1R; for TS SCI, IAW Controlled Access Program Coordination Office (CAPCO) register. For all other security attributes, not appropriate to define at the Enterprise level.
The organization conducting the inspection/assessment obtains and examines the documented security attributes not relating to classification to ensure the organization being inspected/assessed identifies human readable, standard naming conventions for identifying security attributes on output. |
DoD has defined the human readable, standard naming conventions for security attributes relating to classification as human readable, standard naming conventions IAW DODI 5200.1R; for TS SCI, IAW Controlled Access Program Coordination Office (CAPCO) register. For all other security attributes, not appropriate to define at the Enterprise level.
The organization being inspected/assessed defines and documents all other security attributes not relating to classification. |
Security Attributes | Attribute Displays For Output Devices |
AC-16 (5) |
AC-16(5).3 |
Information system outputs include, for example, pages, screens, or equivalent. Information system output devices include, for example, printers and video displays on computer workstations, notebook computers, and personal digital assistants. |
The information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify [Assignment: organization-identified special dissemination, handling, or distribution instructions] using [Assignment: organization-identified human-readable, standard naming conventions]. |
| CCI-001396 |
The organization defines security attributes for which the information system supports and maintains the bindings for information in storage. |
|
|
|
|
|
|
|
| CCI-001397 |
The organization defines security attributes for which the information system supports and maintains the bindings for information in process. |
|
|
|
|
|
|
|
| CCI-001398 |
The organization defines security attributes for which the information system supports and maintains the bindings for information in transmission. |
|
|
|
|
|
|
|
| CCI-001399 |
The information system supports and maintains the binding of organization-defined security attributes to information in storage. |
|
|
|
|
|
|
|
| CCI-001400 |
The information system supports and maintains the binding of organization-defined security attributes to information in process. |
|
|
|
|
|
|
|
| CCI-001401 |
The information system supports and maintains the binding of organization-defined security attributes to information in transmission. |
|
|
|
|
|
|
|
| CCI-001561 |
The organization defines managed access control points for remote access to the information system. |
The organization conducting the inspection/assessment obtains and examines the documented managed access points to ensure the organization being inspected/assessed defines managed access control points for remote access to the information system. |
The organization being inspected/assessed defines and documents managed access control points for remote access to the information system. |
Remote Access | Managed Access Control Points |
AC-17 (3) |
AC-17(3).2 |
Limiting the number of access control points for remote accesses reduces the attack surface for organizations. Organizations consider the Trusted Internet Connections (TIC) initiative requirements for external network connections. Related control: SC-7. |
The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points. |
| CCI-001562 |
The organization defines the appropriate action(s) to be taken if an unauthorized remote connection is discovered. |
|
|
|
|
|
|
|
| CCI-000063 |
The organization defines allowed methods of remote access to the information system. |
The organization conducting the inspection/assessment obtains and examines the documented methods to ensure the organization being inspected/assessed defines allowed methods of remote access to the information system.
DoD has determined the allowed methods of remote access are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the allowed methods of remote access to the information system.
The methods should be defined IAW ports, protocols, and service requirements, as well as access control requirements for any STIGs applicable to the technology in use.
DoD has determined the allowed methods of remote access are not appropriate to define at the Enterprise level. |
Remote Access |
AC-17 |
AC-17.1 |
Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4. |
The organization:
a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
b. Authorizes remote access to the information system prior to allowing such connections. |
| CCI-000064 |
The organization establishes usage restrictions and implementation guidance for each allowed remote access method. |
|
|
|
|
|
|
|
| CCI-000065 |
The organization authorizes remote access to the information system prior to allowing such connections. |
The organization conducting the inspection/assessment obtains and examines the audit trail of authorizations to ensure the organization being inspected/assessed authorizes remote access to the information system prior to allowing such connections. |
The organization being inspected/assessed authorizes remote access to the information system prior to allowing such connections.
The organization must maintain an audit trail of authorizations. |
Remote Access |
AC-17 |
AC-17.5 |
Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4. |
The organization:
a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
b. Authorizes remote access to the information system prior to allowing such connections. |
| CCI-000066 |
The organization enforces requirements for remote connections to the information system. |
|
|
|
|
|
|
|
| CCI-000067 |
The information system monitors remote access methods. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to monitor remote access methods.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 67. |
The organization being inspected/assessed configures the information system to monitor remote access methods.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 67. |
Remote Access | Automated Monitoring / Control |
AC-17 (1) |
AC-17(1).1 |
Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). Related controls: AU-2, AU-12. |
The information system monitors and controls remote access methods. |
| CCI-000068 |
The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement cryptographic mechanisms to protect the confidentiality of remote access sessions.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 68. |
The organization being inspected/assessed configures the information system to implement cryptographic mechanisms to protect the confidentiality of remote access sessions.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 68. |
Remote Access | Protection Of Confidentiality / Integrity Using Encryption |
AC-17 (2) |
AC-17(2).1 |
The encryption strength of mechanism is selected based on the security categorization of the information. Related controls: SC-8, SC-12, SC-13. |
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. |
| CCI-000069 |
The information system routes all remote accesses through an organization-defined number of managed network access control points. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to route all remote accesses through the number of managed network access control points defined in AC-17 (3), CCI 2315.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 69. |
The organization being inspected/assessed configures the information system to route all remote accesses through the number of managed network access control points defined in AC-17 (3), CCI 2315.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 69. |
Remote Access | Managed Access Control Points |
AC-17 (3) |
AC-17(3).1 |
Limiting the number of access control points for remote accesses reduces the attack surface for organizations. Organizations consider the Trusted Internet Connections (TIC) initiative requirements for external network connections. Related control: SC-7. |
The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points. |
| CCI-000070 |
The organization authorizes the execution of privileged commands via remote access only for organization-defined needs. |
The organization conducting the inspection/assessment obtains and examines the audit trail of authorizations to ensure the organization being inspected/assessed authorizes the execution of privileged commands via remote access only for needs defined in AC-17 (4), CCI 2317. |
The organization being inspected/assessed authorizes the execution of privileged commands via remote access only for needs defined in AC-17 (4), CCI 2317.
The organization being inspected/assessed maintains an audit trail of authorizations. |
Remote Access | Privileged Commands/ Access |
AC-17 (4) |
AC-17(4).1 |
Related control: AC-6. |
The organization:
(a) Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and
(b) Documents the rationale for such access in the security plan for the information system. |
| CCI-000071 |
The organization monitors for unauthorized remote connections to the information system on an organization-defined frequency. |
|
|
|
|
|
|
|
| CCI-000072 |
The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure that the organization being inspected/assessed ensures that users protect information about remote access mechanisms from unauthorized use and disclosure. |
The organization being inspected/assessed implements and documents a process to ensure that users protect information about remote access mechanisms from unauthorized use and disclosure. |
Remote Access | Protection Of Information |
AC-17 (6) |
AC-17(6).1 |
Related controls: AT-2, AT-3, PS-6. |
The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure. |
| CCI-000079 |
The organization ensures that remote sessions for accessing an organization-defined list of security functions and security-relevant information employ organization-defined additional security measures. |
|
|
|
|
|
|
|
| CCI-001431 |
The organization defines a frequency for monitoring for unauthorized remote connections to the information system. |
|
|
|
|
|
|
|
| CCI-001432 |
The organization takes appropriate action if an unauthorized remote connection to the information system is discovered. |
|
|
|
|
|
|
|
| CCI-001433 |
The organization defines a list of security functions and security-relevant information that for remote access sessions have organization-defined security measures employed and are audited. |
|
|
|
|
|
|
|
| CCI-001434 |
The organization defines additional security measures to be employed when an organization-defined list of security functions and security-relevant information is accessed remotely. |
|
|
|
|
|
|
|
| CCI-001435 |
The organization defines networking protocols within the information system deemed to be nonsecure. |
|
|
|
|
|
|
|
| CCI-001436 |
The organization disables organization-defined networking protocols within the information system deemed to be nonsecure except for explicitly identified components in support of specific operational requirements. |
|
|
|
|
|
|
|
| CCI-001437 |
The organization documents the rationale for the execution of privileged commands and access to security-relevant information in the security plan for the information system. |
|
|
|
|
|
|
|
| CCI-001453 |
The information system implements cryptographic mechanisms to protect the integrity of remote access sessions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement cryptographic mechanisms to protect the integrity of remote access sessions.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1453. |
The organization being inspected/assessed configures the information system to implement cryptographic mechanisms to protect the integrity of remote access sessions.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1453. |
Remote Access | Protection Of Confidentiality / Integrity Using Encryption |
AC-17 (2) |
AC-17(2).2 |
The encryption strength of mechanism is selected based on the security categorization of the information. Related controls: SC-8, SC-12, SC-13. |
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. |
| CCI-001454 |
The organization ensures that remote sessions for accessing an organization-defined list of security functions and security-relevant information are audited. |
|
|
|
|
|
|
|
| CCI-001455 |
The organization explicitly identifies components needed in support of specific operational requirements. |
|
|
|
|
|
|
|
| CCI-001402 |
The organization monitors for unauthorized remote access to the information system. |
|
|
|
|
|
|
|
| CCI-001563 |
The organization defines the appropriate action(s) to be taken if an unauthorized wireless connection is discovered. |
|
|
|
|
|
|
|
| CCI-001438 |
The organization establishes usage restrictions for wireless access. |
The organization conducting the inspection/assessment obtains and examines documented usage restrictions to ensure the organization being inspected/assessed establishes usage restrictions for wireless access. |
The organization being inspected/assessed establishes and documents usage restrictions for wireless access. |
Wireless Access |
AC-18 |
AC-18.1 |
Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication. Related controls: AC-2, AC-3, AC-17, AC-19, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, PL-4, SI-4. |
The organization:
a. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and
b. Authorizes wireless access to the information system prior to allowing such connections. |
| CCI-001439 |
The organization establishes implementation guidance for wireless access. |
The organization conducting the inspection/assessment obtains and examines the documented implementation guidance to ensure the organization being inspected/assessed establishes implementation guidance for wireless access. |
The organization being inspected/assessed establishes and documents implementation guidance for wireless access. |
Wireless Access |
AC-18 |
AC-18.2 |
Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication. Related controls: AC-2, AC-3, AC-17, AC-19, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, PL-4, SI-4. |
The organization:
a. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and
b. Authorizes wireless access to the information system prior to allowing such connections. |
| CCI-001440 |
The organization monitors for unauthorized wireless access to the information system. |
|
|
|
|
|
|
|
| CCI-001441 |
The organization authorizes wireless access to the information system prior to allowing such connections. |
The organization conducting the inspection/assessment obtains and examines the audit trail of authorizations to ensure the organization being inspected/assessed authorizes wireless access to the information system prior to allowing such connections. |
The organization being inspected/assessed authorizes wireless access to the information system prior to allowing such connections.
The organization must maintain an audit trail of authorizations. |
Wireless Access |
AC-18 |
AC-18.4 |
Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication. Related controls: AC-2, AC-3, AC-17, AC-19, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, PL-4, SI-4. |
The organization:
a. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and
b. Authorizes wireless access to the information system prior to allowing such connections. |
| CCI-001442 |
The organization enforces requirements for wireless connections to the information system. |
|
|
|
|
|
|
|
| CCI-001443 |
The information system protects wireless access to the system using authentication of users and/or devices. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to protect wireless access to the system using authentication of users and/or devices.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1443. |
The organization being inspected/assessed configures the information system to protect wireless access to the system using authentication of users and/or devices.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1443. |
Wireless Access | Authentication And Encryption |
AC-18 (1) |
AC-18(1).1 |
Related controls: SC-8, SC-13. |
The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. |
| CCI-001444 |
The information system protects wireless access to the system using encryption. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to protect wireless access to the system using encryption.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1444. |
The organization being inspected/assessed configures the information system to protect wireless access to the system using encryption.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1444. |
Wireless Access | Authentication And Encryption |
AC-18 (1) |
AC-18(1).2 |
Related controls: SC-8, SC-13. |
The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. |
| CCI-001445 |
The organization monitors for unauthorized wireless connections to the information system on an organization-defined frequency. |
|
|
|
|
|
|
|
| CCI-001446 |
The organization scans for unauthorized wireless access points on an organization-defined frequency. |
|
|
|
|
|
|
|
| CCI-001447 |
The organization defines a frequency of monitoring for unauthorized wireless connections to information system, including scans for unauthorized wireless access points. |
|
|
|
|
|
|
|
| CCI-001448 |
The organization takes appropriate action if an unauthorized wireless connection is discovered. |
|
|
|
|
|
|
|
| CCI-001449 |
The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment.
The organization conducting the inspection/assessment obtains and examines a sampling of information systems to ensure that any internally embedded wireless networking capabilities are disabled unless a documented need exists. |
The organization being inspected/assessed documents and implements a process to disable wireless networking capabilities internally embedded within information system components prior to issuance and deployment when not intended for use. |
Wireless Access | Disable Wireless Networking |
AC-18 (3) |
AC-18(3).1 |
Related control: AC-19. |
The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment. |
| CCI-001450 |
The organization does not allow users to independently configure wireless networking capabilities. |
|
|
|
|
|
|
|
| CCI-001451 |
The organization selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries. |
The organization conducting the inspection/assessment obtains and examines the documentation from radio antenna installation to ensure that the organization being inspected/assessed selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries. |
The organization being inspected/assessed documents and implements a process to select radio antennas and calibrate transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries. |
Wireless Access | Antennas / Transmission Power Levels |
AC-18 (5) |
AC-18(5).1 |
Actions that may be taken by organizations to limit unauthorized use of wireless communications outside of organization-controlled boundaries include, for example: (i) reducing the power of wireless transmissions so that the transmissions are less likely to emit a signal that can be used by adversaries outside of the physical perimeters of organizations; (ii) employing measures such as TEMPEST to control wireless emanations; and (iii) using directional/beam forming antennas that reduce the likelihood that unintended receivers will be able to intercept signals. Prior to taking such actions, organizations can conduct periodic wireless surveys to understand the radio frequency profile of organizational information systems as well as other systems that may be operating in the area. Related control: PE-19. |
The organization selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries. |
| CCI-001564 |
The organization defines the frequency of security awareness and training policy reviews and updates. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as reviewed annually - updated as appropritate but at least within 10 years of date of issuance. |
DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. |
Security Awareness And Training Policy And Procedures |
AT-1 |
AT-1.5 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
b. Reviews and updates the current:
1. Security awareness and training policy [Assignment: organization-defined frequency]; and
2. Security awareness and training procedures [Assignment: organization-defined frequency]. |
| CCI-001565 |
The organization defines the frequency of security awareness and training procedure reviews and updates. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as reviewed annually - updated as appropriate. |
DoD has defined the frequency as reviewed annually - updated as appropriate. |
Security Awareness And Training Policy And Procedures |
AT-1 |
AT-1.10 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
b. Reviews and updates the current:
1. Security awareness and training policy [Assignment: organization-defined frequency]; and
2. Security awareness and training procedures [Assignment: organization-defined frequency]. |
| CCI-000100 |
The organization develops and documents a security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01.
Comment:
The organization's use of their higher command policy/procedures meets this requirement if more stringent. |
DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01.
Comment:
DoDD 8570.01 will be updated with DoDD 8140 once signed.
The organization's use of their higher command policy/procedures meets this requirement if more stringent. |
Security Awareness And Training Policy And Procedures |
AT-1 |
AT-1.3 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
b. Reviews and updates the current:
1. Security awareness and training policy [Assignment: organization-defined frequency]; and
2. Security awareness and training procedures [Assignment: organization-defined frequency]. |
| CCI-000101 |
The organization disseminates a security awareness and training policy to organization-defined personnel or roles. |
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. |
DoD disseminates DoDD 8570.01 organization-wide via the DoD Issuances website.
http://www.dtic.mil/whs/directives/corres/dir.html |
Security Awareness And Training Policy And Procedures |
AT-1 |
AT-1.4 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
b. Reviews and updates the current:
1. Security awareness and training policy [Assignment: organization-defined frequency]; and
2. Security awareness and training procedures [Assignment: organization-defined frequency]. |
| CCI-000102 |
The organization reviews and updates the current security awareness and training policy in accordance with organization-defined frequency. |
DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. |
DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. |
Security Awareness And Training Policy And Procedures |
AT-1 |
AT-1.8 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
b. Reviews and updates the current:
1. Security awareness and training policy [Assignment: organization-defined frequency]; and
2. Security awareness and training procedures [Assignment: organization-defined frequency]. |
| CCI-000103 |
The organization develops and documents procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls. |
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. |
DoD develops and documents procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls within DoDD 8570.01. DISA's DoD IA awareness CBT is the DoD baseline standard.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. |
Security Awareness And Training Policy And Procedures |
AT-1 |
AT-1.6 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
b. Reviews and updates the current:
1. Security awareness and training policy [Assignment: organization-defined frequency]; and
2. Security awareness and training procedures [Assignment: organization-defined frequency]. |
| CCI-000104 |
The organization disseminates security awareness and training procedures to organization-defined personnel or roles. |
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01.
DoD has defined the roles as organizational personnel with security awareness and training responsibilities. |
DoD disseminates DoDD 8570.01 organization-wide via the DoD Issuances website.
http://www.dtic.mil/whs/directives/corres/dir.html
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01.
DoD has defined the roles as organizational personnel with security awareness and training responsibilities. |
Security Awareness And Training Policy And Procedures |
AT-1 |
AT-1.7 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
b. Reviews and updates the current:
1. Security awareness and training policy [Assignment: organization-defined frequency]; and
2. Security awareness and training procedures [Assignment: organization-defined frequency]. |
| CCI-000105 |
The organization reviews and updates the current security awareness and training procedures in accordance with an organization-defined frequency. |
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01.
DoD has defined the frequency as annually. |
DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01.
DoD has defined the frequency as annually. |
Security Awareness And Training Policy And Procedures |
AT-1 |
AT-1.9 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
b. Reviews and updates the current:
1. Security awareness and training policy [Assignment: organization-defined frequency]; and
2. Security awareness and training procedures [Assignment: organization-defined frequency]. |
| CCI-001566 |
The organization provides organization-defined personnel or roles with initial training in the employment and operation of physical security controls. |
The organization conducting the inspection/assessment obtains and examines:
1. Documentation of physical security controls that require training.
2. Documented list of personnel defined in AT-3 (2), CCI 2051
3. Ensures identified personnel have received the initial training. |
The organization being inspected/assessed:
1. Identifies and documents physical security controls that require training.
2. Identifies the personnel defined in AT-3 (2), CCI 2051
3. Ensures designated personnel receive this training.
4. Maintains and monitors records of personnel who have received this training. |
Security Training | Physical Security Controls |
AT-3 (2) |
AT-3(2).1 |
Physical security controls include, for example, physical access control devices, physical intrusion alarms, monitoring/surveillance equipment, and security guards (deployment and operating procedures). Organizations identify personnel with specific roles and responsibilities associated with physical security controls requiring specialized training. Related controls: PE-2, PE-3, PE-4, PE-5. |
The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls. |
| CCI-001567 |
The organization provides organization-defined personnel or roles with refresher training in the employment and operation of physical security controls in accordance with the organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines:
1. Documentation of physical security controls that require training.
2. Documented list of personnel defined in AT-3 (2), CCI 2051
3. Ensures identified personnel have received training annually.
DoD has defined the frequency as annual. |
The organization being inspected/assessed:
1. Identifies and documents physical security controls that require training.
2. Identifies personnel defined in AT-3 (2), CCI 2051
3. Ensures designated personnel receive this training annually
4. Maintains and monitors records of personnel who have received this training.
DoD has defined the frequency as annual. |
Security Training | Physical Security Controls |
AT-3 (2) |
AT-3(2).2 |
Physical security controls include, for example, physical access control devices, physical intrusion alarms, monitoring/surveillance equipment, and security guards (deployment and operating procedures). Organizations identify personnel with specific roles and responsibilities associated with physical security controls requiring specialized training. Related controls: PE-2, PE-3, PE-4, PE-5. |
The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls. |
| CCI-001568 |
The organization defines a frequency for providing employees with refresher training in the employment and operation of physical security controls. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as annual. |
DoD has defined the frequency as annual. |
Security Training | Physical Security Controls |
AT-3 (2) |
AT-3(2).3 |
Physical security controls include, for example, physical access control devices, physical intrusion alarms, monitoring/surveillance equipment, and security guards (deployment and operating procedures). Organizations identify personnel with specific roles and responsibilities associated with physical security controls requiring specialized training. Related controls: PE-2, PE-3, PE-4, PE-5. |
The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls. |
| CCI-000108 |
The organization provides role-based security training to personnel with assigned security roles and responsibilities before authorizing access to the information system or performing assigned duties. |
DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DISA's DoD IA awareness CBT for privileged users is the DoD baseline standard.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. |
DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DISA's DoD IA awareness CBT for privileged users is the DoD baseline standard.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. |
Role-Based Security Training |
AT-3 |
AT-3.1 |
Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition/procurement officials, information system managers, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies. Related controls: AT-2, AT-4, PL-4, PS-7, SA-3, SA-12, SA-16. |
The organization provides role-based security training to personnel with assigned security roles and responsibilities:
a. Before authorizing access to the information system or performing assigned duties;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter. |
| CCI-000109 |
The organization provides role-based security training to personnel with assigned security roles and responsibilities when required by information system changes. |
The organization conducting the inspection/assessment obtains and examines documented records (IAW AT-4) of their privileged users training. |
Privileged user type Security-related education/training available through DISA IASE (e.g. VTE, Skill Soft, other professional sources) meets the provision of this control.
The organization being inspected/assessed may define specific requirements within the above listed sources for their personnel. |
Role-Based Security Training |
AT-3 |
AT-3.2 |
Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition/procurement officials, information system managers, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies. Related controls: AT-2, AT-4, PL-4, PS-7, SA-3, SA-12, SA-16. |
The organization provides role-based security training to personnel with assigned security roles and responsibilities:
a. Before authorizing access to the information system or performing assigned duties;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter. |
| CCI-000110 |
The organization provides refresher role-based security training to personnel with assigned security roles and responsibilities in accordance with organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines documented records (IAW AT-4) of their privileged users training.
|
Privileged user type Security-related education/training available through DISA IASE (e.g. VTE, Skill Soft, other professional sources) meets the provision of this control.
The organization being inspected/assessed may define specific requirements within the above listed sources for their personnel.
|
Role-Based Security Training |
AT-3 |
AT-3.3 |
Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition/procurement officials, information system managers, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies. Related controls: AT-2, AT-4, PL-4, PS-7, SA-3, SA-12, SA-16. |
The organization provides role-based security training to personnel with assigned security roles and responsibilities:
a. Before authorizing access to the information system or performing assigned duties;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter. |
| CCI-000111 |
The organization defines a frequency for providing refresher role-based security training. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as annually. |
DoD has defined the frequency as annually. |
Role-Based Security Training |
AT-3 |
AT-3.4 |
Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition/procurement officials, information system managers, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies. Related controls: AT-2, AT-4, PL-4, PS-7, SA-3, SA-12, SA-16. |
The organization provides role-based security training to personnel with assigned security roles and responsibilities:
a. Before authorizing access to the information system or performing assigned duties;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter. |
| CCI-001481 |
The organization provides organization-defined personnel or roles with initial training in the employment and operation of environmental controls. |
The organization conducting the inspection/assessment obtains and examines:
1. Documentation of environmental controls that require training.
2. Documented list of personnel defined in AT-3 (1), CCI 2050
3. Ensures identified personnel have received the initial training. |
The organization being inspected/assessed:
1. Identifies and documents environmental controls that require training.
2. Identifies the personnel defined in AT-3 (1), CCI 2050
3. Ensures designated personnel receive this training.
4. Maintains and monitors records of personnel who have received this training. |
Security Training | Environmental Controls |
AT-3 (1) |
AT-3(1).1 |
Environmental controls include, for example, fire suppression and detection devices/systems, sprinkler systems, handheld fire extinguishers, fixed fire hoses, smoke detectors, temperature/humidity, HVAC, and power within the facility. Organizations identify personnel with specific roles and responsibilities associated with environmental controls requiring specialized training. Related controls: PE-1, PE-13, PE-14, PE-15. |
The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls. |
| CCI-001482 |
The organization provides organization-defined personnel or roles with refresher training in the employment and operation of environmental controls in accordance with the organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines: 1. Documentation of environmental controls that require training.
2. Documented list of personnel defined in AT-3 (1), CCI 2050
3. Ensures identified personnel have received training annually.
DoD has defined the frequency as annually. |
The organization being inspected/assessed:
1. Identifies and documents environmental controls that require training.
2. Identifies the personnel defined in AT-3 (1), CCI 2050
3. Ensures designated personnel receive this training annually
4. Maintains and monitors records of personnel who have received this training.
DoD has defined the frequency as annually. |
Security Training | Environmental Controls |
AT-3 (1) |
AT-3(1).2 |
Environmental controls include, for example, fire suppression and detection devices/systems, sprinkler systems, handheld fire extinguishers, fixed fire hoses, smoke detectors, temperature/humidity, HVAC, and power within the facility. Organizations identify personnel with specific roles and responsibilities associated with environmental controls requiring specialized training. Related controls: PE-1, PE-13, PE-14, PE-15. |
The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls. |
| CCI-001483 |
The organization defines a frequency for providing employees with refresher training in the employment and operation of environmental controls. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as annual. |
DoD has defined the frequency as annual. |
Security Training | Environmental Controls |
AT-3 (1) |
AT-3(1).3 |
Environmental controls include, for example, fire suppression and detection devices/systems, sprinkler systems, handheld fire extinguishers, fixed fire hoses, smoke detectors, temperature/humidity, HVAC, and power within the facility. Organizations identify personnel with specific roles and responsibilities associated with environmental controls requiring specialized training. Related controls: PE-1, PE-13, PE-14, PE-15. |
The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls. |
| CCI-001569 |
The organization defines the frequency on which it will review and update the audit and accountability policy. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as annually. |
DoD has defined the frequency as annually. |
Audit And Accountability Policy And Procedures |
AU-1 |
AU-1.8 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
b. Reviews and updates the current:
1. Audit and accountability policy [Assignment: organization-defined frequency]; and
2. Audit and accountability procedures [Assignment: organization-defined frequency]. |
| CCI-001570 |
The organization defines the frequency on which it will review and update the audit and accountability procedures. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as annually. |
DoD has defined the frequency as annually. |
Audit And Accountability Policy And Procedures |
AU-1 |
AU-1.10 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
b. Reviews and updates the current:
1. Audit and accountability policy [Assignment: organization-defined frequency]; and
2. Audit and accountability procedures [Assignment: organization-defined frequency]. |
| CCI-000117 |
The organization develops and documents an audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
The organization conducting the inspection/assessment obtains and examines the audit and accountability policy to ensure that the audit and accountability policy addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
The organization being inspected/assessed develops and documents an audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
Audit And Accountability Policy And Procedures |
AU-1 |
AU-1.3 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
b. Reviews and updates the current:
1. Audit and accountability policy [Assignment: organization-defined frequency]; and
2. Audit and accountability procedures [Assignment: organization-defined frequency]. |
| CCI-000118 |
The organization disseminates a formal, documented, audit and accountability policy to elements within the organization having associated audit and accountability roles and responsibilities. |
|
|
|
|
|
|
|
| CCI-000119 |
The organization reviews and updates the audit and accountability policy on an organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the audit trail of reviews and updates to ensure the organization being inspected/assessed reviews and updates the audit and accountability policy annually.
DoD has defined the frequency as annually. |
The organization being inspected/assessed reviews and updates the audit and accountability policy annually.
The organization must maintain an audit trail of reviews and updates. Any changes or acceptance of the document without change must be captured in the audit trail.
DoD has defined the frequency as annually. |
Audit And Accountability Policy And Procedures |
AU-1 |
AU-1.7 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
b. Reviews and updates the current:
1. Audit and accountability policy [Assignment: organization-defined frequency]; and
2. Audit and accountability procedures [Assignment: organization-defined frequency]. |
| CCI-000120 |
The organization develops and documents procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls. |
The organization conducting the inspection/assessment obtains and examines the audit and accountability procedures to ensure that the procedures facilitate the implementation of the audit and accountability policy and associated audit and accountability controls. |
The organization being inspected/assessed develops and documents procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls. |
Audit And Accountability Policy And Procedures |
AU-1 |
AU-1.5 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
b. Reviews and updates the current:
1. Audit and accountability policy [Assignment: organization-defined frequency]; and
2. Audit and accountability procedures [Assignment: organization-defined frequency]. |
| CCI-000121 |
The organization disseminates formal, documented, procedures to elements within the organization having associated audit and accountability roles and responsibilities. |
|
|
|
|
|
|
|
| CCI-000122 |
The organization reviews and updates the audit and accountability procedures on an organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the audit trail of reviews and updates to ensure the organization being inspected/assessed reviews and updates the audit and accountability procedures annually.
DoD has defined the frequency as annually. |
The organization being inspected/assessed reviews and updates the audit and accountability procedures annually.
The organization must maintain an audit trail of reviews and updates. Any changes or acceptance of the document without change must be captured in the audit trail.
DoD has defined the frequency as annually. |
Audit And Accountability Policy And Procedures |
AU-1 |
AU-1.9 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
b. Reviews and updates the current:
1. Audit and accountability policy [Assignment: organization-defined frequency]; and
2. Audit and accountability procedures [Assignment: organization-defined frequency]. |
| CCI-001571 |
The organization defines the information system auditable events. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the information system auditable events as successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g. classification levels). Successful and unsuccessful logon attempts, Privileged activities or other system level access, Starting and ending time for user access to the system, Concurrent logons from different workstations, Successful and unsuccessful accesses to objects, All program initiations, All direct access to the information system. All account creations, modifications, disabling, and terminations. All kernel module load, unload, and restart. |
DoD has defined the information system auditable events as successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g. classification levels). Successful and unsuccessful logon attempts, Privileged activities or other system level access, Starting and ending time for user access to the system, Concurrent logons from different workstations, Successful and unsuccessful accesses to objects, All program initiations, All direct access to the information system. All account creations, modifications, disabling, and terminations. All kernel module load, unload, and restart. |
Audit Events |
AU-2 |
AU-2.2 |
An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures. Related controls: AC-6, AC-17, AU-3, AU-12, MA-4, MP-2, MP-4, SI-4. |
The organization:
a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];
b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event]. |
| CCI-000123 |
The organization determines the information system must be capable of auditing an organization-defined list of auditable events. |
The organization conducting the inspection/assessment obtains and examines the documentation of the auditable events to ensure the information system is capable of auditing the:
- successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g. Classification levels),
- Successful and unsuccessful logon attempts,
- Privileged activities or other system level access,
- Starting and ending time for user access to the system,
- Concurrent logons from different workstations,
- Successful and unsuccessful accesses to objects,
- All program initiations,
- All direct access to the information system,
- All account creations, modifications, disabling, and terminations,
- All kernel module load, unload, and restart.
DoD has defined the information system auditable events as successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g. classification levels). Successful and unsuccessful logon attempts, Privileged activities or other system level access, Starting and ending time for user access to the system, Concurrent logons from different workstations, Successful and unsuccessful accesses to objects, All program initiations, All direct access to the information system. All account creations, modifications, disabling, and terminations. All kernel module load, unload, and restart. |
The organization being inspected/assessed determines whether the information system is capable of auditing:
- successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g. Classification levels),
- Successful and unsuccessful logon attempts,
- Privileged activities or other system level access,
- Starting and ending time for user access to the system,
- Concurrent logons from different workstations,
- Successful and unsuccessful accesses to objects,
- All program initiations,
- All direct access to the information system,
- All account creations, modifications, disabling, and terminations,
- All kernel module load, unload, and restart. The organization must document those auditable events that are not captured.
DoD has defined the information system auditable events as successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g. classification levels). Successful and unsuccessful logon attempts, Privileged activities or other system level access, Starting and ending time for user access to the system, Concurrent logons from different workstations, Successful and unsuccessful accesses to objects, All program initiations, All direct access to the information system. All account creations, modifications, disabling, and terminations. All kernel module load, unload, and restart. |
Audit Events |
AU-2 |
AU-2.1 |
An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures. Related controls: AC-6, AC-17, AU-3, AU-12, MA-4, MP-2, MP-4, SI-4. |
The organization:
a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];
b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event]. |
| CCI-000124 |
The organization coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events. |
The organization conducting the inspection/assessment obtains and examines the audit and accountability policy and procedures as well as artifacts of the coordination to determine if coordination is necessary and if necessary, whether it has been performed. |
The organization being inspected/assessed documents and implements within the audit and accountability policy and procedures, a process to coordinate the additional auditable events. The objective is to enhance mutual support and to help guide the selection of auditable events.
The organization must maintain artifacts of the coordination.
|
Audit Events |
AU-2 |
AU-2.3 |
An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures. Related controls: AC-6, AC-17, AU-3, AU-12, MA-4, MP-2, MP-4, SI-4. |
The organization:
a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];
b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event]. |
| CCI-000125 |
The organization provides a rationale for why the list of auditable events is deemed to be adequate to support after-the-fact investigations of security incidents. |
The organization conducting the inspection/assessment obtains and examines the audit and accountability policy and procedures to ensure the organization being inspected/assess has defined the auditable system events, rationale for the selection, and that the organization has defined how the auditable events will support after-action investigations of security events. |
The organization being inspected/assessed documents in the audit and accountability policy the list of auditable system events, the organization provides clearly stated rationale for the selection of each system event. The rationale will support any after-action investigations of security event. |
Audit Events |
AU-2 |
AU-2.4 |
An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures. Related controls: AC-6, AC-17, AU-3, AU-12, MA-4, MP-2, MP-4, SI-4. |
The organization:
a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];
b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event]. |
| CCI-000126 |
The organization determines that the organization-defined subset of the auditable events defined in AU-2 are to be audited within the information system. |
The organization conducting the inspection/assessment reviews the documented audit process as well as audit logs to ensure that the organization being inspected/assessed audits all auditable events defined in AU-2 (a) per occurrence.
DoD has defined the actions as all auditable events defined in AU-2 (a) per occurrence.
|
The organization conducting the inspection/assessment reviews the documented audit process as well as audit logs to ensure that the organization being inspected/assessed audits all auditable events defined in AU-2 (a) per occurrence.
DoD has defined the actions as all auditable events defined in AU-2 (a) per occurrence.
|
Audit Events |
AU-2 |
AU-2.5 |
An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures. Related controls: AC-6, AC-17, AU-3, AU-12, MA-4, MP-2, MP-4, SI-4. |
The organization:
a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];
b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event]. |
| CCI-000127 |
The organization reviews and updates the list of organization-defined audited events on an organization-defined frequency. |
The organization conducting the inspection/assessment reviews the audit trail showing reviews and updates to the list of audited events to ensure that the list is reviewed and updated annually or more frequently upon changes to situational awareness of threats or vulnerabilities.
DoD has defined the frequency as annually or more frequently upon changes to situational awareness of threats or vulnerabilities. |
The organization being inspected/assessed will conduct reviews of the list of auditable events as defined in AU-2 (d), CCI 1485 annually or more frequently upon changes to situational awareness of threats or vulnerabilities. The organization will generate and maintain an audit trail to document the completion of the review and update actions.
DoD has defined the frequency as annually or more frequently upon changes to situational awareness of threats or vulnerabilities. |
Audit Events | Reviews And Updates |
AU-2 (3) |
AU-2(3).1 |
Over time, the events that organizations believe should be audited may change. Reviewing and updating the set of audited events periodically is necessary to ensure that the current set is still necessary and sufficient. |
The organization reviews and updates the audited events [Assignment: organization-defined frequency]. |
| CCI-000128 |
The organization includes execution of privileged functions in the list of events to be audited by the information system. |
|
|
|
|
|
|
|
| CCI-000129 |
The organization defines in the auditable events that the information system must be capable of auditing based on a risk assessment and mission/business needs. |
|
|
|
|
|
|
|
| CCI-001484 |
The organization defines frequency of (or situation requiring) auditing for each identified event. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as all auditable events defined in AU-2 (a) per occurrence. |
DoD has defined the frequency as all auditable events defined in AU-2 (a) per occurrence. |
Audit Events |
AU-2 |
AU-2.6 |
An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures. Related controls: AC-6, AC-17, AU-3, AU-12, MA-4, MP-2, MP-4, SI-4. |
The organization:
a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];
b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event]. |
| CCI-001485 |
The organization defines the events which are to be audited on the information system on an organization-defined frequency of (or situation requiring) auditing for each identified event. |
The organization conducting the inspection/assessment obtains and examines
the documented list of events which are to be audited on the information system to ensure those events have been defined.
DoD has determined that the events are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents events which are to be audited on the information system. Events should be selected from the events the information system is capable of auditing as defined in AU-2 (a) and should be based on ongoing risk assessments of current threat information and environment.
DoD has determined that the events are not appropriate to define at the Enterprise level. |
Audit Events |
AU-2 |
AU-2.7 |
An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures. Related controls: AC-6, AC-17, AU-3, AU-12, MA-4, MP-2, MP-4, SI-4. |
The organization:
a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];
b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event]. |
| CCI-001486 |
The organization defines a frequency for reviewing and updating the list of organization-defined auditable events. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as annually or more frequently upon changes to situational awareness of threats or vulnerabilities. |
DoD has defined the frequency as annually or more frequently upon changes to situational awareness of threats or vulnerabilities. |
Audit Events | Reviews And Updates |
AU-2 (3) |
AU-2(3).2 |
Over time, the events that organizations believe should be audited may change. Reviewing and updating the set of audited events periodically is necessary to ensure that the current set is still necessary and sufficient. |
The organization reviews and updates the audited events [Assignment: organization-defined frequency]. |
| CCI-001572 |
The organization defines the personnel or roles to be alerted in the event of an audit processing failure. |
The organization conducting the inspection/assessment obtains and examines the documented list of personnel or roles who should be alerted in the event of audit processing failure to ensure the organization being inspected/assessed has either defined additional personnel or roles, or identified that there are no additional personnel or roles.
DoD has defined the personnel or roles as at a minimum, the SCA and ISSO. |
The organization being inspected/assessed defines and documents any personnel or roles, in addition to the SCA and ISSO, who shall be alerted in the event of audit processing failure. If there are no additional personnel or roles, the organization must also document that.
DoD has defined the personnel or roles as at a minimum, the SCA and ISSO. |
Response To Audit Processing Failures |
AU-5 |
AU-5.2 |
Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. Related controls: AU-4, SI-12. |
The information system:
a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and
b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)]. |
| CCI-001573 |
The organization defines whether to reject or delay network traffic that exceeds organization-defined thresholds. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the action to take as delay. |
DoD has defined the action to take as delay. |
Response To Audit Processing Failures | Configurable Traffic Volume Thresholds |
AU-5 (3) |
AU-5(3).2 |
Organizations have the capability to reject or delay the processing of network communications traffic if auditing such traffic is determined to exceed the storage capacity of the information system audit function. The rejection or delay response is triggered by the established organizational traffic volume thresholds which can be adjusted based on changes to audit storage capacity. |
The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity and [Selection: rejects; delays] network traffic above those thresholds. |
| CCI-001574 |
The information system rejects or delays, as defined by the organization, network traffic which exceed the organization-defined thresholds. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to delay network communications traffic exceeding the thresholds defined in AU-5 (3), CCI 1859.
DoD has defined the action to take as delay.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1574. |
The organization being inspected/assessed configures the information system to delay network communications traffic exceeding the thresholds defined in AU-5 (3), CCI 1859.
DoD has defined the action to take as delay.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1574. |
Response To Audit Processing Failures | Configurable Traffic Volume Thresholds |
AU-5 (3) |
AU-5(3).3 |
Organizations have the capability to reject or delay the processing of network communications traffic if auditing such traffic is determined to exceed the storage capacity of the information system audit function. The rejection or delay response is triggered by the established organizational traffic volume thresholds which can be adjusted based on changes to audit storage capacity. |
The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity and [Selection: rejects; delays] network traffic above those thresholds. |
| CCI-000139 |
The information system alerts designated organization-defined personnel or roles in the event of an audit processing failure. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to alert at a minimum, the SCA and ISSO in the event of an audit processing failure.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 139.
DoD has defined the personnel or roles as at a minimum, the SCA and ISSO. |
The organization being inspected/assessed configures the information system to alert at a minimum, the SCA and ISSO in the event of an audit processing failure.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 139.
DoD has defined the personnel or roles as at a minimum, the SCA and ISSO. |
Response To Audit Processing Failures |
AU-5 |
AU-5.1 |
Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. Related controls: AU-4, SI-12. |
The information system:
a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and
b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)]. |
| CCI-000140 |
The information system takes organization-defined actions upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records). |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to take actions as defined in AU-5, CCI 1490 upon audit failure.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 140. |
The organization being inspected/assessed configures the information system to take actions as defined in AU-5, CCI 1490 upon audit failure.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 140. |
Response To Audit Processing Failures |
AU-5 |
AU-5.3 |
Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. Related controls: AU-4, SI-12. |
The information system:
a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and
b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)]. |
| CCI-000143 |
The information system provides a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity. |
|
|
|
|
|
|
|
| CCI-000144 |
The information system provides a real-time alert when organization-defined audit failure events occur. |
|
|
|
|
|
|
|
| CCI-000145 |
The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity by delaying or rejecting network traffic which exceeds the organization-defined thresholds. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to delay network communications traffic exceeding the thresholds defined in AU-5 (3), CCI 1859.
DoD has defined the action to take as delay.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 145. |
The organization being inspected/assessed configures the information system to delay network communications traffic exceeding the thresholds defined in AU-5 (3), CCI 1859.
DoD has defined the action to take as delay.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 145. |
Response To Audit Processing Failures | Configurable Traffic Volume Thresholds |
AU-5 (3) |
AU-5(3).1 |
Organizations have the capability to reject or delay the processing of network communications traffic if auditing such traffic is determined to exceed the storage capacity of the information system audit function. The rejection or delay response is triggered by the established organizational traffic volume thresholds which can be adjusted based on changes to audit storage capacity. |
The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity and [Selection: rejects; delays] network traffic above those thresholds. |
| CCI-000146 |
The organization defines the percentage of maximum audit record storage capacity that when exceeded, a warning is provided. |
|
|
|
|
|
|
|
| CCI-000147 |
The organization defines the audit failure events requiring real-time alerts. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the audit failure events as all. |
DoD has defined the audit failure events as all. |
Response To Audit Processing Failures | Real-Time Alerts |
AU-5 (2) |
AU-5(2).1 |
Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less). |
The information system provides an alert in [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts]. |
| CCI-001343 |
The information system invokes a system shutdown in the event of an audit failure, unless an alternative audit capability exists. |
|
|
|
|
|
|
|
| CCI-001490 |
The organization defines actions to be taken by the information system upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records). |
The organization conducting the inspection/assessment obtains and examines the documented actions to ensure the organization being inspected/assessed has defined the actions to be taken by the information system upon audit failure.
DoD has determined that the actions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed will define and document actions to be taken by the information system upon audit failure. The organization shall consider trade-offs between the needs for system availability and audit integrity when defining the actions.
Unless availability is an overriding concern, the default action should be to shut down the information system.
DoD has determined that the actions are not appropriate to define at the Enterprise level. |
Response To Audit Processing Failures |
AU-5 |
AU-5.4 |
Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. Related controls: AU-4, SI-12. |
The information system:
a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and
b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)]. |
| CCI-001575 |
The organization defines the system or system component for storing audit records that is a different system or system component than the system or component being audited. |
The organization conducting the inspection/assessment obtains and examines
the information system or media documentation addressing the storage of backups of information system audit records; information system audit records; and any other relevant documents or records.
The purpose of the reviews is to ensure the organization has defined and documented a system or storage media different from the system or media being audited. |
The organization being inspected/assessed defines and documents a system or storage media that will be used to store information system audit data different and separate from the system or media generating the audit data. |
Protection Of Audit Information | Audit Backup On Separate Physical Systems / Components |
AU-9 (2) |
AU-9(2).3 |
This control enhancement helps to ensure that a compromise of the information system being audited does not also result in a compromise of the audit records. Related controls: AU-4, AU-5, AU-11. |
The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited. |
| CCI-000162 |
The information system protects audit information from unauthorized access. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to disallow unauthorized access to audit information.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 162. |
The organization being inspected/assessed configures the information system to disallow unauthorized access to audit information.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 162. |
Protection Of Audit Information |
AU-9 |
AU-9.1 |
Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls. Related controls: AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6. |
The information system protects audit information and audit tools from unauthorized access, modification, and deletion. |
| CCI-000163 |
The information system protects audit information from unauthorized modification. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to disallow unauthorized modification of audit information.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 163. |
The organization being inspected/assessed configures the information system to disallow unauthorized modification of audit information.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 163. |
Protection Of Audit Information |
AU-9 |
AU-9.2 |
Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls. Related controls: AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6. |
The information system protects audit information and audit tools from unauthorized access, modification, and deletion. |
| CCI-000164 |
The information system protects audit information from unauthorized deletion. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to disallow unauthorized deletion of audit information.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 164. |
The organization being inspected/assessed configures the information system to disallow unauthorized deletion of audit information.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 164. |
Protection Of Audit Information |
AU-9 |
AU-9.3 |
Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls. Related controls: AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6. |
The information system protects audit information and audit tools from unauthorized access, modification, and deletion. |
| CCI-000165 |
The information system writes audit records to hardware-enforced, write-once media. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to write audit records to hardware-enforced, write-once media.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 165. |
The organization being inspected/assessed configures the information system to write audit records to hardware-enforced, write-once media.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 165. |
Protection Of Audit Information | Hardware Write-Once Media |
AU-9 (1) |
AU-9(1).1 |
This control enhancement applies to the initial generation of audit trails (i.e., the collection of audit records that represents the audit information to be used for detection, analysis, and reporting purposes) and to the backup of those audit trails. The enhancement does not apply to the initial generation of audit records prior to being written to an audit trail. Write-once, read-many (WORM) media includes, for example, Compact Disk-Recordable (CD-R) and Digital Video Disk-Recordable (DVD-R). In contrast, the use of switchable write-protection media such as on tape cartridges or Universal Serial Bus (USB) drives results in write-protected, but not write-once, media. Related controls: AU-4, AU-5. |
The information system writes audit trails to hardware-enforced, write-once media. |
| CCI-001348 |
The information system backs up audit records on an organization-defined frequency onto a different system or system component than the system or component being audited. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to back up audit records at least every seven days.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1348.
DoD has defined the frequency as every seven days. |
The organization being inspected/assessed configures the information system to back up audit records at least every seven days.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1348.
DoD has defined the frequency as every seven days. |
Protection Of Audit Information | Audit Backup On Separate Physical Systems / Components |
AU-9 (2) |
AU-9(2).1 |
This control enhancement helps to ensure that a compromise of the information system being audited does not also result in a compromise of the audit records. Related controls: AU-4, AU-5, AU-11. |
The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited. |
| CCI-001349 |
The organization defines a frequency for backing up system audit records onto a different system or system component than the system or component being audited. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as every seven days. |
DoD has defined the frequency as every seven days. |
Protection Of Audit Information | Audit Backup On Separate Physical Systems / Components |
AU-9 (2) |
AU-9(2).2 |
This control enhancement helps to ensure that a compromise of the information system being audited does not also result in a compromise of the audit records. Related controls: AU-4, AU-5, AU-11. |
The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited. |
| CCI-001350 |
The information system implements cryptographic mechanisms to protect the integrity of audit information. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to implement cryptographic mechanisms to protect the integrity of audit information.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1350. |
The organization being inspected/assessed configures the information system to implement cryptographic mechanisms to protect the integrity of audit information.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1350. |
Protection Of Audit Information | Cryptographic Protection |
AU-9 (3) |
AU-9(3).1 |
Cryptographic mechanisms used for protecting the integrity of audit information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. Related controls: AU-10, SC-12, SC-13. |
The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools. |
| CCI-001351 |
The organization authorizes access to management of audit functionality to only an organization-defined subset of privileged users. |
The organization conducting the inspection/assessment obtains and examines the documentation of access authorizations for the management of audit functionality to ensure only the subset of privileged users defined in AU-9 (4), CCI 1894 have been granted access authorization. |
The organization being inspected/assessed authorizes access to the management of audit functionality to only the subset of privileged users defined in AU-9 (4), CCI 1894. |
Protection Of Audit Information | Access By Subset Of Privileged Users |
AU-9 (4) |
AU-9(4).2 |
Individuals with privileged access to an information system and who are also the subject of an audit by that system, may affect the reliability of audit information by inhibiting audit activities or modifying audit records. This control enhancement requires that privileged access be further defined between audit-related privileges and other privileges, thus limiting the users with audit-related privileges. Related control: AC-5. |
The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users]. |
| CCI-001352 |
The organization protects the audit records of non-local accesses to privileged accounts and the execution of privileged functions. |
|
|
|
|
|
|
|
| CCI-001493 |
The information system protects audit tools from unauthorized access. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to disallow unauthorized access to audit tools.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1493. |
The organization being inspected/assessed configures the information system to disallow unauthorized access to audit tools.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1493. |
Protection Of Audit Information |
AU-9 |
AU-9.4 |
Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls. Related controls: AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6. |
The information system protects audit information and audit tools from unauthorized access, modification, and deletion. |
| CCI-001494 |
The information system protects audit tools from unauthorized modification. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to disallow unauthorized modification of audit tools.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1494. |
The organization being inspected/assessed configures the information system to disallow unauthorized modification of audit tools.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1494. |
Protection Of Audit Information |
AU-9 |
AU-9.5 |
Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls. Related controls: AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6. |
The information system protects audit information and audit tools from unauthorized access, modification, and deletion. |
| CCI-001495 |
The information system protects audit tools from unauthorized deletion. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to disallow unauthorized deletion of audit tools.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1495. |
The organization being inspected/assessed configures the information system to disallow unauthorized deletion of audit tools.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1495. |
Protection Of Audit Information |
AU-9 |
AU-9.6 |
Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls. Related controls: AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6. |
The information system protects audit information and audit tools from unauthorized access, modification, and deletion. |
| CCI-001496 |
The information system implements cryptographic mechanisms to protect the integrity of audit tools. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to implement cryptographic mechanisms to protect the integrity of audit tools.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1496. |
The organization being inspected/assessed configures the information system to implement cryptographic mechanisms to protect the integrity of audit tools.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1496. |
Protection Of Audit Information | Cryptographic Protection |
AU-9 (3) |
AU-9(3).2 |
Cryptographic mechanisms used for protecting the integrity of audit information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. Related controls: AU-10, SC-12, SC-13. |
The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools. |
| CCI-001576 |
The information system produces a system-wide (logical or physical) audit trail of information system audit records. |
|
|
|
|
|
|
|
| CCI-001577 |
The organization defines the information system components from which audit records are to be compiled into the system-wide audit trail. |
The organization conducting the inspection/assessment obtains and examines the system-wide audit trail documentation to ensure the organization being inspected/assessed maintains a current list of information system components.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed will define and document the information system components from which audit records are to be compiled into the system-wide audit trail. The organization will periodically update this list to ensure it is current.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
Audit Generation | System-Wide / Time-Correlated Audit Trail |
AU-12 (1) |
AU-12(1).3 |
Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances. Related controls: AU-8, AU-12. |
The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail]. |
| CCI-000169 |
The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components. |
The organization conducting the inspection/assessment examines the information system to ensure that all information system and network components provide audit record generation capability for the auditable events defined in AU-2 a.
DoD has defined the information system components as all information system and network components. |
The organization being inspected/assessed acquires or designs all information system and network components that provide audit record generation capability for the auditable events defined in AU-2 a.
DoD has defined the information system components as all information system and network components. |
Audit Generation |
AU-12 |
AU-12.1 |
Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records. Related controls: AC-3, AU-2, AU-3, AU-6, AU-7. |
The information system:
a. Provides audit record generation capability for the auditable events defined in AU-2 at [Assignment: organization-defined information system components];
b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and
c. Generates audit records for the audited events defined in AU-2 with the content defined in AU-3. |
| CCI-000171 |
The information system allows organization-defined personnel or roles to select which auditable events are to be audited by specific components of the information system. |
The organization conducting the inspection/assessment examines a sampling of information system components and confirms that the individuals capable of selecting auditable events are the ISSM or individuals appointed by the ISSM.
DoD has defined the personnel or roles as the ISSM or individuals appointed by the ISSM. |
The organization being inspected/assessed configures the information system to ensure that only the ISSM or individuals appointed by the ISSM select which auditable events are to be audited by specific components of the information system.
DoD has defined the personnel or roles as the ISSM or individuals appointed by the ISSM. |
Audit Generation |
AU-12 |
AU-12.3 |
Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records. Related controls: AC-3, AU-2, AU-3, AU-6, AU-7. |
The information system:
a. Provides audit record generation capability for the auditable events defined in AU-2 at [Assignment: organization-defined information system components];
b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and
c. Generates audit records for the audited events defined in AU-2 with the content defined in AU-3. |
| CCI-000172 |
The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. |
The organization conducting the inspection/assessment examines the information system to ensure that the system generates audit records for the events defined in AU-2 d with the content defined in AU-3.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 172. |
The organization being inspected/assessed configures the information system to generate audit records for the events defined in AU-2 d with the content defined in AU-3.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 172. |
Audit Generation |
AU-12 |
AU-12.5 |
Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records. Related controls: AC-3, AU-2, AU-3, AU-6, AU-7. |
The information system:
a. Provides audit record generation capability for the auditable events defined in AU-2 at [Assignment: organization-defined information system components];
b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and
c. Generates audit records for the audited events defined in AU-2 with the content defined in AU-3. |
| CCI-000173 |
The organization defines the level of tolerance for relationship between time stamps of individual records in the audit trail that will be used for correlation. |
The organization conducting the inspection/assessment reviews the organization's audit and accountability policy and procedures addressing audit record generation and retention; information system audit configuration settings and associated documentation; information system audit records; and any other relevant documents or records. The objective is to validate the organization has defined and documented its level of tolerance for variation in the time stamps applied to the audit data generated by the organization's information systems.
DoD has determined that the level of tolerance is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed will define and document their level of tolerance for variation in the time stamps applied to the audit data generated by the organization's information systems.
DoD has determined that the level of tolerance is not appropriate to define at the Enterprise level. |
Audit Generation | System-Wide / Time-Correlated Audit Trail |
AU-12 (1) |
AU-12(1).1 |
Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances. Related controls: AU-8, AU-12. |
The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail]. |
| CCI-000174 |
The information system compiles audit records from organization-defined information system components into a system-wide (logical or physical) audit trail that is time-correlated to within an organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail. |
The organization conducting the inspection/assessment examines the information system to ensure the information system is configured to compile audit records from information system components defined in AU-12 (1), CCI 1577 into a system-wide (logical or physical) audit trail that is time-correlated to within the level of tolerance defined in AU-12 (1), CCI-000173 for relationship between time stamps of individual records in the audit trail.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 174. |
The organization being inspected/assessed configures the information system to compile audit records from information system components defined in AU-12 (1), CCI 1577 into a system-wide (logical or physical) audit trail that is time-correlated to within the level of tolerance defined in AU-12 (1), CCI-000173 for relationship between time stamps of individual records in the audit trail.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 174. |
Audit Generation | System-Wide / Time-Correlated Audit Trail |
AU-12 (1) |
AU-12(1).2 |
Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances. Related controls: AU-8, AU-12. |
The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail]. |
| CCI-001459 |
The organization defines information system components that provide audit record generation capability. |
DoD has defined the information system components as all information system and network components. |
DoD has defined the information system components as all information system and network components. |
Audit Generation |
AU-12 |
AU-12.2 |
Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records. Related controls: AC-3, AU-2, AU-3, AU-6, AU-7. |
The information system:
a. Provides audit record generation capability for the auditable events defined in AU-2 at [Assignment: organization-defined information system components];
b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and
c. Generates audit records for the audited events defined in AU-2 with the content defined in AU-3. |
| CCI-001353 |
The information system produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format. |
The organization conducting the inspection/assessment examines the information system to ensure the information system is configured to produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1353. |
The organization being inspected/assessed configures the information system to produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1353. |
Audit Generation | Standardized Formats |
AU-12 (2) |
AU-12(2).1 |
Audit information that is normalized to common standards promotes interoperability and exchange of such information between dissimilar devices and information systems. This facilitates production of event information that can be more readily analyzed and correlated. Standard formats for audit records include, for example, system log records and audit records compliant with Common Event Expressions (CEE). If logging mechanisms within information systems do not conform to standardized formats, systems may convert individual audit records into standardized formats when compiling system-wide audit trails. |
The information system produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format. |
| CCI-001578 |
The organization defines the frequency to review and update the current security assessment and authorization procedures. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as annually. |
DoD has defined the frequency as annually. |
Security Assessment And Authorization Policy And Procedures |
CA-1 |
CA-1.10 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and
b. Reviews and updates the current:
1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and
2. Security assessment and authorization procedures [Assignment: organization-defined frequency]. |
| CCI-000238 |
The organization defines the frequency to review and update the current security assessment and authorization policy. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as every 5 years. |
DoD has defined the frequency as every 5 years. |
Security Assessment And Authorization Policy And Procedures |
CA-1 |
CA-1.7 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and
b. Reviews and updates the current:
1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and
2. Security assessment and authorization procedures [Assignment: organization-defined frequency]. |
| CCI-000239 |
The organization develops and documents a security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
DoDI 8510.01 meets the DoD requirement for security assessment authorization policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01. |
DoDI 8510.01 meets the DoD requirement for security assessment authorization policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01. |
Security Assessment And Authorization Policy And Procedures |
CA-1 |
CA-1.3 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and
b. Reviews and updates the current:
1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and
2. Security assessment and authorization procedures [Assignment: organization-defined frequency]. |
| CCI-000240 |
The organization disseminates to organization-defined personnel or roles a security assessment and authorization policy. |
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01. |
DoD disseminates DoDI 8510.01 organization-wide via the DoD Issuances website.
http://www.dtic.mil/whs/directives/corres/ins1.html |
Security Assessment And Authorization Policy And Procedures |
CA-1 |
CA-1.4 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and
b. Reviews and updates the current:
1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and
2. Security assessment and authorization procedures [Assignment: organization-defined frequency]. |
| CCI-000241 |
The organization reviews and updates the current security assessment and authorization policy in accordance with organization-defined frequency. |
DoDI 8510.01 meets the DoD requirement for security assessment authorization policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01. |
DoDI 8510.01 meets the DoD requirement for security assessment authorization policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01. |
Security Assessment And Authorization Policy And Procedures |
CA-1 |
CA-1.8 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and
b. Reviews and updates the current:
1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and
2. Security assessment and authorization procedures [Assignment: organization-defined frequency]. |
| CCI-000242 |
The organization develops and documents procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls. |
The organization conducting the inspection/assessment obtains and examines the procedures to ensure the organization being inspected/assessedd evelops and documents procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls IAW DoDI 8510.01 |
The organization being inspected/assessed develops and documents, IAW DoDI 8510.01, procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls. |
Security Assessment And Authorization Policy And Procedures |
CA-1 |
CA-1.5 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and
b. Reviews and updates the current:
1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and
2. Security assessment and authorization procedures [Assignment: organization-defined frequency]. |
| CCI-000243 |
The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls. |
The organization conducting the inspection/assessment obtains and examines the AUP (Acceptable Use Policy), appointment orders, or written policy requiring that all personnel register at the DTIC website to receive update notifications.
DoD has defined the personnel or roles as all personnel. |
The organization being inspected/assessed will require all personnel to register at the DTIC website to receive update notifications to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls.
DoD has defined the personnel or roles as all personnel.
|
Security Assessment And Authorization Policy And Procedures |
CA-1 |
CA-1.6 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and
b. Reviews and updates the current:
1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and
2. Security assessment and authorization procedures [Assignment: organization-defined frequency]. |
| CCI-000244 |
The organization reviews and updates the current security assessment and authorization procedures in accordance with organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the audit trail of review and update activity to ensure the organization being inspected/assessed reviews and updates, IAW DoDI 8510.01, the current security assessment and authorization procedures annually.
|
The organization being inspected/assessed reviews and updates, IAW DoDI 8510.01, the current security assessment and authorization procedures annually.
The organization must maintain an audit trail of review and update activity.
DoD has defined the frequency as annually. |
Security Assessment And Authorization Policy And Procedures |
CA-1 |
CA-1.9 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and
b. Reviews and updates the current:
1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and
2. Security assessment and authorization procedures [Assignment: organization-defined frequency]. |
| CCI-001579 |
The organization conducts security control assessments using organization-defined forms of testing in accordance with organization-defined frequency and assessment techniques. |
|
|
|
|
|
|
|
| CCI-000245 |
The organization develops a security assessment plan for the information system and its environment of operation. |
The organization conducting the inspection/assessment obtains and examines the Security Plan to validate *security assessment blocks* are complete. |
The organization being inspected/assessed will document these security assessment plan requirements as part of the DoD approved Security Plan.
Security plan templates are provided through eMASS and the Knowledge Service.
*Comment*
The items required within this control are being split into the security plan and security assessment report to eliminate creation of an additional artifact. |
Security Assessments |
CA-2 |
CA-2.1 |
Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives.
To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4. |
The organization:
a. Develops a security assessment plan that describes the scope of the assessment including:
1. Security controls and control enhancements under assessment;
2. Assessment procedures to be used to determine security control effectiveness; and
3. Assessment environment, assessment team, and assessment roles and responsibilities;
b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]. |
| CCI-000246 |
The organization's security assessment plan describes the security controls and control enhancements under assessment. |
The organization conducting the inspection/assessment obtains the security assessment plan to verify the plan identifies the security controls and those control enhancements under assessment. |
The organization being inspected/assessed will ensure the Security Plan identifies the security controls and control enhancements under assessment.
*Comment*
The items required within this control are being split into the security plan and security assessment report to eliminate creation of an additional artifact. |
Security Assessments |
CA-2 |
CA-2.2 |
Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives.
To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4. |
The organization:
a. Develops a security assessment plan that describes the scope of the assessment including:
1. Security controls and control enhancements under assessment;
2. Assessment procedures to be used to determine security control effectiveness; and
3. Assessment environment, assessment team, and assessment roles and responsibilities;
b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]. |
| CCI-000247 |
The organization's security assessment plan describes assessment procedures to be used to determine security control effectiveness. |
DoD components are automatically compliant with this CCI if using the implementation guidance and validation procedures on the Knowledge Service.
If the organization being inspected/assessed is using alternative implementation guidance and validation procedures, the organization conducting the inspection/assessment will obtain and examine those procedures. |
The implementation guidance and validation procedures posted on the Knowledge Service constitutes assessment procedures for DoD.
If organizations being inspected/assessed use assessment procedures other than those posted on the Knowledge Service, those procedures must be documented.
*Comment*
The items required within this CCI are being split into the security plan and security assessment report to eliminate creation of an additional artifact. |
Security Assessments |
CA-2 |
CA-2.3 |
Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives.
To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4. |
The organization:
a. Develops a security assessment plan that describes the scope of the assessment including:
1. Security controls and control enhancements under assessment;
2. Assessment procedures to be used to determine security control effectiveness; and
3. Assessment environment, assessment team, and assessment roles and responsibilities;
b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]. |
| CCI-000248 |
The organization's security assessment plan describes assessment environment. |
The organization conducting the inspection/assessment obtains and examines the organization's authorization boundary.
Authorization boundary can be described via one or more of the following: network diagrams, data flow diagrams, system design documents, or a list of information system components. |
The organization being inspected/assessed will provide a description of the authorization boundary in their Security Plan.
Authorization boundary can be described via one or more of the following: network diagrams, data flow diagrams, system design documents, or a list of information system components.
Authorization boundary as defined in CNSSI 4009.
*Comment*
The items required within this control are being split into the security plan and security assessment report to eliminate creation of an additional artifact. |
Security Assessments |
CA-2 |
CA-2.4 |
Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives.
To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4. |
The organization:
a. Develops a security assessment plan that describes the scope of the assessment including:
1. Security controls and control enhancements under assessment;
2. Assessment procedures to be used to determine security control effectiveness; and
3. Assessment environment, assessment team, and assessment roles and responsibilities;
b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]. |
| CCI-000249 |
The organizations security assessment plan describes the assessment team. |
|
|
|
|
|
|
|
| CCI-000250 |
The organization's security assessment plan describes assessment roles and responsibilities. |
|
|
|
|
|
|
|
| CCI-000251 |
The organization assesses, on an organization-defined frequency, the security controls in the information system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements. |
See CA-2 c
"The organization conducting the inspection/assessment obtains and examines the security assessment report to verify that it includes the compliance/non-compliance status of all controls and specific deficiencies for all non-compliant controls." |
In accordance with DoD's published guidance, the organization being inspected/assessed will utilize the implementation guidance and validation procedures published on the Knowledge Service to evaluate the implementation status of the applicable controls.
DoD has defined the frequency as annually for technical controls, annually for a portion of management and operational controls, such that all are reviewed in a 3 year period, except for those requiring more frequent review as defined in other site or overarching policy. (NOTE: Technical, Management and Operational is IAW NIST SP 800-53 Table 1-1).
*Comment*
The items required within this control are being split into the security plan and security assessment report to eliminate creation of an additional artifact. |
Security Assessments |
CA-2 |
CA-2.6 |
Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives.
To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4. |
The organization:
a. Develops a security assessment plan that describes the scope of the assessment including:
1. Security controls and control enhancements under assessment;
2. Assessment procedures to be used to determine security control effectiveness; and
3. Assessment environment, assessment team, and assessment roles and responsibilities;
b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]. |
| CCI-000252 |
The organization defines the frequency on which the security controls in the information system and its environment of operation are assessed. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as annually for technical controls, annually for a portion of management and operation controls such that all are reviewed in a 3 year period except for those requiring more frequent review as defined in other site or overarching policy. NOTE: Technical, Management and Operational is IAW NIST SP 800-53 Table 1-1. |
DoD has defined the frequency as annually for technical controls, annually for a portion of management and operation controls such that all are reviewed in a 3 year period except for those requiring more frequent review as defined in other site or overarching policy. NOTE: Technical, Management and Operational is IAW NIST SP 800-53 Table 1-1.
*Comment*
The items required within this control are being split into the security plan and security assessment report to eliminate creation of an additional artifact. |
Security Assessments |
CA-2 |
CA-2.7 |
Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives.
To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4. |
The organization:
a. Develops a security assessment plan that describes the scope of the assessment including:
1. Security controls and control enhancements under assessment;
2. Assessment procedures to be used to determine security control effectiveness; and
3. Assessment environment, assessment team, and assessment roles and responsibilities;
b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]. |
| CCI-000253 |
The organization produces a security assessment report that documents the results of the assessment against the information system and its environment of operation. |
The organization conducting the inspection/assessment obtains and examines the SAR to verify that it includes the compliance/non-compliance status of all controls and specific deficiencies for all non-compliant controls. |
The organization being inspected/assessed will develop a SAR that includes the compliance/non-compliance status of all controls and specific deficiencies for all non-compliant controls using the template available on the Knowledge Service.
*Comment*
The items required within this control are being split into the security plan and security assessment report to eliminate creation of an additional artifact. |
Security Assessments |
CA-2 |
CA-2.8 |
Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives.
To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4. |
The organization:
a. Develops a security assessment plan that describes the scope of the assessment including:
1. Security controls and control enhancements under assessment;
2. Assessment procedures to be used to determine security control effectiveness; and
3. Assessment environment, assessment team, and assessment roles and responsibilities;
b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]. |
| CCI-000254 |
The organization provides the results of the security control assessment against the information system and its environment of operation to organization-defined individuals or roles. |
The organization conducting the inspection/assessment interviews at a minimum, the ISSO and ISSM to ensure the SAR has been received.
DoD has defined the individuals or roles as at a minimum, the ISSO and ISSM.
|
The organization being inspected/assessed will provide the SAR to at a minimum, the ISSO and ISSM.
DoD has defined the individuals or roles as at a minimum, the ISSO and ISSM.
*Comment*
The items required within this control are being split into the security plan and security assessment report to eliminate creation of an additional artifact.
|
Security Assessments |
CA-2 |
CA-2.9 |
Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives.
To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4. |
The organization:
a. Develops a security assessment plan that describes the scope of the assessment including:
1. Security controls and control enhancements under assessment;
2. Assessment procedures to be used to determine security control effectiveness; and
3. Assessment environment, assessment team, and assessment roles and responsibilities;
b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]. |
| CCI-000255 |
The organization employs assessors or assessment teams with an organization-defined level of independence to conduct security control assessments of organizational information systems. |
The organization conducting the inspection/assessment obtains and examines the level of independence defined in CA-2 (1), CCI 2064 to ensure that they, as the assessor, meet the required level of independence. |
The organization being inspected/assessed will employ assessors and assessor teams with the level of independence defined in CA-2 (1), CCI 2064 to conduct security control assessments of organizational information systems. |
Security Assessments | Independent Assessors |
CA-2 (1) |
CA-2(1).1 |
Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of organizational information systems. Impartiality implies that assessors are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the organizational information systems under assessment or to the determination of security control effectiveness. To achieve impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in positions of advocacy for the organizations acquiring their services. Independent assessments can be obtained from elements within organizations or can be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of information systems and/or the ultimate risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. This includes determining whether contracted security assessment services have sufficient independence, for example, when information system owners are not directly involved in contracting processes or cannot unduly influence the impartiality of assessors conducting assessments. In special situations, for example, when organizations that own the information systems are small or organizational structures require that assessments are conducted by individuals that are in the developmental, operational, or management chain of system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Organizations recognize that assessments performed for purposes other than direct support to authorization decisions are, when performed by assessors with sufficient independence, more likely to be useable for such decisions, thereby reducing the need to repeat assessments. |
The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to conduct security control assessments. |
| CCI-000256 |
The organization includes, as part of security control assessments announced or unannounced, one or more of the following: in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; and organization-defined other forms of security assessment on an organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the test and exercise plan documented in the security assessment plan as well as the results of one or more of the latest security assessments to ensure the organization being inspected/assessed is conducting the assessments required in their security assessment plan annually.
DoD has defined the frequency as annually. |
The organization being assessed/inspected must document how they will annually conduct tests and exercises of the implemented security controls in their security assessment plan. The tests and exercises may consist of activities such as in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; or other forms of security assessment defined in CA-2 (2), CCI 1582.
Vulnerability scans are not the same as penetration testing.
DoD has defined the frequency as annually. |
Security Assessments | Specialized Assessments |
CA-2 (2) |
CA-2(2).1 |
Organizations can employ information system monitoring, insider threat assessments, malicious user testing, and other forms of testing (e.g., verification and validation) to improve readiness by exercising organizational capabilities and indicating current performance levels as a means of focusing actions to improve security. Organizations conduct assessment activities in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can incorporate vulnerabilities uncovered during assessments into vulnerability remediation processes. Related controls: PE-3, SI-2. |
The organization includes as part of security control assessments, [Assignment: organization- defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]]. |
| CCI-001580 |
The organization identifies connections to external information systems (i.e., information systems outside of the authorization boundary). |
|
|
|
|
|
|
|
| CCI-000257 |
The organization authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements. |
The organization conducting the inspection/assessment obtains and examines documentation of the Interconnection Security Agreements to include appropriate signatures.
Policy Note:
Interconnection security agreements are required for systems connecting between enclaves that require the hosting enclave to enable PPS outside of their already established and approved business practices. Connections can include both DoD enclaves or non DoD enclaves. |
The organization being inspected/assessed will develop and certify, by appropriate signatures (e.g. AO, network managers), Interconnection Security Agreements (e.g., MOU, MOA, SLA) authorizing the connection of its information systems to other information systems.
Policy Note:
Interconnection security agreements are required for systems connecting between enclaves that require the hosting enclave to enable PPS outside of their already established and approved business practices. Connections can include both DoD enclaves or non DoD enclaves. |
System Interconnections |
CA-3 |
CA-3.1 |
This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls. Related controls: AC-3, AC-4, AC-20, AU-2, AU-12, AU-16, CA-7, IA-3, SA-9, SC-7, SI-4. |
The organization:
a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;
b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and
c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency]. |
| CCI-000258 |
The organization documents, for each interconnection, the interface characteristics. |
The organization conducting the inspection/assessment obtains and examines interconnection security agreement documentation.
Policy Note:
Interconnection security agreements are required for systems connecting between enclaves that require the hosting enclave to enable PPS outside of their already established and approved business practices. Connections can include both DoD enclaves or non DoD enclaves. |
The organization being inspected/assessed will document the interface characteristics for each interconnection.
Use of external reporting databases for these characteristics when tied to the specific interconnection is acceptable (e.g., ports, protocols, and services).
Policy Note:
Interconnection security agreements are required for systems connecting between enclaves that require the hosting enclave to enable PPS outside of their already established and approved business practices. Connections can include both DoD enclaves or non DoD enclaves. |
System Interconnections |
CA-3 |
CA-3.2 |
This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls. Related controls: AC-3, AC-4, AC-20, AU-2, AU-12, AU-16, CA-7, IA-3, SA-9, SC-7, SI-4. |
The organization:
a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;
b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and
c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency]. |
| CCI-000259 |
The organization documents, for each interconnection, the security requirements. |
The organization conducting the inspection/assessment obtains and examines interconnection security agreement documentation, specifically looking at any additional security controls identified for
implementation.
Policy Note:
Interconnection security agreements are required for systems connecting between enclaves that require the hosting enclave to enable PPS outside of their already established and approved business practices. Connections can include both DoD enclaves or non DoD enclaves. |
The organization being inspected/assessed will, for each interconnection, identify and document any additional security controls to be implemented to protect the confidentiality, integrity, and availability of the connected systems and the data passing between them. Controls should be appropriate for the systems to be connected and the environment in which the interconnection will operate.
Policy Note:
Interconnection security agreements are required for systems connecting between enclaves that require the hosting enclave to enable PPS outside of their already established and approved business practices. Connections can include both DoD enclaves or non DoD enclaves. |
System Interconnections |
CA-3 |
CA-3.3 |
This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls. Related controls: AC-3, AC-4, AC-20, AU-2, AU-12, AU-16, CA-7, IA-3, SA-9, SC-7, SI-4. |
The organization:
a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;
b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and
c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency]. |
| CCI-000260 |
The organization documents, for each interconnection, the nature of the information communicated. |
The organization conducting the inspection/assessment obtains and examines the interconnection security agreement documentation, specifically to identify the type of information being transferred/transmitted.
Characteristics will include but are not limited to: classification, information type (e.g. PII, HIPAA, FOUO, financial data, etc.)
Policy Note:
Interconnection security agreements are required for systems connecting between enclaves that require the hosting enclave to enable PPS outside of their already established and approved business practices. Connections can include both DoD enclaves or non DoD enclaves. |
The organization being inspected/assessed will document in the interconnection security agreement the type of information being transferred/transmitted.
Characteristics will include but are not limited to: classification, information type (e.g. PII, HIPAA, FOUO, financial data, etc.)
Policy Note:
Interconnection security agreements are required for systems connecting between enclaves that require the hosting enclave to enable PPS outside of their already established and approved business practices. Connections can include both DoD enclaves or non DoD enclaves. |
System Interconnections |
CA-3 |
CA-3.4 |
This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls. Related controls: AC-3, AC-4, AC-20, AU-2, AU-12, AU-16, CA-7, IA-3, SA-9, SC-7, SI-4. |
The organization:
a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;
b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and
c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency]. |
| CCI-000261 |
The organization monitors the information system connections on an ongoing basis to verify enforcement of security requirements. |
|
|
|
|
|
|
|
| CCI-000262 |
The organization prohibits the direct connection of an organization-defined unclassified, national security system to an external network without the use of an organization-defined boundary protection device. |
The organization conducting the inspection/assessment obtains and examines policy document prohibiting direct connection of all unclassified NSS to external networks without the use of a boundary protection device defined in CA-3 (1), CCI 262.
DoD has defined the unclassified, national security systems as all unclassified NSS. |
The organization being inspected/assessed documents in its policy and procedures addressing information system connections, the organization will prohibit DoD has defined the unclassified, national security systems as all unclassified NSS from having a direct connection to an external network without the use of a boundary protection device defined in CA-3 (1), CCI 262.
DoD has defined the unclassified, national security systems as all unclassified NSS. |
System Interconnections | Unclassified National Security System Connections |
CA-3 (1) |
CA-3(1).1 |
Organizations typically do not have control over external networks (e.g., the Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between unclassified national security systems and external networks. This control enhancement is required for organizations processing, storing, or transmitting Controlled Unclassified Information (CUI). |
The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]. |
| CCI-000263 |
The organization prohibits the direct connection of a classified, national security system to an external network without the use of organization-defined boundary protection device. |
The organization conducting the inspection/assessment obtains and examines network topology diagrams and examines the information system to ensure the organization being inspected/assessed does not connect any national security systems to an external network without the use of protection devices defined in CA-3 (2), CCI 2074. |
The organization being inspected/assessed does not connect any national security systems to an external network without the use of protection devices defined in CA-3 (2), CCI 2074. |
System Interconnections | Classified National Security System Connections |
CA-3 (2) |
CA-3(2).1 |
Organizations typically do not have control over external networks (e.g., the Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between classified national security systems and external networks. In addition, approved boundary protection devices (typically managed interface/cross-domain systems) provide information flow enforcement from information systems to external networks. |
The organization prohibits the direct connection of a classified, national security system to an external network without the use of [Assignment; organization-defined boundary protection device]. |
| CCI-001581 |
The organization defines personnel or roles to whom the security status of the organization and the information system should be reported. |
Future DoD-wide CM guidance to be published |
Future DoD-wide CM guidance to be published |
Continuous Monitoring |
CA-7 |
CA-7.11 |
Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4. |
The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. Establishment of [Assignment: organization-defined metrics] to be monitored;
b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
e. Correlation and analysis of security-related information generated by assessments and monitoring;
f. Response actions to address results of the analysis of security-related information; and
g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. |
| CCI-001582 |
The organization defines other forms of security assessments other than in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; and performance/load testing that should be included as part of security control assessments. |
The organization conducting the inspection/assessment obtains and examines the documented other forms of security assessments to ensure the organization being inspected/assessed defines other forms of security assessments other than in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment and performance/load testing that should be included as part of security control assessments.
DoD has determined the other forms of security assessments are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents other forms of security assessments other than in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment and performance/load testing that should be included as part of security control assessments.
DoD has determined the other forms of security assessments are not appropriate to define at the Enterprise level. |
Security Assessments | Specialized Assessments |
CA-2 (2) |
CA-2(2).2 |
Organizations can employ information system monitoring, insider threat assessments, malicious user testing, and other forms of testing (e.g., verification and validation) to improve readiness by exercising organizational capabilities and indicating current performance levels as a means of focusing actions to improve security. Organizations conduct assessment activities in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can incorporate vulnerabilities uncovered during assessments into vulnerability remediation processes. Related controls: PE-3, SI-2. |
The organization includes as part of security control assessments, [Assignment: organization- defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]]. |
| CCI-001583 |
The organization selects announced or unannounced assessments for each form of security control assessment. |
The organization conducting the inspection/assessment obtains and examines the documented list of security control assessment techniques defined in CA-2 (2), CCI 2064 and verifies that the security assessment plan defines whether the assessment is announced or unannounced. |
The organization being inspected/assessed selects and documents whether announced or unannounced assessments are required for each form of security control assessment that was selected as part of CA-2 (2), CCI 2064.
DoD has determined the announced or unannounced nature of the assessments is not appropriate to define at the Enterprise level. |
Security Assessments | Specialized Assessments |
CA-2 (2) |
CA-2(2).3 |
Organizations can employ information system monitoring, insider threat assessments, malicious user testing, and other forms of testing (e.g., verification and validation) to improve readiness by exercising organizational capabilities and indicating current performance levels as a means of focusing actions to improve security. Organizations conduct assessment activities in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can incorporate vulnerabilities uncovered during assessments into vulnerability remediation processes. Related controls: PE-3, SI-2. |
The organization includes as part of security control assessments, [Assignment: organization- defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]]. |
| CCI-000274 |
The organization develops a continuous monitoring strategy. |
Future DoD-wide CM guidance to be published |
Future DoD-wide CM guidance to be published |
Continuous Monitoring |
CA-7 |
CA-7.1 |
Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4. |
The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. Establishment of [Assignment: organization-defined metrics] to be monitored;
b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
e. Correlation and analysis of security-related information generated by assessments and monitoring;
f. Response actions to address results of the analysis of security-related information; and
g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. |
| CCI-000275 |
The organization implements a continuous monitoring program that includes a configuration management process for the information system. |
|
|
|
|
|
|
|
| CCI-000276 |
The organization implements a continuous monitoring program that includes a configuration management process for the information system constituent components. |
|
|
|
|
|
|
|
| CCI-000277 |
The organization implements a continuous monitoring program that includes a determination of the security impact of changes to the information system. |
|
|
|
|
|
|
|
| CCI-000278 |
The organization implements a continuous monitoring program that includes a determination of the security impact of changes to the environment of operation. |
|
|
|
|
|
|
|
| CCI-000279 |
The organization implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy. |
Future DoD-wide CM guidance to be published |
Future DoD-wide CM guidance to be published |
Continuous Monitoring |
CA-7 |
CA-7.5 |
Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4. |
The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. Establishment of [Assignment: organization-defined metrics] to be monitored;
b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
e. Correlation and analysis of security-related information generated by assessments and monitoring;
f. Response actions to address results of the analysis of security-related information; and
g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. |
| CCI-000280 |
The organization implements a continuous monitoring program that includes reporting the security status of the organization and the information system to organization-defined personnel or roles on an organization-defined frequency. |
Future DoD-wide CM guidance to be published |
Future DoD-wide CM guidance to be published |
Continuous Monitoring |
CA-7 |
CA-7.9 |
Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4. |
The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. Establishment of [Assignment: organization-defined metrics] to be monitored;
b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
e. Correlation and analysis of security-related information generated by assessments and monitoring;
f. Response actions to address results of the analysis of security-related information; and
g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. |
| CCI-000281 |
The organization defines the frequency with which to report the security status of the organization and the information system to organization-defined personnel or roles. |
Future DoD-wide CM guidance to be published |
Future DoD-wide CM guidance to be published |
Continuous Monitoring |
CA-7 |
CA-7.10 |
Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4. |
The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. Establishment of [Assignment: organization-defined metrics] to be monitored;
b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
e. Correlation and analysis of security-related information generated by assessments and monitoring;
f. Response actions to address results of the analysis of security-related information; and
g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. |
| CCI-000282 |
The organization employs assessors or assessment teams with an organization-defined level of independence to monitor the security controls in the information system on an ongoing basis. |
Future DoD-wide CM guidance to be published |
Future DoD-wide CM guidance to be published |
Continuous Monitoring | Independent Assessment |
CA-7 (1) |
CA-7(1).1 |
Organizations can maximize the value of assessments of security controls during the continuous monitoring process by requiring that such assessments be conducted by assessors or assessment teams with appropriate levels of independence based on continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in advocacy positions for the organizations acquiring their services. |
The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to monitor the security controls in the information system on an ongoing basis. |
| CCI-000283 |
The organization plans announced or unannounced assessments (in-depth monitoring, malicious user testing, penetration testing, red team exercises, or other organization-defined forms of security assessment), on an organization-defined frequency, to ensure compliance with all vulnerability mitigation procedures. |
|
|
|
|
|
|
|
| CCI-000284 |
The organization schedules announced or unannounced assessments (in-depth monitoring, malicious user testing, penetration testing, red team exercises, or other organization-defined forms of security assessment), on an organization-defined frequency, to ensure compliance with all vulnerability mitigation procedures. |
|
|
|
|
|
|
|
| CCI-000285 |
The organization conducts announced or unannounced assessments (in-depth monitoring, malicious user testing, penetration testing, red team exercises, or other organization-defined forms of security assessment), on an organization-defined frequency, to ensure compliance with all vulnerability mitigation procedures. |
|
|
|
|
|
|
|
| CCI-001681 |
The organization defines the frequency at which each form of security control assessment should be conducted. |
|
|
|
|
|
|
|
| CCI-001584 |
The organization defines the frequency with which to review and update configuration management procedures. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as annually. |
DoD has defined the frequency as annually. |
Configuration Management Policy And Procedures |
CM-1 |
CM-1.10 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and
b. Reviews and updates the current:
1. Configuration management policy [Assignment: organization-defined frequency]; and
2. Configuration management procedures [Assignment: organization-defined frequency]. |
| CCI-000286 |
The organization defines a frequency with which to review and update the configuration management policies. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as annually. |
DoD has defined the frequency as annually. |
Configuration Management Policy And Procedures |
CM-1 |
CM-1.7 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and
b. Reviews and updates the current:
1. Configuration management policy [Assignment: organization-defined frequency]; and
2. Configuration management procedures [Assignment: organization-defined frequency]. |
| CCI-000287 |
The organization develops and documents a configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
The organization conducting the inspection/assessment obtains and examines the configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
The organization being inspected/assessed develops and documents a configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
Configuration Management Policy And Procedures |
CM-1 |
CM-1.3 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and
b. Reviews and updates the current:
1. Configuration management policy [Assignment: organization-defined frequency]; and
2. Configuration management procedures [Assignment: organization-defined frequency]. |
| CCI-000288 |
The organization disseminates formal, documented configuration management policy to elements within the organization having associated configuration management roles and responsibilities. |
|
|
|
|
|
|
|
| CCI-000289 |
The organization reviews and updates, on an organization-defined frequency, the configuration management policy. |
The organization conducting the inspection/assessment obtains and examines documentation of occurrence of reviews and update actions for the configuration management policy to ensure annual review and necessary updates are occurring.
DoD has defined the frequency as annually. |
The organization being inspected/assessed reviews and updates, annually, the configuration management policy.
The organization must document each occurrence of the reviews and update actions as an audit trail.
DoD has defined the frequency as annually. |
Configuration Management Policy And Procedures |
CM-1 |
CM-1.8 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and
b. Reviews and updates the current:
1. Configuration management policy [Assignment: organization-defined frequency]; and
2. Configuration management procedures [Assignment: organization-defined frequency]. |
| CCI-000290 |
The organization develops and documents procedures to facilitate the implementation of the configuration management policy and associated configuration management controls. |
The organization conducting the inspection/assessment obtains and examines the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls. |
The organization being inspected/assessed develops and documents procedures to facilitate the implementation of the configuration management policy and associated configuration management controls. |
Configuration Management Policy And Procedures |
CM-1 |
CM-1.5 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and
b. Reviews and updates the current:
1. Configuration management policy [Assignment: organization-defined frequency]; and
2. Configuration management procedures [Assignment: organization-defined frequency]. |
| CCI-000291 |
The organization disseminates formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls. |
|
|
|
|
|
|
|
| CCI-000292 |
The organization reviews and updates, on an organization-defined frequency, the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls. |
The organization conducting the inspection/assessment obtains and examines documentation of occurrence of reviews and update actions for the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls to ensure annual review and necessary updates are occurring.
DoD has defined the frequency as annually. |
The organization being inspected/assessed reviews and updates, annually, the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.
The organization must document each occurrence of the reviews and update actions as an audit trail.
DoD has defined the frequency as annually. |
Configuration Management Policy And Procedures |
CM-1 |
CM-1.9 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and
b. Reviews and updates the current:
1. Configuration management policy [Assignment: organization-defined frequency]; and
2. Configuration management procedures [Assignment: organization-defined frequency]. |
| CCI-001585 |
The organization defines the circumstances that require reviews and updates to the baseline configuration of the information system. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the circumstances as baseline configuration changes or as events dictate such as changes due to USCYBERCOM tactical orders/ directives or cyber attacks. |
DoD has defined the circumstances as baseline configuration changes or as events dictate such as changes due to USCYBERCOM tactical orders/ directives or cyber attacks. |
Baseline Configuration | Reviews And Updates |
CM-2 (1) |
CM-2(1).4 |
Related control: CM-5. |
The organization reviews and updates the baseline configuration of the information system:
(a) [Assignment: organization-defined frequency];
(b) When required due to [Assignment organization-defined circumstances]; and
(c) As an integral part of information system component installations and upgrades. |
| CCI-000293 |
The organization develops a current baseline configuration of the information system. |
The organization conducting the inspection/assessment obtains and examines
the documented baseline configuration. |
The organization being inspected/assessed develops and documents a current baseline configuration of the information system. |
Baseline Configuration |
CM-2 |
CM-2.1 |
This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture. Related controls: CM-3, CM-6, CM-8, CM-9, SA-10, PM-5, PM-7. |
The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. |
| CCI-000294 |
The organization documents a baseline configuration of the information system. |
|
|
|
|
|
|
|
| CCI-000295 |
The organization maintains, under configuration control, a current baseline configuration of the information system. |
The organization conducting the inspection/assessment obtains and examines the current baseline to ensure the current configuration matches the current documented baseline. |
The organization being inspected/assessed maintains a current baseline configuration of the information system. |
Baseline Configuration |
CM-2 |
CM-2.2 |
This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture. Related controls: CM-3, CM-6, CM-8, CM-9, SA-10, PM-5, PM-7. |
The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. |
| CCI-000296 |
The organization reviews and updates the baseline configuration of the information system at an organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines documentation of organizational reviews and update actions for the baseline configuration to ensure annual review and necessary updates are occurring.
DoD has defined the frequency as annually. |
The organization being inspected/assessed reviews and updates the baseline configuration of the information system annually.
The organization must document each occurrence of the reviews and update actions as an audit trail.
DoD has defined the frequency as annually. |
Baseline Configuration | Reviews And Updates |
CM-2 (1) |
CM-2(1).1 |
Related control: CM-5. |
The organization reviews and updates the baseline configuration of the information system:
(a) [Assignment: organization-defined frequency];
(b) When required due to [Assignment organization-defined circumstances]; and
(c) As an integral part of information system component installations and upgrades. |
| CCI-000297 |
The organization reviews and updates the baseline configuration of the information system when required due to organization-defined circumstances. |
The organization conducting the inspection/assessment obtains and examines documentation of organizational reviews and update actions for the baseline configuration of the information system when required due to baseline configuration changes or as events dictate such as changes due to USCYBERCOM tactical orders/ directives or cyber attacks to ensure review and necessary updates are occurring.
DoD has defined the circumstances as baseline configuration changes or as events dictate such as changes due to USCYBERCOM tactical orders/ directives or cyber attacks. |
The organization being inspected/assessed reviews and updates the baseline configuration of the information system when required due to baseline configuration changes or as events dictate such as changes due to USCYBERCOM tactical orders/ directives or cyber attacks.
The organization must document each occurrence of the reviews and update actions as an audit trail.
DoD has defined the circumstances as baseline configuration changes or as events dictate such as changes due to USCYBERCOM tactical orders/ directives or cyber attacks. |
Baseline Configuration | Reviews And Updates |
CM-2 (1) |
CM-2(1).3 |
Related control: CM-5. |
The organization reviews and updates the baseline configuration of the information system:
(a) [Assignment: organization-defined frequency];
(b) When required due to [Assignment organization-defined circumstances]; and
(c) As an integral part of information system component installations and upgrades. |
| CCI-000298 |
The organization reviews and updates the baseline configuration of the information system as an integral part of information system component installations. |
The organization conducting the inspection/assessment obtains and examines documentation of organizational reviews and update actions for the baseline configuration of the information system as an integral part of information system component installations to ensure review and necessary updates are occurring. |
The organization being inspected/assessed reviews and updates the baseline configuration of the information system as an integral part of information system component installations.
The organization must document each occurrence of the reviews and update actions as an audit trail. |
Baseline Configuration | Reviews And Updates |
CM-2 (1) |
CM-2(1).5 |
Related control: CM-5. |
The organization reviews and updates the baseline configuration of the information system:
(a) [Assignment: organization-defined frequency];
(b) When required due to [Assignment organization-defined circumstances]; and
(c) As an integral part of information system component installations and upgrades. |
| CCI-000299 |
The organization reviews and updates the baseline configuration of the information system as an integral part of information system component upgrades. |
The organization conducting the inspection/assessment obtains and examines documentation of organizational reviews and update actions for the baseline configuration of the information system as an integral part of information system component upgrades to ensure review and necessary updates are occurring. |
The organization being inspected/assessed reviews and updates the baseline configuration of the information system as an integral part of information system component upgrades.
The organization must document each occurrence of the reviews and update actions as an audit trail. |
Baseline Configuration | Reviews And Updates |
CM-2 (1) |
CM-2(1).6 |
Related control: CM-5. |
The organization reviews and updates the baseline configuration of the information system:
(a) [Assignment: organization-defined frequency];
(b) When required due to [Assignment organization-defined circumstances]; and
(c) As an integral part of information system component installations and upgrades. |
| CCI-000300 |
The organization employs automated mechanisms to maintain a complete baseline configuration of the information system. |
The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms used to maintain complete baseline configuration of the information system.
The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. |
The organization being inspected/assessed identifies, documents, and implements automated mechanisms used to maintain complete baseline configuration of the information system. |
Baseline Configuration | Automation Support For Accuracy / Currency |
CM-2 (2) |
CM-2(2).1 |
Automated mechanisms that help organizations maintain consistent baseline configurations for information systems include, for example, hardware and software inventory tools, configuration management tools, and network management tools. Such tools can be deployed and/or allocated as common controls, at the information system level, or at the operating system or component level (e.g., on workstations, servers, notebook computers, network components, or mobile devices). Tools can be used, for example, to track version numbers on operating system applications, types of software installed, and current patch levels. This control enhancement can be satisfied by the implementation of CM-8 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related controls: CM-7, RA-5. |
The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system. |
| CCI-000301 |
The organization employs automated mechanisms to maintain an up-to-date baseline configuration of the information system. |
The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms used to maintain an up-to-date baseline configuration of the information system.
The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. |
The organization being inspected/assessed identifies, documents, and implements automated mechanisms used to maintain an up-to-date baseline configuration of the information system. |
Baseline Configuration | Automation Support For Accuracy / Currency |
CM-2 (2) |
CM-2(2).2 |
Automated mechanisms that help organizations maintain consistent baseline configurations for information systems include, for example, hardware and software inventory tools, configuration management tools, and network management tools. Such tools can be deployed and/or allocated as common controls, at the information system level, or at the operating system or component level (e.g., on workstations, servers, notebook computers, network components, or mobile devices). Tools can be used, for example, to track version numbers on operating system applications, types of software installed, and current patch levels. This control enhancement can be satisfied by the implementation of CM-8 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related controls: CM-7, RA-5. |
The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system. |
| CCI-000302 |
The organization employs automated mechanisms to maintain an accurate baseline configuration of the information system. |
The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms used to maintain accurate baseline configuration of the information system.
The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. |
The organization being inspected/assessed identifies, documents, and implements automated mechanisms used to maintain accurate baseline configuration of the information system. |
Baseline Configuration | Automation Support For Accuracy / Currency |
CM-2 (2) |
CM-2(2).3 |
Automated mechanisms that help organizations maintain consistent baseline configurations for information systems include, for example, hardware and software inventory tools, configuration management tools, and network management tools. Such tools can be deployed and/or allocated as common controls, at the information system level, or at the operating system or component level (e.g., on workstations, servers, notebook computers, network components, or mobile devices). Tools can be used, for example, to track version numbers on operating system applications, types of software installed, and current patch levels. This control enhancement can be satisfied by the implementation of CM-8 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related controls: CM-7, RA-5. |
The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system. |
| CCI-000303 |
The organization employs automated mechanisms to maintain a readily available baseline configuration of the information system. |
The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms used to maintain readily available baseline configuration of the information system.
The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. |
The organization being inspected/assessed identifies, documents, and implements automated mechanisms used to maintain readily available baseline configuration of the information system. |
Baseline Configuration | Automation Support For Accuracy / Currency |
CM-2 (2) |
CM-2(2).4 |
Automated mechanisms that help organizations maintain consistent baseline configurations for information systems include, for example, hardware and software inventory tools, configuration management tools, and network management tools. Such tools can be deployed and/or allocated as common controls, at the information system level, or at the operating system or component level (e.g., on workstations, servers, notebook computers, network components, or mobile devices). Tools can be used, for example, to track version numbers on operating system applications, types of software installed, and current patch levels. This control enhancement can be satisfied by the implementation of CM-8 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related controls: CM-7, RA-5. |
The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system. |
| CCI-000304 |
The organization retains organization-defined previous versions of baseline configurations of the information system to support rollback. |
The organization conducting the inspection/assessment obtains and examines the documentation of the previous version of the baseline configuration to determine if all IS components necessary for rollback are retained.
DoD has defined the previous versions as the previous approved baseline configuration of IS components for a minimum of 3 months. |
The organization being inspected/assessed retains the previous approved baseline configuration of IS components for a minimum of 3 months and documents baseline configuration to support rollback. The goal is to verify that the IS can roll back components to previous versions.
DoD has defined the previous versions as the previous approved baseline configuration of IS components for a minimum of 3 months. |
Baseline Configuration | Retention Of Previous Configurations |
CM-2 (3) |
CM-2(3).1 |
Retaining previous versions of baseline configurations to support rollback may include, for example, hardware, software, firmware, configuration files, and configuration records. |
The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback. |
| CCI-000305 |
The organization develops a list of software programs not authorized to execute on the information system. |
|
|
|
|
|
|
|
| CCI-000306 |
The organization maintains the list of software programs not authorized to execute on the information system. |
|
|
|
|
|
|
|
| CCI-000307 |
The organization employs an allow-all, deny-by-exception authorization policy to identify software allowed to execute on the information system. |
|
|
|
|
|
|
|
| CCI-000308 |
The organization develops the list of software programs authorized to execute on the information system. |
|
|
|
|
|
|
|
| CCI-000309 |
The organization maintains the list of software programs authorized to execute on the information system. |
|
|
|
|
|
|
|
| CCI-000310 |
The organization employs a deny-all, permit-by-exception authorization policy to identify software allowed to execute on the information system. |
|
|
|
|
|
|
|
| CCI-000311 |
The organization maintains a baseline configuration for information system development environments that is managed separately from the operational baseline configuration. |
The organization conducting the inspection/assessment obtains and examines development environment baseline configuration documentation and ensures the organization is maintaining and managing a baseline configuration for the development environment separate from the operational baseline configuration. |
The organization being inspected/assessed establishes and maintains a development environment baseline configuration managed separately from the operational baseline configuration. |
Baseline Configuration | Development And Test Environments |
CM-2 (6) |
CM-2(6).1 |
Establishing separate baseline configurations for development, testing, and operational environments helps protect information systems from unplanned/unexpected events related to development and testing activities. Separate baseline configurations allow organizations to apply the configuration management that is most appropriate for each type of configuration. For example, management of operational configurations typically emphasizes the need for stability, while management of development/test configurations requires greater flexibility. Configurations in the test environment mirror the configurations in the operational environment to the extent practicable so that the results of the testing are representative of the proposed changes to the operational systems. This control enhancement requires separate configurations but not necessarily separate physical environments. Related controls: CM-4, SC-3, SC-7. |
The organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration. |
| CCI-000312 |
The organization maintains a baseline configuration for information system test environments that is managed separately from the operational baseline configuration. |
The organization conducting the inspection/assessment obtains and examines test environment baseline configuration documentation and ensures the organization is maintaining and managing a baseline configuration for the test environment separate from the operational baseline configuration. |
The organization being inspected/assessed establishes and maintains a test environment baseline configuration managed separately from the operational baseline configuration. |
Baseline Configuration | Development And Test Environments |
CM-2 (6) |
CM-2(6).2 |
Establishing separate baseline configurations for development, testing, and operational environments helps protect information systems from unplanned/unexpected events related to development and testing activities. Separate baseline configurations allow organizations to apply the configuration management that is most appropriate for each type of configuration. For example, management of operational configurations typically emphasizes the need for stability, while management of development/test configurations requires greater flexibility. Configurations in the test environment mirror the configurations in the operational environment to the extent practicable so that the results of the testing are representative of the proposed changes to the operational systems. This control enhancement requires separate configurations but not necessarily separate physical environments. Related controls: CM-4, SC-3, SC-7. |
The organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration. |
| CCI-001497 |
The organization defines a frequency for the reviews and updates to the baseline configuration of the information system. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as annually. |
DoD has defined the frequency as annually. |
Baseline Configuration | Reviews And Updates |
CM-2 (1) |
CM-2(1).2 |
Related control: CM-5. |
The organization reviews and updates the baseline configuration of the information system:
(a) [Assignment: organization-defined frequency];
(b) When required due to [Assignment organization-defined circumstances]; and
(c) As an integral part of information system component installations and upgrades. |
| CCI-001586 |
The organization defines the configuration change control element (e.g., committee, board) responsible for coordinating and providing oversight for configuration change control activities. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the configuration change control element as a configuration control board (CCB). |
DoD has defined the configuration change control element as a configuration control board (CCB). |
Configuration Change Control |
CM-3 |
CM-3.12 |
Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12. |
The organization:
a. Determines the types of changes to the information system that are configuration-controlled;
b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
c. Documents configuration change decisions associated with the information system;
d. Implements approved configuration-controlled changes to the information system;
e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
f. Audits and reviews activities associated with configuration-controlled changes to the information system; and
g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]]. |
| CCI-000313 |
The organization determines the types of changes to the information system that are configuration controlled. |
The organization conducting the inspection/assessment obtains and examines the configuration management policy and plan to ensure the organization identifies the types of changes to the information system that are configuration controlled. |
The organization being inspected/assessed determines the types of changes to the information system that are to be configuration controlled.
This action will be implemented by the CCB as defined in CM-3, CCI 1586. |
Configuration Change Control |
CM-3 |
CM-3.1 |
Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12. |
The organization:
a. Determines the types of changes to the information system that are configuration-controlled;
b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
c. Documents configuration change decisions associated with the information system;
d. Implements approved configuration-controlled changes to the information system;
e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
f. Audits and reviews activities associated with configuration-controlled changes to the information system; and
g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]]. |
| CCI-000314 |
The organization approves or disapproves configuration-controlled changes to the information system, with explicit consideration for security impact analysis. |
The organization conducting the inspection/assessment obtains and examines the audit trail of the approval/disapproval of configuration controlled changes to ensure a security impact analysis was conducted. |
The organization being inspected/assessed approves or disapproves configuration controlled changes to the information system with explicit consideration for security impact analysis.
The organization must maintain an audit trail of approval/disapproval of configuration
controlled changes.
This action will be implemented by the CCB as defined in CM-3, CCI 1586. |
Configuration Change Control |
CM-3 |
CM-3.2 |
Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12. |
The organization:
a. Determines the types of changes to the information system that are configuration-controlled;
b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
c. Documents configuration change decisions associated with the information system;
d. Implements approved configuration-controlled changes to the information system;
e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
f. Audits and reviews activities associated with configuration-controlled changes to the information system; and
g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]]. |
| CCI-000315 |
The organization documents approved configuration-controlled changes to the system. |
|
|
|
|
|
|
|
| CCI-000316 |
The organization retains records of configuration-controlled changes to the information system for an organization-defined time period. |
The organization conducting the inspection/assessment obtains and examines the records of all configuration-controlled changes to the information system to ensure the organization being inspected/assessed retains the records of all configuration controlled changes for a time period defined by the organization's CCB.
DoD has defined the time period as a time period defined by the organization's CCB. |
The organization being inspected/assessed retains records of all configuration-controlled changes to the information system, as a result of CM-3, CCI 1819, for a time period defined by the organization's CCB.
DoD has defined the time period as a time period defined by the organization's CCB. |
Configuration Change Control |
CM-3 |
CM-3.6 |
Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12. |
The organization:
a. Determines the types of changes to the information system that are configuration-controlled;
b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
c. Documents configuration change decisions associated with the information system;
d. Implements approved configuration-controlled changes to the information system;
e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
f. Audits and reviews activities associated with configuration-controlled changes to the information system; and
g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]]. |
| CCI-000317 |
The organization reviews records of configuration-controlled changes to the system. |
|
|
|
|
|
|
|
| CCI-000318 |
The organization audits and reviews activities associated with configuration-controlled changes to the system. |
The organization conducting the inspection/assessment obtains and examines the audit trail documenting the review activities associated with configuration-controlled changes to the information system to ensure the organization being inspected/assessed audits and reviews activities associated with the changes. |
The organization being inspected/assessed audits and reviews activities associated with configuration-controlled changes to the information system.
The organization must maintain an audit trail to include review activities associated with configuration-controlled changes. |
Configuration Change Control |
CM-3 |
CM-3.8 |
Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12. |
The organization:
a. Determines the types of changes to the information system that are configuration-controlled;
b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
c. Documents configuration change decisions associated with the information system;
d. Implements approved configuration-controlled changes to the information system;
e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
f. Audits and reviews activities associated with configuration-controlled changes to the information system; and
g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]]. |
| CCI-000319 |
The organization coordinates and provides oversight for configuration change control activities through an organization-defined configuration change control element (e.g., committee, board) that convenes at the organization-defined frequency and/or for any organization-defined configuration change conditions. |
The organization conducting the inspection/assessment obtains and examines the organization's configuration management policy and plan; document/charter establishing the organization's CCB; meeting minutes; information system change control records; and any other relevant documents or records. The objective of the review is to validate the organization is coordinating and overseeing the configuration change control activities through a CCB. |
The organization being inspected/assessed coordinates and provides oversight for configuration change control activities through a configuration control board (CCB) that convenes at a frequency determined by the CCB and/or for any configuration change conditions determined by the CCB.
DoD has defined the configuration change control element as a configuration control board.
DoD has defined the frequency as at a frequency determined by the CCB.
DoD has defined the configuration change conditions as configuration change conditions determined by the CCB. |
Configuration Change Control |
CM-3 |
CM-3.9 |
Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12. |
The organization:
a. Determines the types of changes to the information system that are configuration-controlled;
b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
c. Documents configuration change decisions associated with the information system;
d. Implements approved configuration-controlled changes to the information system;
e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
f. Audits and reviews activities associated with configuration-controlled changes to the information system; and
g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]]. |
| CCI-000320 |
The organization defines the frequency with which to convene the configuration change control element. |
The organization conducting the inspection/assessment obtains and examines the CCB Charter to ensure the frequency for configuration change control review is defined.
DoD has defined the frequency as at a frequency determined by the CCB. |
The organization being inspected/assessed defines within their CCB Charter, the frequency for configuration change control review.
DoD has defined the frequency as at a frequency determined by the CCB. |
Configuration Change Control |
CM-3 |
CM-3.10 |
Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12. |
The organization:
a. Determines the types of changes to the information system that are configuration-controlled;
b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
c. Documents configuration change decisions associated with the information system;
d. Implements approved configuration-controlled changes to the information system;
e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
f. Audits and reviews activities associated with configuration-controlled changes to the information system; and
g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]]. |
| CCI-000321 |
The organization defines configuration change conditions that prompt the configuration change control element to convene. |
The organization conducting the inspection/assessment obtains and examines the CCB Charter to ensure the configuration change conditions that prompt the configuration change control element to convene are defined.
DoD has defined the configuration change conditions as configuration change conditions determined by the CCB. |
The organization being inspected/assessed defines within their CCB Charter, the configuration change conditions that prompt the configuration change control element to convene.
DoD has defined the configuration change conditions as configuration change conditions determined by the CCB. |
Configuration Change Control |
CM-3 |
CM-3.11 |
Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12. |
The organization:
a. Determines the types of changes to the information system that are configuration-controlled;
b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
c. Documents configuration change decisions associated with the information system;
d. Implements approved configuration-controlled changes to the information system;
e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
f. Audits and reviews activities associated with configuration-controlled changes to the information system; and
g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]]. |
| CCI-000322 |
The organization employs automated mechanisms to document proposed changes to the information system. |
The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms to ensure that the identified system documents proposed changes.
The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. |
The organization being inspected/assessed documents and employs the automated mechanisms (e.g., Remedy, ticketing mechanism, etc.) to document proposed changes to the information system. |
Configuration Change Control | Automated Document / Notification / Prohibition Of Changes |
CM-3 (1) |
CM-3(1).1 |
|
The organization employs automated mechanisms to:
(a) Document proposed changes to the information system;
(b) Notify [Assignment: organized-defined approval authorities] of proposed changes to the information system and request change approval;
(c) Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period];
(d) Prohibit changes to the information system until designated approvals are received;
(e) Document all changes to the information system; and
(f) Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed. |
| CCI-000323 |
The organization employs automated mechanisms to notify organization-defined approval authorities of proposed changes to the information system and request change approval. |
The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms to ensure that the identified system notifies designated approval authorities of proposed changes to the information system and request change approval.
The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. |
The organization being inspected/assessed documents and employs the automated mechanisms (e.g., Remedy, ticketing mechanism, etc.) to notify designated approval authorities of proposed changes to the information system and request change approval. |
Configuration Change Control | Automated Document / Notification / Prohibition Of Changes |
CM-3 (1) |
CM-3(1).2 |
|
The organization employs automated mechanisms to:
(a) Document proposed changes to the information system;
(b) Notify [Assignment: organized-defined approval authorities] of proposed changes to the information system and request change approval;
(c) Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period];
(d) Prohibit changes to the information system until designated approvals are received;
(e) Document all changes to the information system; and
(f) Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed. |
| CCI-000324 |
The organization employs automated mechanisms to highlight proposed changes to the information system that have not been approved or disapproved by an organization-defined time period. |
The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms to ensure that the identified system highlights proposed changes to the information system that have not been approved or disapproved by 7 days.
The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms.
DoD has defined the time period as 7 days. |
The organization being inspected/assessed documents and employs the automated mechanisms (e.g., Remedy, ticketing mechanism, etc.) to highlight proposed changes to the information system that have not been approved or disapproved by 7 days.
DoD has defined the time period as 7 days. |
Configuration Change Control | Automated Document / Notification / Prohibition Of Changes |
CM-3 (1) |
CM-3(1).4 |
|
The organization employs automated mechanisms to:
(a) Document proposed changes to the information system;
(b) Notify [Assignment: organized-defined approval authorities] of proposed changes to the information system and request change approval;
(c) Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period];
(d) Prohibit changes to the information system until designated approvals are received;
(e) Document all changes to the information system; and
(f) Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed. |
| CCI-000325 |
The organization employs automated mechanisms to prohibit changes to the information system until designated approvals are received. |
The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms to ensure that the identified system prohibits changes.
The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. |
The organization being inspected/assessed documents and employs the automated mechanisms to prohibit changes to the information system until designated approvals are received. |
Configuration Change Control | Automated Document / Notification / Prohibition Of Changes |
CM-3 (1) |
CM-3(1).6 |
|
The organization employs automated mechanisms to:
(a) Document proposed changes to the information system;
(b) Notify [Assignment: organized-defined approval authorities] of proposed changes to the information system and request change approval;
(c) Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period];
(d) Prohibit changes to the information system until designated approvals are received;
(e) Document all changes to the information system; and
(f) Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed. |
| CCI-000326 |
The organization employs automated mechanisms to document all changes to the information system. |
The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms to ensure that the identified system documents all changes.
The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. |
The organization being inspected/assessed documents and employs the automated mechanisms (e.g., Remedy, ticketing mechanism, etc.) to document all changes to the information system. |
Configuration Change Control | Automated Document / Notification / Prohibition Of Changes |
CM-3 (1) |
CM-3(1).7 |
|
The organization employs automated mechanisms to:
(a) Document proposed changes to the information system;
(b) Notify [Assignment: organized-defined approval authorities] of proposed changes to the information system and request change approval;
(c) Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period];
(d) Prohibit changes to the information system until designated approvals are received;
(e) Document all changes to the information system; and
(f) Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed. |
| CCI-000327 |
The organization tests changes to the information system before implementing the changes on the operational system. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of testing activity to ensure the organization being inspected/assessed tests changes to the information system before implementing the changes on the operational system. |
The organization being inspected/assessed documents and implements a process to test changes to the information system before implementing the changes on the operational system.
The organization must maintain an audit trail of testing activity. |
Configuration Change Control | Test / Validate / Document Changes |
CM-3 (2) |
CM-3(2).1 |
Changes to information systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6. Organizations ensure that testing does not interfere with information system operations. Individuals/groups conducting tests understand organizational security policies and procedures, information system security policies and procedures, and the specific health, safety, and environmental risks associated with particular facilities/processes. Operational systems may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If information systems must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. If testing cannot be conducted on operational systems, organizations employ compensating controls (e.g., testing on replicated systems). |
The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system. |
| CCI-000328 |
The organization validates changes to the information system before implementing the changes on the operational system. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of validation activity to ensure the organization being inspected/assessed validates changes to the information system before implementing the changes on the operational system. |
The organization being inspected/assessed documents and implements a process to validate changes to the information system before implementing the changes on the operational system.
The organization must maintain an audit trail of validation activity. |
Configuration Change Control | Test / Validate / Document Changes |
CM-3 (2) |
CM-3(2).2 |
Changes to information systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6. Organizations ensure that testing does not interfere with information system operations. Individuals/groups conducting tests understand organizational security policies and procedures, information system security policies and procedures, and the specific health, safety, and environmental risks associated with particular facilities/processes. Operational systems may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If information systems must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. If testing cannot be conducted on operational systems, organizations employ compensating controls (e.g., testing on replicated systems). |
The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system. |
| CCI-000329 |
The organization documents changes to the information system before implementing the changes on the operational system. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as documentation of changes to the information system to ensure the organization has established, published, and is complying with the requirement to document all changes to be made to its operational information system(s) prior to their implementation. |
The organization being inspected/assessed documents and implements a process to document changes to the information system before implementing the changes on the operational system. |
Configuration Change Control | Test / Validate / Document Changes |
CM-3 (2) |
CM-3(2).3 |
Changes to information systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6. Organizations ensure that testing does not interfere with information system operations. Individuals/groups conducting tests understand organizational security policies and procedures, information system security policies and procedures, and the specific health, safety, and environmental risks associated with particular facilities/processes. Operational systems may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If information systems must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. If testing cannot be conducted on operational systems, organizations employ compensating controls (e.g., testing on replicated systems). |
The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system. |
| CCI-000330 |
The organization employs automated mechanisms to implement changes to the current information system baseline. |
The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms to ensure that the identified system implements changes to the current information system baseline.
The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. |
The organization being inspected/assessed documents and employs the automated mechanisms (e.g., software deployment tools) to implement changes to the current information system baseline. |
Configuration Change Control | Automated Change Implementation |
CM-3 (3) |
CM-3(3).1 |
|
The organization employs automated mechanisms to implement changes to the current information system baseline and deploys the updated baseline across the installed base. |
| CCI-000331 |
The organization deploys the updated information system baseline across the installed base. |
The organization conducting the inspection/assessment obtains and examines the documented deployment procedures and a sampling of the audit trail of automated baseline deployments to ensure the organization being inspected/assessed is deploying the updated information system baseline across the installed base. |
The organization being inspected/assessed documents and employs procedures for deploying the updated information system baseline across the installed base.
The information system must maintain an audit trail of automated baseline deployments. |
Configuration Change Control | Automated Change Implementation |
CM-3 (3) |
CM-3(3).2 |
|
The organization employs automated mechanisms to implement changes to the current information system baseline and deploys the updated baseline across the installed base. |
| CCI-000332 |
The organization requires an information security representative to be a member of the organization-defined configuration change control element. |
The organization conducting the inspection/assessment obtains and examines the membership list of the organization's configuration control board to ensure an information security representative is a member of the organization's configuration control board. |
The organization being inspected/assessed requires an information security representative to be a member of the configuration control board.
DoD has defined the configuration change control element as the configuration control board. |
Configuration Change Control | Security Representative |
CM-3 (4) |
CM-3(4).1 |
Information security representatives can include, for example, senior agency information security officers, information system security officers, or information system security managers. Representation by personnel with information security expertise is important because changes to information system configurations can have unintended side effects, some of which may be security-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security state of organizational information systems. The configuration change control element in this control enhancement reflects the change control elements defined by organizations in CM-3. |
The organization requires an information security representative to be a member of the [Assignment: organization-defined configuration change control element]. |
| CCI-001498 |
The organization defines a time period after which proposed changes to the information system that have not been approved or disapproved are highlighted. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as 7 days. |
DoD has defined the time period as 7 days. |
Configuration Change Control | Automated Document / Notification / Prohibition Of Changes |
CM-3 (1) |
CM-3(1).5 |
|
The organization employs automated mechanisms to:
(a) Document proposed changes to the information system;
(b) Notify [Assignment: organized-defined approval authorities] of proposed changes to the information system and request change approval;
(c) Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period];
(d) Prohibit changes to the information system until designated approvals are received;
(e) Document all changes to the information system; and
(f) Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed. |
| CCI-001587 |
The organization, when analyzing new software in a separate test environment, looks for security impacts due to flaws, weaknesses, incompatibility, or intentional malice. |
|
|
|
|
|
|
|
| CCI-000333 |
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation. |
The organization conducting the inspection/assessment obtains and examines the records of analyses to ensure the organization is conducting a security impact analysis of changes to the information system(s) prior to their implementation. |
The organization being inspected/assessed analyzes changes to the information system to determine potential security impacts prior to change implementation.
The organization must maintain records of analysis of changes to the information system. |
Security Impact Analysis |
CM-4 |
CM-4.1 |
Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills/technical expertise to analyze the changes to information systems and the associated security ramifications. Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Security impact analyses are scaled in accordance with the security categories of the information systems. Related controls: CA-2, CA-7, CM-3, CM-9, SA-4, SA-5, SA-10, SI-2. |
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation. |
| CCI-000334 |
The organization analyzes new software in a separate test environment before installation in an operational environment. |
|
|
|
|
|
|
|
| CCI-000335 |
The organization, after the information system is changed, checks the security functions to verify the functions are implemented correctly. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of the verification of security functions to ensure the organization being inspected/assessed verifies in an operational environment, following changes to the information system, the security functions are implemented correctly. |
The organization being inspected/assessed documents and implements a process to verify in an operational environment, following changes to the information system, the security functions are implemented correctly.
The organization must maintain an audit trail of the verification of security functions. |
Security Impact Analysis | Verification Of Security Functions |
CM-4 (2) |
CM-4(2).1 |
Implementation is this context refers to installing changed code in the operational information system. Related control: SA-11. |
The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the system. |
| CCI-000336 |
The organization, after the information system is changed, checks the security functions to verify the functions are operating as intended. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of the verification of security functions to ensure the organization being inspected/assessed verifies in an operational environment, following changes to the information system, the security functions are operating as intended. |
The organization being inspected/assessed documents and implements a process to verify in an operational environment, following changes to the information system, the security functions are operating as intended.
The organization must maintain an audit trail of the verification of security functions. |
Security Impact Analysis | Verification Of Security Functions |
CM-4 (2) |
CM-4(2).2 |
Implementation is this context refers to installing changed code in the operational information system. Related control: SA-11. |
The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the system. |
| CCI-000337 |
The organization, after the information system is changed, checks the security functions to verify the functions are producing the desired outcome with regard to meeting the security requirements for the system. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of the verification of security functions to ensure the organization being inspected/assessed verifies in an operational environment, following changes to the information system, the security functions are producing the desired outcome with regard to meeting the security requirements for the system. |
The organization being inspected/assessed documents and implements a process to verify in an operational environment, following changes to the information system, the security functions are producing the desired outcome with regard to meeting the security requirements for the system.
The organization must maintain an audit trail of the verification of security functions. |
Security Impact Analysis | Verification Of Security Functions |
CM-4 (2) |
CM-4(2).3 |
Implementation is this context refers to installing changed code in the operational information system. Related control: SA-11. |
The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the system. |
| CCI-001588 |
The organization-defined security configuration checklists reflect the most restrictive mode consistent with operational requirements. |
DoD security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.) meet the DoD requirement for ensuring security configuration checklists reflect the most restrictive mode consistent with operational requirements.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.). |
DoD security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.) meet the DoD requirement for ensuring security configuration checklists reflect the most restrictive mode consistent with operational requirements.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.). |
Configuration Settings |
CM-6 |
CM-6.4 |
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline.
Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. |
The organization:
a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
b. Implements the configuration settings;
c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization - defined information system components] based on [Assignment: organization-defined operational requirements]; and
d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. |
| CCI-001589 |
The organization incorporates detection of unauthorized, security-relevant configuration changes into the organization’s incident response capability to ensure they are tracked. |
|
|
|
|
|
|
|
| CCI-000363 |
The organization defines security configuration checklists to be used to establish and document configuration settings for the information system technology products employed. |
DoD has defined the security configuration checklists as DoD security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.).
The organization conducting the inspection/assessment obtains and examines the security plan to ensure the organization being inspected/assessed has documented the configuration guidance which apply to their information system components.
The organization conducting the inspection/assessment reviews the list of documented guidance to ensure that all applicable guidance is identified given the information system components within the authorization boundary. |
DoD has defined the security configuration checklists as DoD security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.).
The organization being inspected/assessed documents in the security plan, the configuration guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.) which apply to their information system components. |
Configuration Settings |
CM-6 |
CM-6.1 |
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline.
Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. |
The organization:
a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
b. Implements the configuration settings;
c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization - defined information system components] based on [Assignment: organization-defined operational requirements]; and
d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. |
| CCI-000364 |
The organization establishes configuration settings for information technology products employed within the information system using organization-defined security configuration checklists. |
DoD security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.) meet the DoD requirement for establishing configuration settings.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.). |
DoD security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.) meet the DoD requirement for establishing configuration settings.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.). |
Configuration Settings |
CM-6 |
CM-6.2 |
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline.
Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. |
The organization:
a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
b. Implements the configuration settings;
c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization - defined information system components] based on [Assignment: organization-defined operational requirements]; and
d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. |
| CCI-000365 |
The organization documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists that reflect the most restrictive mode consistent with operational requirements. |
DoD security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.) meet the DoD requirement for documenting configuration settings.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.). |
DoD security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.) meet the DoD requirement for documenting configuration settings.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.). |
Configuration Settings |
CM-6 |
CM-6.3 |
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline.
Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. |
The organization:
a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
b. Implements the configuration settings;
c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization - defined information system components] based on [Assignment: organization-defined operational requirements]; and
d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. |
| CCI-000366 |
The organization implements the security configuration settings. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed implements DoD security configuration or implementation guidance (e.g. STIGs, NSA configuration guides, CTOs, DTMs etc.).
The organization conducting the inspection/assessment tests a sampling of information system components to ensure they comply with the required settings.
DoD has defined the security configuration checklists as DoD security configuration or implementation guidance (e.g. STIGs, NSA configuration guides, CTOs, DTMs etc.). |
The organization being inspected/assessed must develop and document a process for implementing DoD security configuration or implementation guidance (e.g. STIGs, NSA configuration guides, CTOs, DTMs etc.).
DoD has defined the security configuration checklists as DoD security configuration or implementation guidance (e.g. STIGs, NSA configuration guides, CTOs, DTMs etc.).
|
Configuration Settings |
CM-6 |
CM-6.5 |
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline.
Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. |
The organization:
a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
b. Implements the configuration settings;
c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization - defined information system components] based on [Assignment: organization-defined operational requirements]; and
d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. |
| CCI-000367 |
The organization identifies any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements. |
The organization conducting the inspection/assessment obtains and examines the security plan to ensure the organization being inspected/assessed has documented deviations from configuration settings for information system components. |
The organization being inspected/assessed documents in the security plan and POA&M, if applicable, the information system components as defined in CM-6, CCI 1755 which deviate from configuration settings, and which settings as defined in CM-6, CCI 1756. |
Configuration Settings |
CM-6 |
CM-6.6 |
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline.
Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. |
The organization:
a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
b. Implements the configuration settings;
c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization - defined information system components] based on [Assignment: organization-defined operational requirements]; and
d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. |
| CCI-000368 |
The organization documents any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements. |
The organization conducting the inspection/assessment obtains and examines the security plan to ensure the organization being inspected/assessed has documented deviations from configuration settings for information system components. |
The organization being inspected/assessed documents in the security plan and POA&M, if applicable, all configurable information system components which deviate from configuration settings, and which settings as defined in CM-6, CCI 1756.
DoD has defined the information system components as all configurable information system components. |
Configuration Settings |
CM-6 |
CM-6.7 |
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline.
Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. |
The organization:
a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
b. Implements the configuration settings;
c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization - defined information system components] based on [Assignment: organization-defined operational requirements]; and
d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. |
| CCI-000369 |
The organization approves any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements. |
The organization conducting the inspection/assessment obtains and examines the security plan and the audit trail of approved changes to ensure the deviations are approved IAW CM-3, CCI 314. |
The organization being inspected/assessed manages and approves changes to the security plan documenting deviations IAW CM-3, CCI 314.
The organization must maintain an audit trail of approved changes to the security plan. |
Configuration Settings |
CM-6 |
CM-6.8 |
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline.
Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. |
The organization:
a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
b. Implements the configuration settings;
c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization - defined information system components] based on [Assignment: organization-defined operational requirements]; and
d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. |
| CCI-000370 |
The organization employs automated mechanisms to centrally manage configuration settings for organization-defined information system components. |
The organization conducting the inspection/assessment obtains and examines the configuration management policy to ensure the organization being inspected/assessed identifies automated mechanisms to centrally manage configuration settings.
The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. |
The organization being inspected/assessed identifies, documents in the configuration management policy, and implements automated mechanisms to centrally manage configuration settings. |
Configuration Settings | Automated Central Management / Application / Verification |
CM-6 (1) |
CM-6(1).1 |
Related controls: CA-7, CM-4. |
The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components]. |
| CCI-000371 |
The organization employs automated mechanisms to centrally apply configuration settings for organization-defined information system components. |
The organization conducting the inspection/assessment obtains and examines the configuration management policy to ensure the organization being inspected/assessed identifies automated mechanisms to centrally apply configuration settings.
The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. |
The organization being inspected/assessed identifies, documents in the configuration management policy, and implements automated mechanisms to centrally apply configuration settings. |
Configuration Settings | Automated Central Management / Application / Verification |
CM-6 (1) |
CM-6(1).2 |
Related controls: CA-7, CM-4. |
The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components]. |
| CCI-000372 |
The organization employs automated mechanisms to centrally verify configuration settings for organization-defined information system components. |
The organization conducting the inspection/assessment obtains and examines the configuration management policy to ensure the organization being inspected/assessed identifies automated mechanisms to centrally verify configuration settings.
The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. |
The organization being inspected/assessed identifies, documents in the configuration management policy, and implements automated mechanisms to centrally verify configuration settings. |
Configuration Settings | Automated Central Management / Application / Verification |
CM-6 (1) |
CM-6(1).3 |
Related controls: CA-7, CM-4. |
The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components]. |
| CCI-000373 |
The organization defines configuration settings for which unauthorized changes are responded to by automated mechanisms. |
|
|
|
|
|
|
|
| CCI-000374 |
The organization employs automated mechanisms to respond to unauthorized changes to organization-defined configuration settings. |
|
|
|
|
|
|
|
| CCI-000375 |
The organization incorporates detection of unauthorized, security-relevant configuration changes into the organizations incident response capability. |
|
|
|
|
|
|
|
| CCI-000376 |
The organization ensures unauthorized, security-relevant configuration changes detected are monitored. |
|
|
|
|
|
|
|
| CCI-000377 |
The organization ensures unauthorized, security-relevant configuration changes detected are corrected. |
|
|
|
|
|
|
|
| CCI-000378 |
The organization ensures unauthorized, security-relevant configuration changes detected are available for historical purposes. |
|
|
|
|
|
|
|
| CCI-000379 |
The information system (including modifications to the baseline configuration) demonstrates conformance to security configuration guidance (i.e., security checklists) prior to being introduced into a production environment. |
|
|
|
|
|
|
|
| CCI-001502 |
The organization monitors changes to the configuration settings in accordance with organizational policies and procedures. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed monitors changes to the configuration settings in accordance with organizational policies and procedures. |
The organization being inspected/assessed develops and documents a process for monitoring changes to the configuration settings in accordance with organizational policies and procedures. |
Configuration Settings |
CM-6 |
CM-6.11 |
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline.
Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. |
The organization:
a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
b. Implements the configuration settings;
c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization - defined information system components] based on [Assignment: organization-defined operational requirements]; and
d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. |
| CCI-001503 |
The organization controls changes to the configuration settings in accordance with organizational policies and procedures. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed controls changes to the configuration settings in accordance with organizational policies and procedures. |
The organization being inspected/assessed develops and documents a process for controlling changes to the configuration settings in accordance with organizational policies and procedures. |
Configuration Settings |
CM-6 |
CM-6.12 |
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline.
Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. |
The organization:
a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
b. Implements the configuration settings;
c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization - defined information system components] based on [Assignment: organization-defined operational requirements]; and
d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. |
| CCI-001590 |
The organization develops a list of software programs authorized to execute on the information system. |
|
|
|
|
|
|
|
| CCI-001591 |
The organization develops a list of software programs not authorized to execute on the information system. |
|
|
|
|
|
|
|
| CCI-001592 |
The organization defines the rules authorizing the terms and conditions of software program usage on the information system. |
The organization conducting the inspection/assessment obtains and examines the rules as well as the software list to ensure that all network capable software programs are DoDI 8551 compliant and that the rules authorizing the use of all other programs are defined.
DoD has determined that the rules authorizing the terms and conditions of software program usage on the information system are not appropriate to define at the Enterprise level |
The organization being inspected/assessed defines and documents their rules for approval of software program usage.
For network capable software programs, the organization being inspected/assessed complies with DoDI 8551.
DoD has determined that the rules authorizing the terms and conditions of software program usage on the information system are not appropriate to define at the Enterprise level. |
Least Functionality | Prevent Program Execution |
CM-7 (2) |
CM-7(2).1 |
Related controls: CM-8, PM-5. |
The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]. |
| CCI-001593 |
The organization maintains a list of software programs authorized to execute on the information system. |
|
|
|
|
|
|
|
| CCI-001594 |
The organization maintains a list of software programs not authorized to execute on the information system. |
|
|
|
|
|
|
|
| CCI-001595 |
The organization maintains rules authorizing the terms and conditions of software program usage on the information system. |
|
|
|
|
|
|
|
| CCI-000380 |
The organization defines prohibited or restricted functions, ports, protocols, and/or services for the information system. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the information system prohibited or restricted functions, ports, protocols, and/or services as IAW DoDI 8551.01. |
DoD has defined the information system prohibited or restricted functions, ports, protocols, and/or services as IAW DoDI 8551.01. |
Least Functionality |
CM-7 |
CM-7.2 |
Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. Related controls: AC-6, CM-2, RA-5, SA-5, SC-7. |
The organization:
a. Configures the information system to provide only essential capabilities; and
b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services]. |
| CCI-000381 |
The organization configures the information system to provide only essential capabilities. |
The organization conducting the inspection/assessment obtains and examines the security plan to ensure the organization being inspected/assessed has identified essential capabilities. The organization conducting the inspection/assessment inspects the information system to ensure that it provides only those documented essential capabilities. |
The organization being inspected/assessed documents in the security plan, essential capabilities which the information system must provide. The organization being inspected/assessed configures the information system to provide only those documented essential capabilities. |
Least Functionality |
CM-7 |
CM-7.1 |
Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. Related controls: AC-6, CM-2, RA-5, SA-5, SC-7. |
The organization:
a. Configures the information system to provide only essential capabilities; and
b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services]. |
| CCI-000382 |
The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services. |
The organization conducting the inspection/assessment inspects the information system to ensure the organization being inspected/assessed prohibits or restricts the use of functions, ports, protocols, and/or services IAW DoDI 8551.01.
DoD has defined the information system prohibited or restricted functions, ports, protocols, and/or services as IAW DoDI 8551.01. |
The organization being inspected/assessed configures the information system to prohibit or restrict the use of functions, ports, protocols, and/or services IAW DoDI 8551.01.
DoD has defined the information system prohibited or restricted functions, ports, protocols, and/or services as IAW DoDI 8551.01. |
Least Functionality |
CM-7 |
CM-7.3 |
Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. Related controls: AC-6, CM-2, RA-5, SA-5, SC-7. |
The organization:
a. Configures the information system to provide only essential capabilities; and
b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services]. |
| CCI-000383 |
The organization defines the frequency of information system reviews to identify and eliminate unnecessary functions, ports, protocols and/or services. |
|
|
|
|
|
|
|
| CCI-000384 |
The organization reviews the information system per organization-defined frequency to identify unnecessary and nonsecure functions, ports, protocols, and services. |
The organization conducting the inspection/assessment obtains and examines the documented process and audit trail of reviews to ensure the organization being inspected/assessed reviews the information system every 30 days to identify unnecessary and nonsecure functions, ports, protocols, and services.
DoD has defined the frequency as every 30 days. |
The organization being inspected/assessed documents and implements a process to review the information system every 30 days to identify unnecessary and nonsecure functions, ports, protocols, and services.
The organization must maintain an audit trail of the reviews.
DoD has defined the frequency as every 30 days. |
Least Functionality | Periodic Review |
CM-7 (1) |
CM-7(1).1 |
The organization can either make a determination of the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are examples of less than secure protocols. Related controls: AC-18, CM-7, IA-2. |
The organization:
(a) Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and
(b) Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure]. |
| CCI-000385 |
The organization reviews the information system per organization-defined frequency to eliminate unnecessary functions, ports, protocols, and/or services. |
|
|
|
|
|
|
|
| CCI-000386 |
The organization employs automated mechanisms to prevent program execution on the information system in accordance with the organization-defined specifications. |
|
|
|
|
|
|
|
| CCI-000387 |
The organization defines registration requirements for functions, ports, protocols, and services. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the registration requirements as IAW DoDI 8551.01. |
DoD has defined the registration requirements as IAW DoDI 8551.01. |
Least Functionality | Registration Compliance |
CM-7 (3) |
CM-7(3).1 |
Organizations use the registration process to manage, track, and provide oversight for information systems and implemented functions, ports, protocols, and services. |
The organization ensures compliance with [Assignment: organization-defined registration requirements for functions, ports, protocols, and services]. |
| CCI-000388 |
The organization ensures compliance with organization-defined registration requirements for functions, ports, protocols, and services. |
The organization conducting the inspection/assessment obtains and examines a documented listing of ports, protocols, and services in use, and reviews a sampling of those ports, protocols, and services to ensure the organization being inspected/assessed is compliant with DoDI 8551.01.
DoD has defined the registration requirements as IAW DoDI 8551.01. |
The organization being inspected/assessed implements DoDI 8551.01.
DoD has defined the registration requirements as IAW DoDI 8551.01. |
Least Functionality | Registration Compliance |
CM-7 (3) |
CM-7(3).2 |
Organizations use the registration process to manage, track, and provide oversight for information systems and implemented functions, ports, protocols, and services. |
The organization ensures compliance with [Assignment: organization-defined registration requirements for functions, ports, protocols, and services]. |
| CCI-001596 |
The organization defines the frequency with which to review and update the current contingency planning procedures. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as annually. |
DoD has defined the frequency as annually. |
Contingency Planning Policy And Procedures |
CP-1 |
CP-1.9 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and
b. Reviews and updates the current:
1. Contingency planning policy [Assignment: organization-defined frequency]; and
2. Contingency planning procedures [Assignment: organization-defined frequency]. |
| CCI-001597 |
The organization disseminates contingency planning procedures to organization-defined personnel or roles. |
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8500.01 and NIST SP 800-34. |
DoD disseminates DoDI 8500.01 organization-wide via the DoD Issuances website.
http://www.dtic.mil/whs/directives/corres/dir.html
NIST disseminates NIST SP 800-34 via
http://csrc.nist.gov/publications/PubsSPs.html |
Contingency Planning Policy And Procedures |
CP-1 |
CP-1.5 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and
b. Reviews and updates the current:
1. Contingency planning policy [Assignment: organization-defined frequency]; and
2. Contingency planning procedures [Assignment: organization-defined frequency]. |
| CCI-001598 |
The organization reviews and updates the current contingency planning procedures in accordance with the organization-defined frequency. |
DoDI 8500.01 and NIST SP 800-34 meet the DoD requirements for contingency planning policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8500.01 and NIST SP 800-34. |
DoDI 8500.01 and NIST SP 800-34 meet the DoD requirements for contingency planning policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8500.01 and NIST SP 800-34. |
Contingency Planning Policy And Procedures |
CP-1 |
CP-1.10 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and
b. Reviews and updates the current:
1. Contingency planning policy [Assignment: organization-defined frequency]; and
2. Contingency planning procedures [Assignment: organization-defined frequency]. |
| CCI-000437 |
The organization defines the frequency with which to review and update the current contingency planning policy. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as every 5 years. |
DoD has defined the frequency as every 5 years. |
Contingency Planning Policy And Procedures |
CP-1 |
CP-1.7 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and
b. Reviews and updates the current:
1. Contingency planning policy [Assignment: organization-defined frequency]; and
2. Contingency planning procedures [Assignment: organization-defined frequency]. |
| CCI-000438 |
The organization develops and documents a contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
DoDI 8500.01 and NIST SP 800-34 meet the DoD requirements for contingency planning policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8500.01 and NIST SP 800-34. |
DoDI 8500.01 and NIST SP 800-34 meet the DoD requirements for contingency planning policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8500.01 and NIST SP 800-34. |
Contingency Planning Policy And Procedures |
CP-1 |
CP-1.1 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and
b. Reviews and updates the current:
1. Contingency planning policy [Assignment: organization-defined frequency]; and
2. Contingency planning procedures [Assignment: organization-defined frequency]. |
| CCI-000439 |
The organization disseminates a contingency planning policy to organization-defined personnel or roles. |
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8500.01 and NIST SP 800-34. |
DoD disseminates DoDI 8500.01 organization-wide via the DoD Issuances website.
http://www.dtic.mil/whs/directives/corres/dir.html
NIST disseminates NIST SP 800-34 via
http://csrc.nist.gov/publications/PubsSPs.html |
Contingency Planning Policy And Procedures |
CP-1 |
CP-1.2 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and
b. Reviews and updates the current:
1. Contingency planning policy [Assignment: organization-defined frequency]; and
2. Contingency planning procedures [Assignment: organization-defined frequency]. |
| CCI-000440 |
The organization reviews and updates the current contingency planning policy in accordance with an organization-defined frequency. |
DoDI 8500.01 and NIST SP 800-34 meet the DoD requirements for contingency planning policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8500.01 and NIST SP 800-34. |
DoDI 8500.01 and NIST SP 800-34 meet the DoD requirements for contingency planning policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8500.01 and NIST SP 800-34. |
Contingency Planning Policy And Procedures |
CP-1 |
CP-1.8 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and
b. Reviews and updates the current:
1. Contingency planning policy [Assignment: organization-defined frequency]; and
2. Contingency planning procedures [Assignment: organization-defined frequency]. |
| CCI-000441 |
The organization develops and documents procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls. |
DoDI 8500.01 and NIST SP 800-34 meet the DoD requirements for contingency planning policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8500.01 and NIST SP 800-34. |
DoDI 8500.01 and NIST SP 800-34 meet the DoD requirements for contingency planning policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8500.01 and NIST SP 800-34. |
Contingency Planning Policy And Procedures |
CP-1 |
CP-1.4 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and
b. Reviews and updates the current:
1. Contingency planning policy [Assignment: organization-defined frequency]; and
2. Contingency planning procedures [Assignment: organization-defined frequency]. |
| CCI-001599 |
The organization sustains operational continuity of essential missions until full information system restoration at primary processing and/or storage sites. |
The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it documents procedures to sustain operational continuity of essential missions until full information system restoration at primary processing and/or storage sites. |
The organization being inspected/assessed develops and documents procedures within the contingency plan to sustain operational continuity of essential missions until full information system restoration at primary processing and/or storage sites. |
Contingency Plan | Continue Essential Missions / Business Functions |
CP-2 (5) |
CP-2(5).3 |
Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites). Related control: PE-12. |
The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites. |
| CCI-001600 |
The organization sustains operational continuity of essential business functions until full information system restoration at primary processing and/or storage sites. |
The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it documents procedures to sustain operational continuity of essential business functions until full information system restoration at primary processing and/or storage sites. |
The organization being inspected/assessed develops and documents procedures within the contingency plan to sustain operational continuity of essential business functions until full information system restoration at primary processing and/or storage sites. |
Contingency Plan | Continue Essential Missions / Business Functions |
CP-2 (5) |
CP-2(5).4 |
Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites). Related control: PE-12. |
The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites. |
| CCI-001601 |
The organization sustains operational continuity of essential missions at alternate processing and/or storage sites until information system restoration at primary processing and/or storage sites. |
The organization conducting the inspection/assessment obtains and examines the continuity plan to ensure the organization being inspected/assessed documents a process for continuation of essential missions at alternate processing and/or storage sites until information system restoration at primary processing and/or storage sites. |
The organization being inspected/assessed documents within their continuity plan a process for continuation of essential missions at alternate processing and/or storage sites until information system restoration at primary processing and/or storage sites. |
Contingency Plan | Alternate Processing / Storage Site |
CP-2 (6) |
CP-2(6).3 |
Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites). Related control: PE-12. |
The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites. |
| CCI-001602 |
The organization sustains operational continuity of essential business functions at alternate processing and/or storage sites until information system restoration at primary processing and/or storage sites. |
The organization conducting the inspection/assessment obtains and examines the continuity plan to ensure the organization being inspected/assessed documents a process for continuation of essential business functions at alternate processing and/or storage sites until information system restoration at primary processing and/or storage sites. |
The organization being inspected/assessed documents within their continuity plan a process for continuation of essential business functions at alternate processing and/or storage sites until information system restoration at primary processing and/or storage sites. |
Contingency Plan | Alternate Processing / Storage Site |
CP-2 (6) |
CP-2(6).4 |
Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites). Related control: PE-12. |
The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites. |
| CCI-000443 |
The organization develops a contingency plan for the information system that identifies essential missions. |
The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents essential missions for its information system(s). |
The organization being inspected/assessed must clearly and accurately document essential missions for its information system(s). Impact of loss of essential mission functions must be defined using CNSSI 1253. |
Contingency Plan |
CP-2 |
CP-2.1 |
Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. |
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification. |
| CCI-000444 |
The organization develops a contingency plan for the information system that identifies essential business functions. |
The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents essential business functions for its information system(s). |
The organization being inspected/assessed must clearly and accurately document essential business functions for its information system(s). Impact of loss of essential business functions must be defined using CNSSI 1253. |
Contingency Plan |
CP-2 |
CP-2.2 |
Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. |
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification. |
| CCI-000445 |
The organization develops a contingency plan for the information system that identifies associated contingency requirements. |
The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents associated contingency requirements for its information system(s). |
The organization being inspected/assessed must clearly and accurately document associated contingency requirements for its information system(s). |
Contingency Plan |
CP-2 |
CP-2.3 |
Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. |
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification. |
| CCI-000446 |
The organization develops a contingency plan for the information system that provides recovery objectives. |
The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents recovery objectives for its information system(s). |
The organization being inspected/assessed must clearly and accurately document recovery objectives for its information system(s). |
Contingency Plan |
CP-2 |
CP-2.4 |
Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. |
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification. |
| CCI-000447 |
The organization develops a contingency plan for the information system that provides restoration priorities. |
The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents restoration priorities for its information system(s). |
The organization being inspected/assessed must clearly and accurately document restoration priorities for its information system(s). |
Contingency Plan |
CP-2 |
CP-2.5 |
Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. |
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification. |
| CCI-000448 |
The organization develops a contingency plan for the information system that provides metrics. |
The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents metrics for its information system(s). |
The organization being inspected/assessed must clearly and accurately document metrics for its information system(s). |
Contingency Plan |
CP-2 |
CP-2.6 |
Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. |
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification. |
| CCI-000449 |
The organization develops a contingency plan for the information system that addresses contingency roles, responsibilities, assigned individuals with contact information. |
The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents contingency roles, responsibilities, assigned individuals with contact information for its information system(s). |
The organization being inspected/assessed must clearly and accurately document contingency roles, responsibilities, assigned individuals with contact information for its information system(s). |
Contingency Plan |
CP-2 |
CP-2.7 |
Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. |
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification. |
| CCI-000450 |
The organization develops a contingency plan for the information system that addresses maintaining essential missions despite an information system disruption. |
The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents maintaining essential missions despite an information system disruption for its information system(s). |
The organization being inspected/assessed must clearly and accurately document maintaining essential missions despite an information system disruption for its information system(s). |
Contingency Plan |
CP-2 |
CP-2.8 |
Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. |
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification. |
| CCI-000451 |
The organization develops a contingency plan for the information system that addresses maintaining essential business functions despite an information system disruption. |
The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents maintaining business functions despite an information system disruption for its information system(s). |
The organization being inspected/assessed must clearly and accurately document maintaining business functions despite an information system disruption for its information system(s). |
Contingency Plan |
CP-2 |
CP-2.9 |
Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. |
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification. |
| CCI-000452 |
The organization develops a contingency plan for the information system that addresses maintaining essential missions despite an information system compromise. |
The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents maintaining essential missions despite an information system compromise for its information system(s). |
The organization being inspected/assessed must clearly and accurately document maintaining essential missions despite an information system compromise for its information system(s). |
Contingency Plan |
CP-2 |
CP-2.10 |
Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. |
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification. |
| CCI-000453 |
The organization develops a contingency plan for the information system that addresses maintaining essential business functions despite an information system compromise. |
The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents maintaining business functions despite an information system compromise for its information system(s). |
The organization being inspected/assessed must clearly and accurately document maintaining business functions despite an information system compromise for its information system(s). |
Contingency Plan |
CP-2 |
CP-2.11 |
Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. |
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification. |
| CCI-000454 |
The organization develops a contingency plan for the information system that addresses maintaining essential missions despite an information system failure. |
The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents maintaining essential missions despite an information system failure for its information system(s). |
The organization being inspected/assessed must clearly and accurately document maintaining essential missions despite an information system failure for its information system(s). |
Contingency Plan |
CP-2 |
CP-2.12 |
Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. |
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification. |
| CCI-000455 |
The organization develops a contingency plan for the information system that addresses maintaining essential business functions despite an information system failure. |
The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents maintaining business functions despite an information system failure for its information system(s). |
The organization being inspected/assessed must clearly and accurately document maintaining business functions despite an information system failure for its information system(s). |
Contingency Plan |
CP-2 |
CP-2.13 |
Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. |
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification. |
| CCI-000456 |
The organization develops a contingency plan for the information system that addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented. |
The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented for its information system(s). |
The organization being inspected/assessed must clearly and accurately document eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented for its information system(s). |
Contingency Plan |
CP-2 |
CP-2.14 |
Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. |
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification. |
| CCI-000457 |
The organization develops a contingency plan for the information system that is reviewed and approved by organization-defined personnel or roles. |
The organization conducting the inspection/assessment obtains and examines the audit trail to ensure the contingency plan has been reviewed and approved by at a minimum, the ISSM and ISSO.
DoD has defined the personnel or roles as at a minimum, the ISSM and ISSO. |
The organization being inspected/assessed reviews and approves the contingency plan by at a minimum, the ISSM and ISSO.
The organization must maintain an audit trail of the review and approval activity.
DoD has defined the personnel or roles as at a minimum, the ISSM and ISSO. |
Contingency Plan |
CP-2 |
CP-2.15 |
Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. |
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification. |
| CCI-000458 |
The organization defines a list of key contingency personnel (identified by name and/or by role) and organizational elements designated to receive copies of the contingency plan. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the list as all stakeholders identified in the contingency plan. |
DoD has defined the list as all stakeholders identified in the contingency plan. |
Contingency Plan |
CP-2 |
CP-2.17 |
Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. |
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification. |
| CCI-000459 |
The organization distributes copies of the contingency plan to an organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements. |
The organization conducting the inspection/assessment obtains and examines the contingency plan via the inspected organization's information sharing capability (e.g. portal, intranet, email, etc.) to ensure it has been disseminated.
|
The organization being inspected/assessed ensures the contingency plan is disseminated to all stakeholders identified in the contingency plan via an information sharing capibility.
DoD has defined the list as all stakeholders identified in the contingency plan. |
Contingency Plan |
CP-2 |
CP-2.18 |
Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. |
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification. |
| CCI-000460 |
The organization coordinates contingency planning activities with incident handling activities. |
The organization conducting the inspection/assessment obtains and examines the contingency plan and the incident response plan (IR-8) to ensure they
do not contradict each other's objectives or result in duplicate efforts/activities. |
The organization being inspected/assessed will coordinate the contingency plan and incident response plan (IR-8) to ensure they
do not contradict each other's objectives or result in duplicate efforts/activities. |
Contingency Plan |
CP-2 |
CP-2.19 |
Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. |
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification. |
| CCI-000461 |
The organization defines the frequency with which to review the contingency plan for the information system. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as annually. |
DoD has defined the frequency as annually. |
Contingency Plan |
CP-2 |
CP-2.20 |
Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. |
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification. |
| CCI-000462 |
The organization reviews the contingency plan for the information system in accordance with organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the audit trail to ensure the contingency plan is reviewed annually. |
The organization being inspected/assessed annually reviews the contingency plan.
The organization must maintain an audit trail of annual reviews. |
Contingency Plan |
CP-2 |
CP-2.21 |
Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. |
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification. |
| CCI-000463 |
The organization updates the contingency plan to address changes to the organization. |
The organization conducting the inspection/assessment obtains and examines the contingency plan and audit trail to ensure the organization clearly and accurately updates the contingency plan to address organizational changes. |
The organization being inspected/assessed must clearly and accurately update the contingency plan to address organizational changes.
The organization must document the update activities as an audit trail. |
Contingency Plan |
CP-2 |
CP-2.22 |
Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. |
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification. |
| CCI-000464 |
The organization updates the contingency plan to address changes to the information system. |
The organization conducting the inspection/assessment obtains and examines the contingency plan and audit trail to ensure the organization clearly and accurately updates the contingency plan to address information system changes. |
The organization being inspected/assessed must clearly and accurately update the contingency plan to address changes to the information system.
The organization must document the update activities as an audit trail. |
Contingency Plan |
CP-2 |
CP-2.23 |
Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. |
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification. |
| CCI-000465 |
The organization updates the contingency plan to address changes to the environment of operation. |
The organization conducting the inspection/assessment obtains and examines the contingency plan and audit trail to ensure the organization clearly and accurately revises the contingency plan to address changes to the environment of operation. |
The organization being inspected/assessed must clearly and accurately revise the contingency plan to address changes to the environment of operation.
The organization must document the update activities as an audit trail. |
Contingency Plan |
CP-2 |
CP-2.24 |
Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. |
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification. |
| CCI-000466 |
The organization updates the contingency plan to address problems encountered during contingency plan implementation, execution, or testing. |
The organization conducting the inspection/assessment obtains and examines the contingency plan and audit trail to ensure the organization clearly and accurately revises the contingency plan to address problems encountered during contingency plan implementation, execution, or testing. |
The organization being inspected/assessed must clearly and accurately revise the contingency plan to address problems encountered during contingency plan implementation, execution, or testing.
The organization must document the update activities as an audit trail. |
Contingency Plan |
CP-2 |
CP-2.25 |
Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. |
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification. |
| CCI-000468 |
The organization communicates contingency plan changes to an organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements. |
The organization conducting the inspection/assessment examines the contingency plan via the inspected organization's information sharing capability (e.g. portal, intranet, email, etc.) to ensure the most current version has been communicated. |
The organization being inspected/assessed communicates contingency plan changes to all stakeholders identified in the contingency plan.
DoD has defined the list as all stakeholders identified in the contingency plan.
|
Contingency Plan |
CP-2 |
CP-2.26 |
Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. |
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification. |
| CCI-000469 |
The organization coordinates contingency plan development with organizational elements responsible for related plans. |
The organization conducting the inspection/assessment obtains and examines documentation of agreements with entities responsible for the contingency or related plans to ensure there is evidence of coordination of those plans. |
The organization being inspected/assessed coordinates the development of its contingency plan with other organizational elements responsible for related plans.
The organization documents any applicable agreements with responsible internal or external entities. For external entities the agreements could entail MOUs, MOAs, SLAs or contracts. |
Contingency Plan | Coordinate With Related Plans |
CP-2 (1) |
CP-2(1).1 |
Plans related to contingency plans for organizational information systems include, for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, Insider Threat Implementation Plan, and Occupant Emergency Plans. |
The organization coordinates contingency plan development with organizational elements responsible for related plans. |
| CCI-000470 |
The organization conducts capacity planning so that necessary capacity for information processing exists during contingency operations. |
The organization conducting the inspection/assessment obtains and examines the documented capacity planning to ensure
that the organization has performed capacity planning. |
The organization being inspected/assessed must conduct and document capacity planning to ensure that necessary capacity for information processing exists during contingency operations. |
Contingency Plan | Capacity Planning |
CP-2 (2) |
CP-2(2).1 |
Capacity planning is needed because different types of threats (e.g., natural disasters, targeted cyber attacks) can result in a reduction of the available processing, telecommunications, and support services originally intended to support the organizational missions/business functions. Organizations may need to anticipate degraded operations during contingency operations and factor such degradation into capacity planning. |
The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations. |
| CCI-000471 |
The organization conducts capacity planning so that necessary capacity for telecommunications exists during contingency operations. |
The organization conducting the inspection/assessment obtains and examines the documented capacity planning to ensure
that the organization has performed capacity planning. |
The organization being inspected/assessed must conduct and document capacity planning to ensure that necessary capacity for telecommunications exists during contingency operations. |
Contingency Plan | Capacity Planning |
CP-2 (2) |
CP-2(2).2 |
Capacity planning is needed because different types of threats (e.g., natural disasters, targeted cyber attacks) can result in a reduction of the available processing, telecommunications, and support services originally intended to support the organizational missions/business functions. Organizations may need to anticipate degraded operations during contingency operations and factor such degradation into capacity planning. |
The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations. |
| CCI-000472 |
The organization conducts capacity planning so that necessary capacity for environmental support exists during contingency operations. |
The organization conducting the inspection/assessment obtains and examines the documented capacity planning to ensure
that the organization has performed capacity planning. |
The organization being inspected/assessed must conduct and document capacity planning to ensure that necessary capacity for environmental support exists during contingency operations. |
Contingency Plan | Capacity Planning |
CP-2 (2) |
CP-2(2).3 |
Capacity planning is needed because different types of threats (e.g., natural disasters, targeted cyber attacks) can result in a reduction of the available processing, telecommunications, and support services originally intended to support the organizational missions/business functions. Organizations may need to anticipate degraded operations during contingency operations and factor such degradation into capacity planning. |
The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations. |
| CCI-000473 |
The organization defines the time period for planning the resumption of essential missions as a result of contingency plan activation. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as 1 hour (Availability High ) 12 hours (Availability Moderate) as defined in the contingency plan. |
DoD has defined the time period as 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. |
Contingency Plan | Resume Essential Missions / Business Functions |
CP-2 (3) |
CP-2(3).1 |
Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of essential missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure. Related control: PE-12. |
The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation. |
| CCI-000474 |
The organization defines the time period for planning the resumption of essential business functions as a result of contingency plan activation. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. |
DoD has defined the time period as 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. |
Contingency Plan | Resume Essential Missions / Business Functions |
CP-2 (3) |
CP-2(3).2 |
Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of essential missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure. Related control: PE-12. |
The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation. |
| CCI-000475 |
The organization plans for the resumption of essential missions within the organization-defined time period of contingency plan activation. |
The organization conducting the inspection/assessment obtains the contingency plan to ensure it contains procedures for resumption of essential missions within 1 hour (Availability High)
12 hours (Availability Moderate)
as defined in the contingency plan. |
The organization being inspected/assessed shall document within their contingency plan, procedures for resumption of essential missions within 1 hour (Availability High)
12 hours (Availability Moderate)
as defined in the contingency plan. |
Contingency Plan | Resume Essential Missions / Business Functions |
CP-2 (3) |
CP-2(3).3 |
Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of essential missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure. Related control: PE-12. |
The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation. |
| CCI-000476 |
The organization plans for the resumption of essential business functions within the organization-defined time period of contingency plan activation. |
The organization conducting the inspection/assessment obtains the contingency plan to ensure it contains procedures for resumption of essential business functions within 1 hour (Availability High) 12 hours (Availability Moderate)
as defined in the contingency plan. |
The organization being inspected/assessed shall document within their contingency plan, procedures for resumption of essential business functions within 1 hour (Availability High) 12 hours (Availability Moderate)
as defined in the contingency plan. |
Contingency Plan | Resume Essential Missions / Business Functions |
CP-2 (3) |
CP-2(3).4 |
Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of essential missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure. Related control: PE-12. |
The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation. |
| CCI-000477 |
The organization defines the time period for planning the resumption of all missions as a result of contingency plan activation. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as 1 hour (Availability High ) 1-5 days (Availability Moderate) 5-30 days (Availability Low)
as defined in the contingency plan. |
DoD has defined the time period as 1 hour (Availability High ) 1-5 days (Availability Moderate) 5-30 days (Availability Low)
as defined in the contingency plan. |
Contingency Plan | Resume All Missions / Business Functions |
CP-2 (4) |
CP-2(4).1 |
Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of all missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure. Related control: PE-12. |
The organization plans for the resumption of all missions and business functions within [Assignment: organization-defined time period] of contingency plan activation. |
| CCI-000478 |
The organization defines the time period for planning the resumption of all business functions as a result of contingency plan activation. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as 1 hour (Availability High ) 1-5 days (Availability Moderate) 5-30 days (Availability Low)
as defined in the contingency plan. |
DoD has defined the time period as 1 hour (Availability High ) 1-5 days (Availability Moderate) 5-30 days (Availability Low)
as defined in the contingency plan. |
Contingency Plan | Resume All Missions / Business Functions |
CP-2 (4) |
CP-2(4).2 |
Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of all missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure. Related control: PE-12. |
The organization plans for the resumption of all missions and business functions within [Assignment: organization-defined time period] of contingency plan activation. |
| CCI-000479 |
The organization plans for the resumption of all missions within an organization-defined time period of contingency plan activation. |
The organization conducting the inspection/assessment obtains the contingency plan to ensure it contains procedures for full resumption of affected missions within 1 hour (Availability High )
1-5 days (Availability Moderate)
5-30 days (Availability Low)
as defined in the contingency plan. |
The organization being inspected/assessed shall document within their contingency plan, procedures for full resumption of affected missions within 1 hour (Availability High )
1-5 days (Availability Moderate)
5-30 days (Availability Low)
as defined in the contingency plan. |
Contingency Plan | Resume All Missions / Business Functions |
CP-2 (4) |
CP-2(4).3 |
Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of all missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure. Related control: PE-12. |
The organization plans for the resumption of all missions and business functions within [Assignment: organization-defined time period] of contingency plan activation. |
| CCI-000480 |
The organization plans for the resumption of all business functions within an organization-defined time period of contingency plan activation. |
The organization conducting the inspection/assessment obtains the contingency plan to ensure it contains procedures for full resumption of affected business functions within 1 hour (Availability High) 1-5 days (Availability Moderate)
5-30 days (Availability Low)
as defined in the contingency plan. |
The organization being inspected/assessed shall document within their contingency plan, procedures for full resumption of affected business functions within 1 hour (Availability High) 1-5 days (Availability Moderate)
5-30 days (Availability Low)
as defined in the contingency plan. |
Contingency Plan | Resume All Missions / Business Functions |
CP-2 (4) |
CP-2(4).4 |
Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of all missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure. Related control: PE-12. |
The organization plans for the resumption of all missions and business functions within [Assignment: organization-defined time period] of contingency plan activation. |
| CCI-000481 |
The organization plans for the continuance of essential missions with little or no loss of operational continuity. |
The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents maintaining essential missions despite an information system disruption for its information system(s). |
The organization being inspected/assessed plans for the continuance of essential missions with little or no loss of operational continuity IAW CP-2a. |
Contingency Plan | Continue Essential Missions / Business Functions |
CP-2 (5) |
CP-2(5).1 |
Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites). Related control: PE-12. |
The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites. |
| CCI-000482 |
The organization plans for the continuance of essential business functions with little or no loss of operational continuity. |
The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents maintaining essential business functions despite an information system disruption for its information system(s). |
The organization being inspected/assessed plans for the continuance of essential business functions with little or no loss of operational continuity IAW CP-2a. |
Contingency Plan | Continue Essential Missions / Business Functions |
CP-2 (5) |
CP-2(5).2 |
Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites). Related control: PE-12. |
The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites. |
| CCI-000483 |
The organization plans for the transfer of essential missions to alternate processing and/or storage sites with little or no loss of operational continuity. |
The organization conducting the inspection/assessment obtains and examines the continuity plan to ensure the organization being inspected/assessed documents a process to transfer essential missions to alternate processing and/or storage sites with little or no loss of operational continuity. |
The organization being inspected/assessed documents within their continuity plan, a process to transfer essential missions to alternate processing and/or storage sites with little or no loss of operational continuity. |
Contingency Plan | Alternate Processing / Storage Site |
CP-2 (6) |
CP-2(6).1 |
Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites). Related control: PE-12. |
The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites. |
| CCI-000484 |
The organization plans for the transfer of essential business functions to alternate processing and/or storage sites with little or no loss of operational continuity. |
The organization conducting the inspection/assessment obtains and examines the continuity plan to ensure the organization being inspected/assessed documents a process to transfer essential business functions to alternate processing and/or storage sites with little or no loss of operational continuity. |
The organization being inspected/assessed documents within their continuity plan, a process to transfer essential business functions to alternate processing and/or storage sites with little or no loss of operational continuity. |
Contingency Plan | Alternate Processing / Storage Site |
CP-2 (6) |
CP-2(6).2 |
Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites). Related control: PE-12. |
The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites. |
| CCI-001603 |
The contingency plan identifies the primary storage site hazards. |
|
|
|
|
|
|
|
| CCI-001604 |
The organization outlines explicit mitigation actions for organization identified accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster. |
The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure the organization has documented explicit mitigation actions for accessibility problems identified in CP-6 (3), CCI 509 to the alternate storage site in the event of an area-wide disruption or disaster. |
The organization being inspected/assessed must identify and document in the contingency plan explicit mitigation actions for accessibility problems identified in CP-6 (3), CCI 509 to the alternate storage site in the event of an area-wide disruption or disaster. |
Alternate Storage Site | Accessibility |
CP-6 (3) |
CP-6(3).2 |
Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include, for example: (i) duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites; or (ii) planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted. Related control: RA-3. |
The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. |
| CCI-000505 |
The organization establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information. |
The organization conducting the inspection/assessment obtains and examines the contingency plan to confirm the organization has established an alternate storage site. |
The organization being inspected/assessed establishes an alternate storage site and documents relevant information within the contingency plan. |
Alternate Storage Site |
CP-6 |
CP-6.1 |
Alternate storage sites are sites that are geographically distinct from primary storage sites. An alternate storage site maintains duplicate copies of information and data in the event that the primary storage site is not available. Items covered by alternate storage site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination of delivery/retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-7, CP-9, CP-10, MP-4. |
The organization:
a. Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and
b. Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site. |
| CCI-000506 |
The organization initiates necessary alternate storage site agreements to permit the storage and recovery of information system backup information. |
|
|
|
|
|
|
|
| CCI-000507 |
The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats. |
The organization conducting the inspection/assessment obtains and examines the risk management strategy and the contingency plan to ensure the organization identifies an alternate storage site that is separated from the primary storage site so as not to be susceptible to the same threats identified at the primary site. |
The organization being inspected/assessed identifies and documents within the contingency plan an alternate storage site not susceptible to the same threats that exist at the primary storage site.
The organization must document threats in the risk management strategy IAW PM-9, CCI 000227. |
Alternate Storage Site | Separation From Primary Site |
CP-6 (1) |
CP-6(1).1 |
Threats that affect alternate storage sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant. Related control: RA-3. |
The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats. |
| CCI-000508 |
The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives. |
The organization conducting the inspection/assessment obtains and examines the contingency plan and conducts a walk-through of the alternate storage site to ensure the organization's documented recovery time and recovery point objectives have been met. |
The organization being inspected/assessed configures the alternate storage site to facilitate recovery operations IAW CP-2, CCIs 446 and 447. |
Alternate Storage Site | Recovery Time / Point Objectives |
CP-6 (2) |
CP-6(2).1 |
|
The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives. |
| CCI-000509 |
The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster. |
The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure the organization has documented potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster. |
The organization being inspected/assessed must identify and document in the contingency plan potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster. |
Alternate Storage Site | Accessibility |
CP-6 (3) |
CP-6(3).1 |
Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include, for example: (i) duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites; or (ii) planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted. Related control: RA-3. |
The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. |
| CCI-001605 |
The contingency plan identifies the primary processing site hazards. |
|
|
|
|
|
|
|
| CCI-001606 |
The organization outlines explicit mitigation actions for organization-identified potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster. |
The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure the organization has documented explicit mitigation actions for accessibility problems identified in CP-7 (2), CCI 517 to the alternate processing site in the event of an area-wide disruption or disaster. |
The organization being inspected/assessed must identify and document in the contingency plan explicit mitigation actions for accessibility problems identified in CP-7 (2), CCI 517 to the alternate processing site in the event of an area-wide disruption or disaster. |
Alternate Processing Site | Accessibility |
CP-7 (2) |
CP-7(2).2 |
Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk. Related control: RA-3. |
The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. |
| CCI-000510 |
The organization defines the time period consistent with recovery time and recovery point objectives for essential missions/business functions to permit the transfer and resumption of organization-defined information system operations at an alternate processing site when the primary processing capabilities are unavailable. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as 1 hour (Availability High ) 12 hours (Availability Moderate) as defined in the contingency plan |
DoD has defined the time period as 1 hour (Availability High ) 12 hours (Availability Moderate) as defined in the contingency plan. |
Alternate Processing Site |
CP-7 |
CP-7.1 |
Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-6, CP-8, CP-9, CP-10, MA-6. |
The organization:
a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site. |
| CCI-000511 |
The organization defines the time period for achieving the recovery time objectives for business functions within which processing must be resumed at the alternate processing site. |
|
|
|
|
|
|
|
| CCI-000512 |
The organization establishes an alternate processing site. |
|
|
|
|
|
|
|
| CCI-000513 |
The organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential missions within an organization-defined time period consistent with recovery time and recovery point objectives when the primary processing capabilities are unavailable. |
The organization conducting the inspection/assessment obtains and examines the approved alternate processing site agreements to ensure the organization has alternate processing site support that will permit the transfer and resumption of information system operations for essential missions within 1 hour (Availability High ) 12 hours (Availability Moderate) as defined in the contingency plan. |
The organization being inspected/assessed documents and gains approval for alternate processing site agreements that permit the transfer and resumption of information system operations for essential missions within 1 hour (Availability High ) 12 hours (Availability Moderate) as defined in the contingency plan. |
Alternate Processing Site |
CP-7 |
CP-7.2 |
Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-6, CP-8, CP-9, CP-10, MA-6. |
The organization:
a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site. |
| CCI-000514 |
The organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential business functions within an organization-defined time period consistent with recovery time and recovery point objectives when the primary processing capabilities are unavailable. |
The organization conducting the inspection/assessment obtains and examines the approved alternate processing site agreements to ensure the organization has alternate processing site support that will permit the transfer and resumption of information system operations for business functions within 1 hour (Availability High ) 12 hours (Availability Moderate) as defined in the contingency plan. |
The organization being inspected/assessed documents and gains approval for alternate processing site agreements that permit the transfer and resumption of information system operations for business functions within 1 hour (Availability High ) 12 hours (Availability Moderate) as defined in the contingency plan. |
Alternate Processing Site |
CP-7 |
CP-7.3 |
Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-6, CP-8, CP-9, CP-10, MA-6. |
The organization:
a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site. |
| CCI-000515 |
The organization ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption. |
The organization conducting the inspection/assessment obtains and examines:
1. Inventory of equipment and supplies or,
2. Contract documentation
to ensure the organization has the equipment and supply resources necessary, or provisions to obtain the resources to transfer and resume operations at the alternate processing site within 1 hour (Availability High ) 12 hours (Availability Moderate) as defined in the contingency plan. |
The organization being inspected/assessed maintains an inventory of equipment and supplies required to transfer and resume operations, or engages contract support that meets required timelines to support 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. |
Alternate Processing Site |
CP-7 |
CP-7.5 |
Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-6, CP-8, CP-9, CP-10, MA-6. |
The organization:
a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site. |
| CCI-000516 |
The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats. |
The organization conducting the inspection/assessment obtains and examines the risk management strategy and the contingency plan to ensure the organization identifies an alternate processing site that is separated from the primary processing site so as not to be susceptible to the same threats identified at the primary site. |
The organization being inspected/assessed identifies and documents within the contingency plan an alternate processing site not susceptible to the same threats that exist at the primary processing site.
The organization must document threats in the risk management strategy IAW PM-9, CCI 000227. |
Alternate Processing Site | Separation From Primary Site |
CP-7 (1) |
CP-7(1).1 |
Threats that affect alternate processing sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant. Related control: RA-3. |
The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats. |
| CCI-000517 |
The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster. |
The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure the organization has documented potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster. |
The organization being inspected/assessed must identify and document in the contingency plan potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster. |
Alternate Processing Site | Accessibility |
CP-7 (2) |
CP-7(2).1 |
Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk. Related control: RA-3. |
The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. |
| CCI-000518 |
The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with the organizational availability requirements (including recovery time objectives). |
The organization conducting the inspection/assessment obtains and examines the approved alternate processing site agreements to ensure they contain priority-of-service provisions in accordance with CP-2, CCI 447 for alternate processing site support (including recovery time objectives). |
The organization being inspected/assessed documents and gains approval for alternate processing site agreements that contain priority-of-service provisions in accordance with CP-2, CCI 447 (including recovery time objectives). |
Alternate Processing Site | Priority Of Service |
CP-7 (3) |
CP-7(3).1 |
Priority-of-service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources at the alternate processing site. |
The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with the organization's availability requirements (including recovery time objectives). |
| CCI-000519 |
The organization prepares the alternate processing site so that it is ready to be used as the operational site supporting essential missions. |
The organization conducting the inspection/assessment obtains and examines the contingency plan and conducts a walk-through of the alternate processing site to ensure it is ready to be used as the operational site supporting essential missions. |
The organization being inspected/assessed prepares the alternate processing site so that it is ready to be used as the operational site supporting essential missions IAW CP-2, CCI 443. |
Alternate Processing Site | Preparation For Use |
CP-7 (4) |
CP-7(4).1 |
Site preparation includes, for example, establishing configuration settings for information system components at the alternate processing site consistent with the requirements for such settings at the primary site and ensuring that essential supplies and other logistical considerations are in place. Related controls: CM-2, CM-6. |
The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions. |
| CCI-000520 |
The organization prepares the alternate processing site so that it is ready to be used as the operational site supporting essential business functions. |
The organization conducting the inspection/assessment obtains and examines the contingency plan and conducts a walk-through of the alternate processing site to ensure it is ready to be used as the operational site supporting business functions. |
The organization being inspected/assessed prepares the alternate processing site so that it is ready to be used as the operational site supporting business functions IAW CP-2, CCI 444. |
Alternate Processing Site | Preparation For Use |
CP-7 (4) |
CP-7(4).2 |
Site preparation includes, for example, establishing configuration settings for information system components at the alternate processing site consistent with the requirements for such settings at the primary site and ensuring that essential supplies and other logistical considerations are in place. Related controls: CM-2, CM-6. |
The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions. |
| CCI-000521 |
The organization ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site. |
The organization conducting the inspection/assessment obtains and examines the documentation of the primary/alternate site information security safeguards that are in place as well as evidence that the alternate site was approved based on an assessment that security is equivalent at the alternate site. |
The organization being inspected/assessed documents the information security safeguards that are in place at both the primary and alternate sites and evidence that the alternate site was approved based on an assessment that security is equivalent at the alternate site. |
Alternate Processing Site |
CP-7 |
CP-7.6 |
Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-6, CP-8, CP-9, CP-10, MA-6. |
The organization:
a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site. |
| CCI-001607 |
The organization establishes alternate telecommunications services to support the information system. |
|
|
|
|
|
|
|
| CCI-001608 |
The organization identifies the primary provider's telecommunications service hazards. |
|
|
|
|
|
|
|
| CCI-000522 |
The organization defines the time period within which to permit the resumption of organization-defined information system operations for essential missions when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as 1 hour (Availability High ) 12 hours (Availability Moderate) as defined in the contingency plan. |
DoD has defined the time period as 1 hour (Availability High ) 12 hours (Availability Moderate) as defined in the contingency plan. |
Telecommunications Services |
CP-8 |
CP-8.1 |
This control applies to telecommunications services (data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions/business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary/alternate sites. Alternate telecommunications services include, for example, additional organizational or commercial ground-based circuits/lines or satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements. Related controls: CP-2, CP-6, CP-7. |
The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization- defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. |
| CCI-000523 |
The organization defines the time period within which to permit the resumption of organization-defined information system operations for essential business functions when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as 1 hour (Availability High ) 12 hours (Availability Moderate) as defined in the contingency plan. |
DoD has defined the time period as 1 hour (Availability High ) 12 hours (Availability Moderate) as defined in the contingency plan. |
Telecommunications Services |
CP-8 |
CP-8.2 |
This control applies to telecommunications services (data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions/business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary/alternate sites. Alternate telecommunications services include, for example, additional organizational or commercial ground-based circuits/lines or satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements. Related controls: CP-2, CP-6, CP-7. |
The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization- defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. |
| CCI-000524 |
The organization establishes alternate telecommunication services including necessary agreements to permit the resumption of organization-defined information system operations for essential missions within an organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. |
The organization conducting the inspection/assessment obtains and examines the approved alternate telecommunications service agreements to ensure they permit the resumption of telecommunications services for essential mission IAW DoDI 8100.04. DoD has defined the time period as 1 hour (Availability High ) 12 hours (Availability Moderate) as defined in the contingency plan. |
The organization being inspected/assessed documents and gains approval for alternate telecommunications service agreements that permit the resumption of telecommunications services for essential missions IAW DoDI 8100.04. DoD has defined the time period as 1 hour (Availability High ) 12 hours (Availability Moderate) as defined in the contingency plan. |
Telecommunications Services |
CP-8 |
CP-8.3 |
This control applies to telecommunications services (data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions/business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary/alternate sites. Alternate telecommunications services include, for example, additional organizational or commercial ground-based circuits/lines or satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements. Related controls: CP-2, CP-6, CP-7. |
The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization- defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. |
| CCI-000525 |
The organization establishes alternate telecommunication services including necessary agreements to permit the resumption of organization-defined information system operations for essential business functions within an organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. |
The organization conducting the inspection/assessment obtains and examines the approved alternate telecommunications service agreements to ensure they permit the resumption of telecommunications services for business functions IAW DoDI 8100.04. DoD has defined the time period as 1 hour (Availability High ) 12 hours (Availability Moderate) as defined in the contingency plan. |
The organization being inspected/assessed documents and gains approval for alternate telecommunications service agreements that permit the resumption of telecommunications services for business functions IAW DoDI 8100.04. DoD has defined the time period as 1 hour (Availability High ) 12 hours (Availability Moderate) as defined in the contingency plan. |
Telecommunications Services |
CP-8 |
CP-8.4 |
This control applies to telecommunications services (data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions/business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary/alternate sites. Alternate telecommunications services include, for example, additional organizational or commercial ground-based circuits/lines or satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements. Related controls: CP-2, CP-6, CP-7. |
The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization- defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. |
| CCI-000526 |
The organization develops primary telecommunications service agreements that contain priority-of-service provisions in accordance with the organization^s availability requirements (including recovery time objectives). |
The organization conducting the inspection/assessment obtains and examines the approved primary telecommunications service agreements to ensure they contain priority-of-service provisions IAW DoDI 8100.04 (including recovery time objectives). |
The organization being inspected/assessed documents and gains approval for primary telecommunications service agreements that contain priority-of-service provisions IAW DoDI 8100.04 (including recovery time objectives). |
Telecommunications Services | Priority Of Service Provisions |
CP-8 (1) |
CP-8(1).1 |
Organizations consider the potential mission/business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions. |
The organization:
(a) Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and
(b) Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier. |
| CCI-000527 |
The organization develops alternate telecommunications service agreements that contain priority-of-service provisions in accordance with the organization^s availability requirements (including recovery time objectives). |
The organization conducting the inspection/assessment obtains and examines the approved alternate telecommunications service agreements to ensure they contain priority-of-service provisions IAW DoDI 8100.04 (including recovery time objectives). |
The organization being inspected/assessed documents and gains approval for alternate telecommunications service agreements that contain priority-of-service provisions IAW DoDI 8100.04 (including recovery time objectives). |
Telecommunications Services | Priority Of Service Provisions |
CP-8 (1) |
CP-8(1).2 |
Organizations consider the potential mission/business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions. |
The organization:
(a) Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and
(b) Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier. |
| CCI-000528 |
The organization requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary telecommunications services are provided by a common carrier. |
The organization conducting the inspection/assessment obtains and examines the contingency plan, the telecommunication service agreement, and any existing formal requests for Telecommunications Service Priority.
The purpose of the review is to ensure the organization or the mid-tier provider has requested Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness where the primary telecommunications services are provided by a common carrier.
|
The organization being inspected/assessed identifies and documents within the contingency plan any telecommunications services used for national security emergency preparedness. If the primary telecommunications services are provided by a common carrier, the organization formally requests Telecommunications Service Priority IAW the DHS Telecommunications Service Priority Process http://www.dhs.gov/telecommunications-service-priority-tsp. If the primary telecommunications services are provided by a mid-tier provider instead of a common carrier (for example, DISA) the organization must insure that their provider formally requests Telecommunications Service Priority on their behalf.
|
Telecommunications Services | Priority Of Service Provisions |
CP-8 (1) |
CP-8(1).3 |
Organizations consider the potential mission/business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions. |
The organization:
(a) Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and
(b) Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier. |
| CCI-000529 |
The organization requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the alternate telecommunications services are provided by a common carrier. |
The organization conducting the inspection/assessment obtains and examines the contingency plan, the telecommunication service agreement, and any existing formal requests for Telecommunications Service Priority.
The purpose of the review is to ensure the organization has requested Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event the alternate telecommunications services are provided by a common carrier. |
The organization being inspected/assessed identifies and documents within the contingency plan telecommunications services used for national security emergency preparedness in the event the alternate telecommunications services are provided by a common carrier. For each service, the organization formally requests Telecommunications Service Priority, IAW the DHS Telecommunications Service Priority Process http://tsp.ncs.gov/request.html. |
Telecommunications Services | Priority Of Service Provisions |
CP-8 (1) |
CP-8(1).4 |
Organizations consider the potential mission/business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions. |
The organization:
(a) Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and
(b) Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier. |
| CCI-000530 |
The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services. |
The organization conducting the inspection/assessment obtains and examines agreements with their service providers to ensure that a single point of failure is not shared. |
The organization being inspected/assessed obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services IAW DoDI 8100.04. |
Telecommunications Services | Single Points Of Failure |
CP-8 (2) |
CP-8(2).1 |
|
The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services. |
| CCI-000531 |
The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats. |
The organization conducting the inspection/assessment obtains and examines agreements with alternate service providers to ensure they are not susceptible to the same hazards as the primary service provider. |
The organization being inspected/assessed obtains alternate telecommunications services from providers that are separated from primary service providers so as not to be susceptible to the same hazards IAW DoDI 8100.04. |
Telecommunications Services | Separation Of Primary / Alternate Providers |
CP-8 (3) |
CP-8(3).1 |
Threats that affect telecommunications services are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber/physical attacks, and errors of omission/commission. Organizations seek to reduce common susceptibilities by, for example, minimizing shared infrastructure among telecommunications service providers and achieving sufficient geographic separation between services. Organizations may consider using a single service provider in situations where the service provider can provide alternate telecommunications services meeting the separation needs addressed in the risk assessment. |
The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats. |
| CCI-000532 |
The organization requires primary telecommunications service providers to have contingency plans. |
The organization conducting the inspection/assessment obtains and examines the primary telecommunications service provider agreements to ensure the organization requires the primary service provider to have contingency plans. |
The organization being inspected/assessed includes in their primary telecommunications service provider agreements requirements for the primary service provider to have contingency plans. |
Telecommunications Services | Provider Contingency Plan |
CP-8 (4) |
CP-8(4).1 |
Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security, state, and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training. |
The organization:
(a) Requires primary and alternate telecommunications service providers to have contingency plans;
(b) Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and
(c) Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency]. |
| CCI-000533 |
The organization requires alternate telecommunications service providers to have contingency plans. |
The organization conducting the inspection/assessment obtains and examines the alternate telecommunications service provider agreements to ensure the organization requires the alternate service provider to have contingency plans. |
The organization being inspected/assessed includes in their alternate telecommunications service provider agreements requirements for the alternate service provider to have contingency plans. |
Telecommunications Services | Provider Contingency Plan |
CP-8 (4) |
CP-8(4).2 |
Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security, state, and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training. |
The organization:
(a) Requires primary and alternate telecommunications service providers to have contingency plans;
(b) Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and
(c) Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency]. |
| CCI-001609 |
The organization can activate the redundant secondary information system that is not collocated with the primary system without loss of information or disruption to operations. |
The organization conducting the inspection/assessment determines if the organization has established a service level agreement for a redundant secondary system support that is not co-located with the primary system, and has configured the system so it can be activated to accomplish system backups without a loss of information or operational disruption. |
The organization being inspected/assessed establishes a service level agreement which will provide for redundant secondary system support that is not co-located with the primary system, and has configured the system so that it can be activated to accomplish system backups without a loss of information or operational disruption. |
Information System Backup | Redundant Secondary System |
CP-9 (6) |
CP-9(6).2 |
Related controls: CP-7, CP-10. |
The organization accomplishes information system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations. |
| CCI-000534 |
The organization defines the frequency of conducting user-level information backups to support recovery time objectives and recovery point objectives. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as at least weekly as defined in the contingency plan. |
DoD has defined the frequency as at least weekly as defined in the contingency plan. |
Information System Backup |
CP-9 |
CP-9.1 |
System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13. |
The organization:
a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protects the confidentiality, integrity, and availability of backup information at storage locations. |
| CCI-000535 |
The organization conducts backups of user-level information contained in the information system per organization-defined frequency that is consistent with recovery time and recovery point objectives. |
The organization conducting the inspection/assessment obtains and reviews the backup strategy, and examines a sample of systems to ensure they are configured to perform back ups at least weekly as defined in the contingency plan. |
The organization being inspected/assessed must identify user level information within the backup strategy and configure the system to perform backups at least weekly as defined in the contingency plan. |
Information System Backup |
CP-9 |
CP-9.2 |
System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13. |
The organization:
a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protects the confidentiality, integrity, and availability of backup information at storage locations. |
| CCI-000536 |
The organization defines the frequency of conducting system-level information backups to support recovery time objectives and recovery point objectives. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as at least weekly and as required by system baseline configuration changes in accordance with the contingency plan. |
DoD has defined the frequency as at least weekly and as required by system baseline configuration changes in accordance with the contingency plan. |
Information System Backup |
CP-9 |
CP-9.3 |
System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13. |
The organization:
a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protects the confidentiality, integrity, and availability of backup information at storage locations. |
| CCI-000537 |
The organization conducts backups of system-level information contained in the information system per organization-defined frequency that is consistent with recovery time and recovery point objectives. |
The organization conducting the inspection/assessment obtains and reviews the backup strategy, and examines a sample of systems to ensure they are configured to perform back ups at least weekly and as required by system baseline configuration changes in accordance with the contingency plan. |
The organization being inspected/assessed must identify system-level information within the backup strategy and configure the system to perform backups at least weekly and as required by system baseline configuration changes in accordance with the contingency plan. |
Information System Backup |
CP-9 |
CP-9.4 |
System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13. |
The organization:
a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protects the confidentiality, integrity, and availability of backup information at storage locations. |
| CCI-000538 |
The organization defines the frequency of conducting information system documentation backups, including security-related documentation, to support recovery time objectives and recovery point objectives. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as when created or received, when updated, and as required by system baseline configuration changes in accordance with the contingency plan. |
DoD has defined the frequency as when created or received, when updated, and as required by system baseline configuration changes in accordance with the contingency plan. |
Information System Backup |
CP-9 |
CP-9.5 |
System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13. |
The organization:
a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protects the confidentiality, integrity, and availability of backup information at storage locations. |
| CCI-000539 |
The organization conducts backups of information system documentation, including security-related documentation, per an organization-defined frequency that is consistent with recovery time and recovery point objectives. |
The organization conducting the inspection/assessment obtains and examines the latest version of the information system documentation including security-related documentation to verify it is the same version as contained in backups. |
The organization being inspected/assessed conducts backups of information system documentation including security-related documentation when created or received, when updated, and as required by system baseline configuration changes in accordance with the contingency plan. |
Information System Backup |
CP-9 |
CP-9.6 |
System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13. |
The organization:
a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protects the confidentiality, integrity, and availability of backup information at storage locations. |
| CCI-000540 |
The organization protects the confidentiality, integrity, and availability of backup information at storage locations. |
The organization conducting the inspection/assessment obtains and examines the system security plan and ensures backup information at the storage location is protected IAW the system security plan. |
The organization being inspected/assessed will protect the confidentiality, integrity, and availability of backup information at the storage location IAW the system security plan. |
Information System Backup |
CP-9 |
CP-9.7 |
System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13. |
The organization:
a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protects the confidentiality, integrity, and availability of backup information at storage locations. |
| CCI-000541 |
The organization defines the frequency with which to test backup information to verify media reliability and information integrity. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as at least monthly in accordance with contingency plan. |
DoD has defined the frequency as at least monthly in accordance with contingency plan. |
Information System Backup | Testing For Reliability / Integrity |
CP-9 (1) |
CP-9(1).1 |
Related control: CP-4. |
The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity. |
| CCI-000542 |
The organization tests backup information per an organization-defined frequency to verify media reliability and information integrity. |
The organization conducting the inspection/assessment obtains and examines the backup plan and verifies that the organization has tested and logged backup information. |
The organization being inspected/assessed tests and logs backup information at least monthly in accordance with contingency plan to verify media reliability and information integrity. |
Information System Backup | Testing For Reliability / Integrity |
CP-9 (1) |
CP-9(1).2 |
Related control: CP-4. |
The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity. |
| CCI-000543 |
The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing. |
The organization conducting the inspection/assessment obtains and examines the contingency plan test results to verify that the sample of backup information was restored as part of the restoration of selected information system functions. |
The organization being inspected/assessed restores a sample of backup information as part of the restoration of selected information system functions during contingency plan testing.
Organizations must identify a sample of backup information in the contingency plan test results. |
Information System Backup | Test Restoration Using Sampling |
CP-9 (2) |
CP-9(2).1 |
Related control: CP-4. |
The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing. |
| CCI-000544 |
The organization stores backup copies of the operating system in a separate facility or in a fire-rated container that is not colocated with the operational system. |
|
|
|
|
|
|
|
| CCI-000545 |
The organization stores backup copies of critical information system software in a separate facility or in a fire-rated container that is not colocated with the operational system. |
|
|
|
|
|
|
|
| CCI-000546 |
The organization stores backup copies of the information system inventory (including hardware, software, and firmware components) in a separate facility or in a fire-rated container that is not colocated with the operational system. |
|
|
|
|
|
|
|
| CCI-000547 |
The organization defines the time period and transfer rate of the information system backup information to the alternate storage site consistent with the recovery time and recovery point objectives. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as Continuously (Availability High )
24 hours (Availability Moderate)
7 days (Availability Low)
as defined in the contingency plan. |
DoD has defined the time period as Continuously (Availability High )
24 hours (Availability Moderate)
7 days (Availability Low)
as defined in the contingency plan. |
Information System Backup | Transfer To Alternate Storage Site |
CP-9 (5) |
CP-9(5).1 |
Information system backup information can be transferred to alternate storage sites either electronically or by physical shipment of storage media. |
The organization transfers information system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives]. |
| CCI-000548 |
The organization transfers information system backup information to the alternate storage site in accordance with the organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives. |
The organization conducting the inspection/assessment obtains and examines the contingency plan and related logs to ensure the organization transfers information system backup information to the alternate site Continuously (Availability High) 24 hours (Availability Moderate) 7 days (Availability Low) as defined in the contingency plan. |
The organization being inspected/assessed performs the transfer of information system backup information to the alternate site Continuously (Availability High)
24 hours (Availability Moderate)
7 days (Availability Low) as defined in the contingency plan. |
Information System Backup | Transfer To Alternate Storage Site |
CP-9 (5) |
CP-9(5).2 |
Information system backup information can be transferred to alternate storage sites either electronically or by physical shipment of storage media. |
The organization transfers information system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives]. |
| CCI-000549 |
The organization maintains a redundant secondary information system that is not collocated with the primary system. |
The organization conducting the inspection/assessment determines if the organization is maintaining a redundant, secondary backup system that is not co-located with the primary system. |
The organization being inspected/assessed establishes and maintains a redundant, secondary backup system that is not co-located with the primary system. |
Information System Backup | Redundant Secondary System |
CP-9 (6) |
CP-9(6).1 |
Related controls: CP-7, CP-10. |
The organization accomplishes information system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations. |
| CCI-001610 |
The organization defines the time period (by authenticator type) for changing/refreshing authenticators. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as CAC - every 3 years, or 1 year from term of contract
Password: 60 days
Biometrics: every 3 years. |
DoD has defined the time period as CAC - every 3 years, or 1 year from term of contract
Password: 60 days
Biometrics: every 3 years. |
Authenticator Management |
IA-5 |
IA-5.17 |
Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. |
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes. |
| CCI-001611 |
The organization defines the minimum number of special characters for password complexity enforcement. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the minimum number of special characters for password complexity enforcement as one special character. |
DoD has defined the minimum number of special characters for password complexity enforcement as one special character. |
Authenticator Management | Password-Based Authentication |
IA-5 (1) |
IA-5(1).5 |
This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. |
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
(c) Stores and transmits only cryptographically-protected passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. |
| CCI-001612 |
The organization defines the minimum number of upper case characters for password complexity enforcement. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the minimum number of upper case characters for password complexity enforcement as one upper-case character. |
DoD has defined the minimum number of upper case characters for password complexity enforcement as one upper-case character. |
Authenticator Management | Password-Based Authentication |
IA-5 (1) |
IA-5(1).6 |
This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. |
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
(c) Stores and transmits only cryptographically-protected passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. |
| CCI-001613 |
The organization defines the minimum number of lower case characters for password complexity enforcement. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the minimum number of lower case characters for password complexity enforcement as one lower-case character. |
DoD has defined the minimum number of lower case characters for password complexity enforcement as one lower-case character. |
Authenticator Management | Password-Based Authentication |
IA-5 (1) |
IA-5(1).7 |
This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. |
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
(c) Stores and transmits only cryptographically-protected passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. |
| CCI-001614 |
The organization defines the minimum number of numeric characters for password complexity enforcement. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the minimum number of numeric characters for password complexity enforcement as one numeric character. |
DoD has defined the minimum number of numeric characters for password complexity enforcement as one numeric character. |
Authenticator Management | Password-Based Authentication |
IA-5 (1) |
IA-5(1).8 |
This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. |
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
(c) Stores and transmits only cryptographically-protected passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. |
| CCI-001615 |
The organization defines the minimum number of characters that are changed when new passwords are created. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the minimum number of characters as 50% of the minimum password length. |
DoD has defined the minimum number of characters as 50% of the minimum password length. |
Authenticator Management | Password-Based Authentication |
IA-5 (1) |
IA-5(1).11 |
This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. |
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
(c) Stores and transmits only cryptographically-protected passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. |
| CCI-001616 |
The organization defines minimum password lifetime restrictions. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the minimum password lifetime restrictions as 24 hours. |
DoD has defined the minimum password lifetime restrictions as 24 hours. |
Authenticator Management | Password-Based Authentication |
IA-5 (1) |
IA-5(1).16 |
This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. |
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
(c) Stores and transmits only cryptographically-protected passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. |
| CCI-001617 |
The organization defines maximum password lifetime restrictions. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the maximum password lifetime restrictions as 60 days. |
DoD has defined the maximum password lifetime restrictions as 60 days. |
Authenticator Management | Password-Based Authentication |
IA-5 (1) |
IA-5(1).17 |
This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. |
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
(c) Stores and transmits only cryptographically-protected passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. |
| CCI-001618 |
The organization defines the number of generations for which password reuse is prohibited. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the number of generations as a minimum of 5. |
DoD has defined the number of generations as a minimum of 5. |
Authenticator Management | Password-Based Authentication |
IA-5 (1) |
IA-5(1).19 |
This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. |
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
(c) Stores and transmits only cryptographically-protected passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. |
| CCI-001619 |
The information system enforces password complexity by the minimum number of special characters used. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce password complexity by the minimum number of special characters used.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1619. |
The organization being inspected/assessed configures the information system to enforce password complexity by the minimum number of special characters used.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1619. |
Authenticator Management | Password-Based Authentication |
IA-5 (1) |
IA-5(1).9 |
This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. |
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
(c) Stores and transmits only cryptographically-protected passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. |
| CCI-001620 |
The organization defines the types of and/or specific authenticators for which the registration process must be carried out in person before a designated registration authority with authorization by a designated organizational official (e.g., a supervisor). |
|
|
|
|
|
|
|
| CCI-001621 |
The organization implements organization-defined security safeguards to manage the risk of compromise due to individuals having accounts on multiple information systems. |
The organization conducting the inspection/assessment obtains and examines the documented policies as well as training records to ensure that the organization being inspected/assessed implements policies and training advising users not to use the same password for any of the following:
Domains of differing classification levels.
More than one domain of a classification level (e.g., internal agency network and Intelink).
More than one privilege level (e.g., user, administrator). |
The organization being inspected/assessed documents and implements policies and user training including advising users not to use the same password for any of the following:
Domains of differing classification levels.
More than one domain of a classification level (e.g., internal agency network and Intelink).
More than one privilege level (e.g., user, administrator). |
Authenticator Management | Multiple Information System Accounts |
IA-5 (8) |
IA-5(8).2 |
When individuals have accounts on multiple information systems, there is the risk that the compromise of one account may lead to the compromise of other accounts if individuals use the same authenticators. Possible alternatives include, for example: (i) having different authenticators on all systems; (ii) employing some form of single sign-on mechanism; or (iii) including some form of one-time passwords on all systems. |
The organization implements [Assignment: organization-defined security safeguards] to manage the risk of compromise due to individuals having accounts on multiple information systems. |
| CCI-000175 |
The organization manages information system authenticators for users and devices by verifying, as part of the initial authenticator distribution, the identity of the individual and/or device receiving the authenticator. |
|
|
|
|
|
|
|
| CCI-000176 |
The organization manages information system authenticators by establishing initial authenticator content for authenticators defined by the organization. |
The organization conducting the inspection/assessment obtains and examines the documented procedures for setting initial authenticator content to ensure they have been defined. |
The organization being inspected/assessed defines and documents procedures for setting initial authenticator content. |
Authenticator Management |
IA-5 |
IA-5.2 |
Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. |
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes. |
| CCI-000177 |
The organization manages information system authenticators for users and devices by establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised, or damaged authenticators, and for revoking authenticators. |
|
|
|
|
|
|
|
| CCI-000178 |
The organization manages information system authenticators for users and devices by changing default content of authenticators upon information system installation. |
|
|
|
|
|
|
|
| CCI-000179 |
The organization manages information system authenticators by establishing minimum lifetime restrictions for authenticators. |
The organization conducting the inspection/assessment obtains and examines the documented minimum lifetime restrictions for authenticators to ensure they have been defined. |
The organization being inspected/assessed defines and documents minimum lifetime restrictions for authenticators. |
Authenticator Management |
IA-5 |
IA-5.13 |
Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. |
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes. |
| CCI-000180 |
The organization manages information system authenticators by establishing maximum lifetime restrictions for authenticators. |
Per IA-5, CCI 1610, DoD has established the maximum lifetime restrictions for authenticators as CAC - every 3 years, or 1 year from term of contract
Password: 60 days
Biometrics: every 3 years. |
Per IA-5, CCI 1610, DoD has established the maximum lifetime restrictions for authenticators as CAC - every 3 years, or 1 year from term of contract
Password: 60 days
Biometrics: every 3 years. |
Authenticator Management |
IA-5 |
IA-5.14 |
Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. |
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes. |
| CCI-000181 |
The organization manages information system authenticators by establishing reuse conditions for authenticators. |
The organization conducting the inspection/assessment obtains and examines the documented reuse conditions for authenticators to ensure they have been defined. |
The organization being inspected/assessed defines and documents the reuse conditions for authenticators. |
Authenticator Management |
IA-5 |
IA-5.15 |
Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. |
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes. |
| CCI-000182 |
The organization manages information system authenticators by changing/refreshing authenticators in accordance with the organization-defined time period by authenticator type. |
The organization conducting the inspection/assessment obtains and examines the documented procedures for authenticator change/refresh to ensure the procedures are defined.
The organization conducting the inspection/assessment obtains and examines a sampling of authenticator age data to ensure that authenticators are changed or refreshed in the following time periods:
CAC - every 3 years, or 1 year from term of contract
Password: 60 days
Biometrics: every 3 years.
DoD has defined the time period as CAC - every 3 years, or 1 year from term of contract
Password: 60 days
Biometrics: every 3 years. |
The organization being inspected/assessed documents and implements procedures for changing/refreshing authenticators in the following time periods:
CAC - every 3 years, or 1 year from term of contract
Password: 60 days
Biometrics: every 3 years.
DoD has defined the time period as CAC - every 3 years, or 1 year from term of contract
Password: 60 days
Biometrics: every 3 years. |
Authenticator Management |
IA-5 |
IA-5.16 |
Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. |
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes. |
| CCI-000183 |
The organization manages information system authenticators by protecting authenticator content from unauthorized disclosure. |
The organization conducting the inspection/assessment obtains and examines the documented procedures to protect authenticator content from unauthorized disclosure to ensure the procedures are defined. |
The organization being inspected/assessed documents and implements procedures to protect authenticator content from unauthorized disclosure. |
Authenticator Management |
IA-5 |
IA-5.19 |
Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. |
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes. |
| CCI-000184 |
The organization manages information system authenticators by requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators. |
|
|
|
|
|
|
|
| CCI-000185 |
The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to validate DoD-approved PKI credentials in accordance with RFC 5280.
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to perform a revocation check as part of the certificate validation process.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 185. |
The information system performing hardware token-based authentication must be configured to validate DoD-approved PKI credentials in accordance with RFC 5280.
The information system must be configured to perform a revocation check as part of the certificate validation process. Revocation checking may be performed using certificate revocation lists (CRLs) published by the issuing PKI or Online Certificate Status Protocol (OCSP) services.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 185. |
Authenticator Management | PKI-Based Authentication |
IA-5 (2) |
IA-5(2).1 |
Status information for certification paths includes, for example, certificate revocation lists or certificate status protocol responses. For PIV cards, validation of certifications involves the construction and verification of a certification path to the Common Policy Root trust anchor including certificate policy processing. Related control: IA-6. |
The information system, for PKI-based authentication:
(a) Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;
(b) Enforces authorized access to the corresponding private key;
(c) Maps the authenticated identity to the account of the individual or group; and
(d) Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network. |
| CCI-000186 |
The information system, for PKI-based authentication, enforces authorized access to the corresponding private key. |
The organization conducting the inspection/assessment examines the information system to ensure the information system does not contain any users' private keys.
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to store its own private key in a FIPS 140-2 validated cryptographic module. |
Information systems must not have access to users' private keys. The cryptographic container in which the private keys are stored (e.g. smart card or software module) implements access controls and protections to ensure that only the authorized user can activate the private key. DoD users agree to protect their PKI credentials in accordance with the DD-2842 agreement that is executed for each credential. They are reminded of these responsibilities in annual IA training.
The private key identifying the information system must be stored in a cryptographic container that is FIPS 140-2 validated. Only authorized information system operators should have access to activation data (e.g. password or PIN) for the private key. |
Authenticator Management | PKI-Based Authentication |
IA-5 (2) |
IA-5(2).2 |
Status information for certification paths includes, for example, certificate revocation lists or certificate status protocol responses. For PIV cards, validation of certifications involves the construction and verification of a certification path to the Common Policy Root trust anchor including certificate policy processing. Related control: IA-6. |
The information system, for PKI-based authentication:
(a) Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;
(b) Enforces authorized access to the corresponding private key;
(c) Maps the authenticated identity to the account of the individual or group; and
(d) Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network. |
| CCI-000187 |
The information system, for PKI-based authentication, maps the authenticated identity to the account of the individual or group. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to map authenticated PKI credentials to corresponding network or information system accounts or roles in accordance with DoDI 8520.03.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 187. |
The information system performing PKI-based authentication must be configured to map the authenticated PKI credential to a corresponding network or information system account or role in accordance with DoDI 8520.03.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 187. |
Authenticator Management | PKI-Based Authentication |
IA-5 (2) |
IA-5(2).3 |
Status information for certification paths includes, for example, certificate revocation lists or certificate status protocol responses. For PIV cards, validation of certifications involves the construction and verification of a certification path to the Common Policy Root trust anchor including certificate policy processing. Related control: IA-6. |
The information system, for PKI-based authentication:
(a) Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;
(b) Enforces authorized access to the corresponding private key;
(c) Maps the authenticated identity to the account of the individual or group; and
(d) Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network. |
| CCI-000188 |
The organization requires that the registration process to receive an organizational-defined type of authenticator be carried out in person before a designated registration authority with authorization by a designated organizational official (e.g., a supervisor). |
|
|
|
|
|
|
|
| CCI-000189 |
The organization employs automated tools to determine if authenticators are sufficiently strong to resist attacks intended to discover or otherwise compromise the authenticators. |
|
|
|
|
|
|
|
| CCI-000190 |
The organization requires vendors/manufacturers of information system components to provide unique authenticators or change default authenticators prior to delivery. |
|
|
|
|
|
|
|
| CCI-000191 |
The organization enforces password complexity by the number of special characters used. |
|
|
|
|
|
|
|
| CCI-000201 |
The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access. |
The organization conducting the inspection/assessment obtains and examines the documented procedures to ensure the organization being inspected/assessed protects authenticators commensurate with the security category of the information to which use of the authenticator permits access. |
The organization being inspected/assessed documents and implements procedures to protect authenticators commensurate with the security category of the information to which use of the authenticator permits access. |
Authenticator Management | Protection Of Authenticators |
IA-5 (6) |
IA-5(6).1 |
For information systems containing multiple security categories of information without reliable physical or logical separation between categories, authenticators used to grant access to the systems are protected commensurate with the highest security category of information on the systems. |
The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access. |
| CCI-000202 |
The organization ensures unencrypted static authenticators are not embedded in access scripts. |
The organization conducting the inspection/assessment obtains and examines the requirements that unencrypted static authenticators not be embedded in access scripts to ensure the organization being inspected/assessed ensures unencrypted static authenticators are not embedded in access scripts. |
The organization being inspected/assessed documents and implements requirements that unencrypted static authenticators not be embedded in access scripts. |
Authenticator Management | No Embedded Unencrypted Static Authenticators |
IA-5 (7) |
IA-5(7).1 |
Organizations exercise caution in determining whether embedded or stored authenticators are in encrypted or unencrypted form. If authenticators are used in the manner stored, then those representations are considered unencrypted authenticators. This is irrespective of whether that representation is perhaps an encrypted version of something else (e.g., a password). |
The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys. |
| CCI-000204 |
The organization defines the security safeguards required to manage the risk of compromise due to individuals having accounts on multiple information systems. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the security safeguards as
policies and user training including advising users not to use the same password for any of the following:
Domains of differing classification levels.
More than one domain of a classification level (e.g., internal agency network and Intelink).
More than one privilege level (e.g., user, administrator). |
DoD has defined the security safeguards as
policies and user training including advising users not to use the same password for any of the following:
Domains of differing classification levels.
More than one domain of a classification level (e.g., internal agency network and Intelink).
More than one privilege level (e.g., user, administrator). |
Authenticator Management | Multiple Information System Accounts |
IA-5 (8) |
IA-5(8).1 |
When individuals have accounts on multiple information systems, there is the risk that the compromise of one account may lead to the compromise of other accounts if individuals use the same authenticators. Possible alternatives include, for example: (i) having different authenticators on all systems; (ii) employing some form of single sign-on mechanism; or (iii) including some form of one-time passwords on all systems. |
The organization implements [Assignment: organization-defined security safeguards] to manage the risk of compromise due to individuals having accounts on multiple information systems. |
| CCI-000192 |
The information system enforces password complexity by the minimum number of upper case characters used. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce password complexity by the minimum number of upper case characters used.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 192. |
The organization being inspected/assessed configures the information system to enforce password complexity by the minimum number of upper case characters used.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 192. |
Authenticator Management | Password-Based Authentication |
IA-5 (1) |
IA-5(1).1 |
This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. |
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
(c) Stores and transmits only cryptographically-protected passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. |
| CCI-000193 |
The information system enforces password complexity by the minimum number of lower case characters used. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce password complexity by the minimum number of lower case characters used.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 193. |
The organization being inspected/assessed configures the information system to enforce password complexity by the minimum number of lower case characters used.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 193. |
Authenticator Management | Password-Based Authentication |
IA-5 (1) |
IA-5(1).2 |
This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. |
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
(c) Stores and transmits only cryptographically-protected passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. |
| CCI-000194 |
The information system enforces password complexity by the minimum number of numeric characters used. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce password complexity by the minimum number of numeric characters used.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 194. |
The organization being inspected/assessed configures the information system to enforce password complexity by the minimum number of numeric characters used.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 194. |
Authenticator Management | Password-Based Authentication |
IA-5 (1) |
IA-5(1).4 |
This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. |
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
(c) Stores and transmits only cryptographically-protected passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. |
| CCI-000195 |
The information system, for password-based authentication, when new passwords are created, enforces that at least an organization-defined number of characters are changed. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce that at least 50% of the minimum password length is changed.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 195.
DoD has defined the minimum number of characters as 50% of the minimum password length. |
The organization being inspected/assessed configures the information system to enforce that at least 50% of the minimum password length is changed.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 195.
DoD has defined the minimum number of characters as 50% of the minimum password length. |
Authenticator Management | Password-Based Authentication |
IA-5 (1) |
IA-5(1).10 |
This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. |
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
(c) Stores and transmits only cryptographically-protected passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. |
| CCI-000196 |
The information system, for password-based authentication, stores only cryptographically-protected passwords. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to store only encrypted representations of passwords.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 196. |
The organization being inspected/assessed configures the information system to store only encrypted representations of passwords.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 196. |
Authenticator Management | Password-Based Authentication |
IA-5 (1) |
IA-5(1).12 |
This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. |
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
(c) Stores and transmits only cryptographically-protected passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. |
| CCI-000197 |
The information system, for password-based authentication, transmits only cryptographically-protected passwords. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to transmit only encrypted representations of passwords.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 197. |
The organization being inspected/assessed configures the information system to transmit only encrypted representations of passwords.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 197. |
Authenticator Management | Password-Based Authentication |
IA-5 (1) |
IA-5(1).13 |
This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. |
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
(c) Stores and transmits only cryptographically-protected passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. |
| CCI-000198 |
The information system enforces minimum password lifetime restrictions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce minimum password lifetime restrictions.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 198. |
The organization being inspected/assessed configures the information system to enforce minimum password lifetime restrictions.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 198. |
Authenticator Management | Password-Based Authentication |
IA-5 (1) |
IA-5(1).14 |
This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. |
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
(c) Stores and transmits only cryptographically-protected passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. |
| CCI-000199 |
The information system enforces maximum password lifetime restrictions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce maximum password lifetime restrictions.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 199. |
The organization being inspected/assessed configures the information system to enforce maximum password lifetime restrictions.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 199. |
Authenticator Management | Password-Based Authentication |
IA-5 (1) |
IA-5(1).15 |
This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. |
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
(c) Stores and transmits only cryptographically-protected passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. |
| CCI-000200 |
The information system prohibits password reuse for the organization-defined number of generations. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prohibit reuse for a minimum of 5 generations.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 200.
DoD has defined the number of generations as a minimum of 5. |
The organization being inspected/assessed configures the information system to prohibit reuse for a minimum of 5 generations.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 200.
DoD has defined the number of generations as a minimum of 5. |
Authenticator Management | Password-Based Authentication |
IA-5 (1) |
IA-5(1).18 |
This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. |
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
(c) Stores and transmits only cryptographically-protected passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. |
| CCI-000203 |
The organization ensures unencrypted static authenticators are not stored on function keys. |
The organization conducting the inspection/assessment obtains and examines the requirements that unencrypted static authenticators not be stored on function keys to ensure the organization being inspected/assessed ensures unencrypted static authenticators are not stored on function keys. |
The organization being inspected/assessed documents and implements requirements that unencrypted static authenticators not be stored on function keys. |
Authenticator Management | No Embedded Unencrypted Static Authenticators |
IA-5 (7) |
IA-5(7).2 |
Organizations exercise caution in determining whether embedded or stored authenticators are in encrypted or unencrypted form. If authenticators are used in the manner stored, then those representations are considered unencrypted authenticators. This is irrespective of whether that representation is perhaps an encrypted version of something else (e.g., a password). |
The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys. |
| CCI-000205 |
The information system enforces minimum password length. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce minimum password length.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 205. |
The organization being inspected/assessed configures the information system to enforce minimum password length.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 205. |
Authenticator Management | Password-Based Authentication |
IA-5 (1) |
IA-5(1).3 |
This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. |
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
(c) Stores and transmits only cryptographically-protected passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. |
| CCI-001544 |
The organization manages information system authenticators by ensuring that authenticators have sufficient strength of mechanism for their intended use. |
The organization conducting the inspection/assessment obtains and examines documented authenticator strength mechanisms to ensure that they are defined and that the mechanisms have sufficient strength for the intended use of the authenticators. |
The organization being inspected/assessed documents and implements authenticator strength mechanisms sufficient for the intended use of the authenticators. |
Authenticator Management |
IA-5 |
IA-5.3 |
Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. |
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes. |
| CCI-001622 |
The organization identifies personnel with incident response roles and responsibilities with respect to the information system. |
|
|
|
|
|
|
|
| CCI-001623 |
The incident response training material addresses the procedures and activities necessary to fulfill identified organizational incident response roles and responsibilities. |
|
|
|
|
|
|
|
| CCI-000813 |
The organization provides incident response training to information system users consistent with assigned roles and responsibilities within an organization-defined time period of assuming an incident response role or responsibility. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as training records for a sampling of information system users to ensure the organization being inspected/assessed provides incident response training to information system users consistent with assigned roles and responsibilities within 30 working days of assuming an incident response role or responsibility.
DoD has defined the time period as 30 working days. |
The organization being inspected/assessed documents and implement a process to provide incident response training to information system users consistent with assigned roles and responsibilities within 30 working days of assuming an incident response role or responsibility.
The organization must maintain a record of training.
DoD has defined the time period as 30 working days. |
Incident Response Training |
IR-2 |
IR-2.1 |
Incident response training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the information system; system administrators may require additional training on how to handle/remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification and reporting of suspicious activities, both from external and internal sources. Related controls: AT-3, CP-3, IR-8. |
The organization provides incident response training to information system users consistent with assigned roles and responsibilities:
a. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter. |
| CCI-000814 |
The organization provides incident response training in accordance with organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as training records for a sampling of information system users to ensure the organization being inspected/assessed provides incident response training to information system users, other than general users, consistent with assigned roles and responsibilities annually.
For general users, DoD components are automatically compliant with the requirement based on DoDD 8570.01 requirements for IA awareness training.
DoD has defined the frequency as annually. |
The organization being inspected/assessed documents and implements a process to provide incident response training to information system users, other than general users, consistent with assigned roles and responsibilities annually.
For general users, DoD components are automatically compliant with the requirement based on DoDD 8570.01 requirements for IA awareness training.
The organization must maintain a record of training.
DoD has defined the frequency as annually.
|
Incident Response Training |
IR-2 |
IR-2.3 |
Incident response training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the information system; system administrators may require additional training on how to handle/remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification and reporting of suspicious activities, both from external and internal sources. Related controls: AT-3, CP-3, IR-8. |
The organization provides incident response training to information system users consistent with assigned roles and responsibilities:
a. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter. |
| CCI-000815 |
The organization defines a frequency for incident response training. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as annually. |
DoD has defined the frequency as annually. |
Incident Response Training |
IR-2 |
IR-2.4 |
Incident response training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the information system; system administrators may require additional training on how to handle/remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification and reporting of suspicious activities, both from external and internal sources. Related controls: AT-3, CP-3, IR-8. |
The organization provides incident response training to information system users consistent with assigned roles and responsibilities:
a. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter. |
| CCI-000816 |
The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations. |
The organization conducting the inspection/assessment obtains and examines incident response training materials and a record of training events to ensure that simulated events have been included. |
The organization being inspected/assessed will document a process to include simulated events into incident response training to facilitate effective response by personnel in crisis situations.
The process to include simulated events shall be documented IAW CJCSI 6510.01F, CJCSM 6510.01B, DoDD O-8530.1, and DoDI O-8530.2.
The organization must maintain a record of incident response training to include simulated events. |
Incident Response Training | Simulated Events |
IR-2 (1) |
IR-2(1).1 |
|
The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations. |
| CCI-000817 |
The organization employs automated mechanisms to provide a more thorough and realistic incident response training environment. |
The organization conducting the inspection/assessment obtains and examines the automated mechanism such as scenario-based interactive online training/CBT to verify that it provides a realistic incident response training environment. |
The organization being inspected/assessed employs an automated mechanism such as scenario-based interactive online training/CBT providing a realistic incident response training environment. |
Incident Response Training | Automated Training Environments |
IR-2 (2) |
IR-2(2).1 |
|
The organization employs automated mechanisms to provide a more thorough and realistic incident response training environment. |
| CCI-001624 |
The organization documents the results of incident response tests. |
The organization conducting the inspection/assessment obtains and examines:
1. the organization's incident response plan to identify organization's testing schedule and,
2. results of previous incident response tests to ensure the organization is documenting the results IAW their incident response plan. |
The organization being inspected/assessed will document the results of incident response tests. |
Incident Response Testing |
IR-3 |
IR-3.4 |
Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response. Related controls: CP-4, IR-8. |
The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to
determine the incident response effectiveness and documents the results. |
| CCI-000818 |
The organization tests the incident response capability for the information system on an organization-defined frequency using organization-defined tests to determine the incident response effectiveness. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of test results to ensure the organization being inspected/assessed tests its incident response capability for the information system at least every six months for high availability and at least annually for low/med availability using tests and as defined in the incident response plan.
DoD has defined the frequency as at least every six months for high availability and at least annually for low/med availability.
DoD has defined the tests as tests as defined in the incident response plan. |
The organization being inspected/assessed documents and implements a process to test its incident response capability for the information system at least every six months for high availability and at least annually for low/med availability using tests and as defined in the incident response plan.
The organization must maintain a record of test results.
DoD has defined the frequency as at least every six months for high availability and at least annually for low/med availability.
DoD has defined the tests as tests as defined in the incident response plan. |
Incident Response Testing |
IR-3 |
IR-3.1 |
Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response. Related controls: CP-4, IR-8. |
The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to
determine the incident response effectiveness and documents the results. |
| CCI-000819 |
The organization defines a frequency for incident response tests. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as at least every six months for high availability and at least annually for low/med availability. |
DoD has defined the frequency as at least every six months for high availability and at least annually for low/med availability. |
Incident Response Testing |
IR-3 |
IR-3.2 |
Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response. Related controls: CP-4, IR-8. |
The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to
determine the incident response effectiveness and documents the results. |
| CCI-000820 |
The organization defines tests for incident response. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the tests as tests as defined in the incident response plan. |
DoD has defined the tests as tests as defined in the incident response plan. |
Incident Response Testing |
IR-3 |
IR-3.3 |
Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response. Related controls: CP-4, IR-8. |
The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to
determine the incident response effectiveness and documents the results. |
| CCI-000821 |
The organization employs automated mechanisms to more thoroughly and effectively test the incident response capability. |
The organization conducting the inspection/assessment obtains and examines the identified automated mechanisms in use to test the incident response capability for the information system. |
The organization being inspected/assessed will identify and employ automated mechanisms to test the incident response capability for the information system. |
Incident Response Testing | Automated Testing |
IR-3 (1) |
IR-3(1).1 |
Organizations use automated mechanisms to more thoroughly and effectively test incident response capabilities, for example: (i) by providing more complete coverage of incident response issues; (ii) by selecting more realistic test scenarios and test environments; and (iii) by stressing the response capability. Related control: AT-2. |
The organization employs automated mechanisms to more thoroughly and effectively test the incident response capability. |
| CCI-001625 |
The organization implements the resulting incident handling activity changes to incident response procedures, training, and testing/exercises accordingly. |
The organization conducting the inspection/assessment obtains and examines
recent changes to the incident response plan (based on IR-4, CCI 000824) to verify that they have been disseminated and reviews the most recent after action report to ensure that changes have been followed.
|
The organization being inspected/assessed will
follow the latest incident response plan (IR-8) that has been revised (based on IR-4, CCI-000824) and disseminated.
|
Incident Handling |
IR-4 |
IR-4.4 |
Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function). Related controls: AU-6, CM-6, CP-2, CP-4, IR-2, IR-3, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7. |
The organization:
a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
b. Coordinates incident handling activities with contingency planning activities; and
c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly. |
| CCI-000822 |
The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery. |
The organization conducting the inspection/assessment obtains and examines the documentation identifying the CNDSP leveraged as well as the documented procedures for incident handling to ensure that there is a certified CNDSP in use and that there are procedures implemented to handle incidents until they are transferred to the responsibility of the CNDSP.
|
The organization being inspected/assessed must have a documented and certified CNDSP and documented procedures for information system users and site security personnel to handle incidents until they are transferred to the responsibility of the CNDSP.
|
Incident Handling |
IR-4 |
IR-4.1 |
Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function). Related controls: AU-6, CM-6, CP-2, CP-4, IR-2, IR-3, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7. |
The organization:
a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
b. Coordinates incident handling activities with contingency planning activities; and
c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly. |
| CCI-000823 |
The organization coordinates incident handling activities with contingency planning activities. |
The organization conducting the inspection/assessment obtains and examines the incident response plan (IR-8) and contingency plan (CP-2) to ensure they allow for an effective transfer of information system activity and maintain confidentiality and integrity of the contigency assets.
|
The organization being inspected/assessed will coordinate the incident response plan (IR-8) and contingency plan (CP-2) to ensure they allow for an effective transfer of information system activity and maintain confidentiality and integrity of the contigency assets.
|
Incident Handling |
IR-4 |
IR-4.2 |
Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function). Related controls: AU-6, CM-6, CP-2, CP-4, IR-2, IR-3, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7. |
The organization:
a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
b. Coordinates incident handling activities with contingency planning activities; and
c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly. |
| CCI-000824 |
The organization incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises. |
The organization conducting the inspection/assessment obtains and examines after action reports or meeting minutes to identify actionable lessons learned to verify that lessons learned are incorporated into the plan as changes are necessary. |
The organization being inspected/assessed will conduct after action reviews from incidents to identify lessons learned and will incorporate them into procedures, training, and testing/exercises.
The organization must maintain records of after action reviews. |
Incident Handling |
IR-4 |
IR-4.3 |
Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function). Related controls: AU-6, CM-6, CP-2, CP-4, IR-2, IR-3, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7. |
The organization:
a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
b. Coordinates incident handling activities with contingency planning activities; and
c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly. |
| CCI-000825 |
The organization employs automated mechanisms to support the incident handling process. |
The organization conducting the inspection/assessment obtains and examines the incident handling plan to ensure that there are procedures identified to leverage the JIMS. |
The organization being inspected/assessed will document within their incident handling plan, procedures to leverage the Joint Incident Management System (JIMS).
For the DoD, JIMS is the automated mechanism. |
Incident Handling | Automated Incident Handling Processes |
IR-4 (1) |
IR-4(1).1 |
Automated mechanisms supporting incident handling processes include, for example, online incident management systems. |
The organization employs automated mechanisms to support the incident handling process. |
| CCI-000826 |
The organization includes dynamic reconfiguration of organization-defined information system components as part of the incident response capability. |
The organization conducting the inspection/assessment obtains and examines the incident response plan and verifies it has procedures addressing dynamic reconfiguration of information system components defined in IR-4 (2), CCI 2781 as part of the incident response capability IAW CM-3. |
The organization being inspected/assessed will ensure that their incident response plan includes procedures for dynamic reconfiguration of information system components defined in IR-4 (2), CCI 2781 as part of the incident response capability IAW CM-3.
Dynamic reconfiguration bypasses the organization's standard CCB process and may include, for example, changes to router rules, access control lists, intrusion detection/prevention systems, firewalls, etc. Organizations will have procedures to examine dynamic reconfiguration changes at the earliest opportunity IAW CCB. |
Incident Handling | Dynamic Reconfiguration |
IR-4 (2) |
IR-4(2).1 |
Dynamic reconfiguration includes, for example, changes to router rules, access control lists, intrusion detection/prevention system parameters, and filter rules for firewalls and gateways. Organizations perform dynamic reconfiguration of information systems, for example, to stop attacks, to misdirect attackers, and to isolate components of systems, thus limiting the extent of the damage from breaches or compromises. Organizations include time frames for achieving the reconfiguration of information systems in the definition of the reconfiguration capability, considering the potential need for rapid response in order to effectively address sophisticated cyber threats. Related controls: AC-2, AC-4, AC-16, CM-2, CM-3, CM-4. |
The organization includes dynamic reconfiguration of [Assignment: organization-defined information system components] as part of the incident response capability. |
| CCI-000827 |
The organization defines and identifies classes of incidents for which organization-defined actions are to be taken to ensure continuation of organizational mission and business functions. |
CJCSM 6510.01B has already identified DoD's classes of incidents.
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the classes of incidents as classes of incidents defined in CJCSM 6510.01B Appendix A- Enclosure B.6510.01M |
CJCSM 6510.01B has already identified DoD's classes of incidents.
DoD Components are automatically compliant with this CCI because DoD has defined the classes of incidents as classes of incidents defined in CJCSM 6510.01B Appendix A- Enclosure B. |
Incident Handling | Continuity Of Operations |
IR-4 (3) |
IR-4(3).1 |
Classes of incidents include, for example, malfunctions due to design/implementation errors and omissions, targeted malicious attacks, and untargeted malicious attacks. Appropriate incident response actions include, for example, graceful degradation, information system shutdown, fall back to manual mode/alternative technology whereby the system operates differently, employing deceptive measures, alternate information flows, or operating in a mode that is reserved solely for when systems are under attack. |
The organization identifies [Assignment: organization-defined classes of incidents] and [Assignment: organization-defined actions to take in response to classes of incidents] to ensure continuation of organizational missions and business functions. |
| CCI-000828 |
The organization defines and identifies actions to take in response to organization-defined classes of incidents to ensure continuation of organizational missions and business functions. |
CJCSM 6510.01B has already identified DoD's actions to take in response to classes of incidents.
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the actions as actions defined in CJCSM 6510.01B. |
CJCSM 6510.01B has already identified DoD's actions to take in response to classes of incidents.
DoD Components are automatically compliant with this CCI because DoD has defined the actions as actions defined in CJCSM 6510.01B. |
Incident Handling | Continuity Of Operations |
IR-4 (3) |
IR-4(3).2 |
Classes of incidents include, for example, malfunctions due to design/implementation errors and omissions, targeted malicious attacks, and untargeted malicious attacks. Appropriate incident response actions include, for example, graceful degradation, information system shutdown, fall back to manual mode/alternative technology whereby the system operates differently, employing deceptive measures, alternate information flows, or operating in a mode that is reserved solely for when systems are under attack. |
The organization identifies [Assignment: organization-defined classes of incidents] and [Assignment: organization-defined actions to take in response to classes of incidents] to ensure continuation of organizational missions and business functions. |
| CCI-000829 |
The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response. |
The organization conducting the inspection/assessment obtains and examines proof of the analysis (such as minutes from an incident response after action meeting or other similar activity) to ensure that incident information is being examined and correlated.
|
The organization being inspected/assessed defines procedures to examine incident information gathered and the actual actions taken by both the individuals affected and the incident response personnel. These procedures shall be defined IAW CJCSM 6510.01B. The end goal is to achieve a top level perspective of the effectiveness of the incident response and awareness.
|
Incident Handling | Information Correlation |
IR-4 (4) |
IR-4(4).1 |
Sometimes the nature of a threat event, for example, a hostile cyber attack, is such that it can only be observed by bringing together information from different sources including various reports and reporting procedures established by organizations. |
The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response. |
| CCI-000830 |
The organization defines security violations that, if detected, initiate a configurable capability to automatically disable the information system. |
The organization conducting the inspection/assessment obtains and examines the list of documented security violations to ensure the organization has clearly identified those violations that initiate an automated disabling or shut down of the information system.
DoD has determined the security violations are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and document a list of security violations that upon occurrence initiate an automated action to disable or shutdown the information system.
Violations may be identified by specific activity or by class/type of activity.
DoD has determined the security violations are not appropriate to define at the Enterprise level. |
Incident Handling | Automatic Disabling Of Information System |
IR-4 (5) |
IR-4(5).1 |
|
The organization implements a configurable capability to automatically disable the information system if [Assignment: organization-defined security violations] are detected. |
| CCI-000831 |
The organization implements a configurable capability to automatically disable the information system if organization-defined security violations are detected. |
The organization conducting the inspection/assessment examines the information system to ensure an automated mechanism is configured to disable or shutdown the information system based on the identified security violations (IR-4 (5), CCI 000830).
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 831. |
The organization being inspected/assessed will clearly identify, document, and implement a configurable automated mechanism (or mechanisms) that utilizes the list of security violations identified in IR-4 (5), CCI 000830 to disable or shutdown the information system.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 831.
|
Incident Handling | Automatic Disabling Of Information System |
IR-4 (5) |
IR-4(5).2 |
|
The organization implements a configurable capability to automatically disable the information system if [Assignment: organization-defined security violations] are detected. |
| CCI-001626 |
The organization employs automated mechanisms to assist in the collection of security incident information. |
The organization conducting the inspection/assessment obtains and examines the incident handling plan to ensure that there are procedures identified to leverage the JIMS. |
The organization being inspected/assessed will document within their incident handling plan, procedures to leverage the Joint Incident Management System (JIMS).
For the DoD, JIMS is the automated mechanism. |
Incident Monitoring | Automated Tracking / Data Collection / Analysis |
IR-5 (1) |
IR-5(1).2 |
Automated mechanisms for tracking security incidents and collecting/analyzing incident information include, for example, the Einstein network monitoring device and monitoring online Computer Incident Response Centers (CIRCs) or other electronic databases of incidents. Related controls: AU-7, IR-4. |
The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information. |
| CCI-001627 |
The organization employs automated mechanisms to assist in the analysis of security incident information. |
The organization conducting the inspection/assessment obtains and examines the incident handling plan to ensure that there are procedures identified to leverage the JIMS. |
The organization being inspected/assessed will document within their incident handling plan, procedures to leverage the Joint Incident Management System (JIMS).
For the DoD, JIMS is the automated mechanism. |
Incident Monitoring | Automated Tracking / Data Collection / Analysis |
IR-5 (1) |
IR-5(1).3 |
Automated mechanisms for tracking security incidents and collecting/analyzing incident information include, for example, the Einstein network monitoring device and monitoring online Computer Incident Response Centers (CIRCs) or other electronic databases of incidents. Related controls: AU-7, IR-4. |
The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information. |
| CCI-000832 |
The organization tracks and documents information system security incidents. |
The organization conducting the inspection/assessment obtains and examines the incident handling plan to ensure that there are procedures identified to leverage the JIMS. |
The organization being inspected/assessed will document within their incident handling plan, procedures to leverage the Joint Incident Management System (JIMS).
For the DoD, JIMS is the automated mechanism. |
Incident Monitoring |
IR-5 |
IR-5.1 |
Documenting information system security incidents includes, for example, maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including, for example, incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. Related controls: AU-6, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7. |
The organization tracks and documents information system security incidents. |
| CCI-000833 |
The organization employs automated mechanisms to assist in the tracking of security incidents. |
The organization conducting the inspection/assessment obtains and examines the incident handling plan to ensure that there are procedures identified to leverage the JIMS. |
The organization being inspected/assessed will document within their incident handling plan, procedures to leverage the Joint Incident Management System (JIMS).
For the DoD, JIMS is the automated mechanism. |
Incident Monitoring | Automated Tracking / Data Collection / Analysis |
IR-5 (1) |
IR-5(1).1 |
Automated mechanisms for tracking security incidents and collecting/analyzing incident information include, for example, the Einstein network monitoring device and monitoring online Computer Incident Response Centers (CIRCs) or other electronic databases of incidents. Related controls: AU-7, IR-4. |
The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information. |
| CCI-001628 |
The organization defines a frequency with which to review and update the current system maintenance procedures. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as annually. |
DoD has defined the frequency as annually. |
System Maintenance Policy And Procedures |
MA-1 |
MA-1.10 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and
b. Reviews and updates the current:
1. System maintenance policy [Assignment: organization-defined frequency]; and
2. System maintenance procedures [Assignment: organization-defined frequency]. |
| CCI-000854 |
The organization reviews and updates the current system maintenance policy in accordance with organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines documentation of occurrence of reviews and update actions for the maintenance policy to ensure review is occurring every 5 years and updates are made as necessary.
DoD has defined the frequency as every 5 years. |
The organization being inspected/assessed reviews the current system maintenance policy every 5 years and revises as necessary to comply with DoD regulations.
The organization must document each occurrence of the reviews and update actions as an audit trail.
DoD has defined the frequency as every 5 years. |
System Maintenance Policy And Procedures |
MA-1 |
MA-1.8 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and
b. Reviews and updates the current:
1. System maintenance policy [Assignment: organization-defined frequency]; and
2. System maintenance procedures [Assignment: organization-defined frequency]. |
| CCI-000855 |
The organization develops and documents procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls. |
The organization conducting the inspection/assessment obtains and examines the Security Plan to ensure maintenance procedures are documented and are developed IAW maintenance policy provided in DoDI 8500.01..
|
The organization being inspected/assessed documents the maintenance procedures within the Security Plan. The maintenance procedures shall be developed IAW maintenance policy provided in DoDI 8500.01.. |
System Maintenance Policy And Procedures |
MA-1 |
MA-1.5 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and
b. Reviews and updates the current:
1. System maintenance policy [Assignment: organization-defined frequency]; and
2. System maintenance procedures [Assignment: organization-defined frequency]. |
| CCI-000856 |
The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls. |
The organization conducting the inspection/assessment examines the maintenance procedures via the inspected organization's information sharing capability (e.g. portal, intranet, email, etc.) to ensure it has been disseminated to the SCA, ISSO, and maintenance personnel as needed by role in maintaining the system.
DoD has defined the personnel or roles as the SCA, ISSO, and maintenance personnel as needed by role in maintaining the system. |
The organization being inspected/assessed ensures the maintenance procedures are disseminated to the SCA, ISSO, and maintenance personnel as needed by role in maintaining the system via an information sharing capability.
DoD has defined the personnel or roles as the SCA, ISSO, and maintenance personnel as needed by role in maintaining the system. |
System Maintenance Policy And Procedures |
MA-1 |
MA-1.6 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and
b. Reviews and updates the current:
1. System maintenance policy [Assignment: organization-defined frequency]; and
2. System maintenance procedures [Assignment: organization-defined frequency]. |
| CCI-000857 |
The organization reviews and updates the current system maintenance procedures in accordance with organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines documentation of occurrence of reviews and update actions for the maintenance procedures to ensure annual review and necessary updates are occurring.
DoD has defined the frequency as annually. |
The organization being inspected/assessed reviews the current system maintenance procedures annually and revises as needed to comply with DoD regulations.
The organization must document each occurrence of the reviews and update actions as an audit trail.
DoD has defined the frequency as annually. |
System Maintenance Policy And Procedures |
MA-1 |
MA-1.9 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and
b. Reviews and updates the current:
1. System maintenance policy [Assignment: organization-defined frequency]; and
2. System maintenance procedures [Assignment: organization-defined frequency]. |
| CCI-000851 |
The organization defines the frequency with which to review and update the current system maintenance policy. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as every 5 years. |
DoD has defined the frequency as every 5 years. |
System Maintenance Policy And Procedures |
MA-1 |
MA-1.7 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and
b. Reviews and updates the current:
1. System maintenance policy [Assignment: organization-defined frequency]; and
2. System maintenance procedures [Assignment: organization-defined frequency]. |
| CCI-000852 |
The organization develops and documents a system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
The organization conducting the inspection/assessment obtains and examines the documented maintenance policy to ensure the organization being inspected/assessed develops and documents a system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
The organization being inspected/assessed develops and documents a system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
System Maintenance Policy And Procedures |
MA-1 |
MA-1.3 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and
b. Reviews and updates the current:
1. System maintenance policy [Assignment: organization-defined frequency]; and
2. System maintenance procedures [Assignment: organization-defined frequency]. |
| CCI-000853 |
The organization disseminates to organization-defined personnel or roles a system maintenance policy. |
The organization conducting the inspection/assessment obtains and examines the maintenance policy via the inspected organization's information sharing capability (e.g. portal, intranet, email, etc.) to ensure it has been disseminated to the SCA, ISSO, and maintenance personnel as needed by role in maintaining the system.
DoD has defined the personnel or roles as the SCA, ISSO, and maintenance personnel as needed by role in maintaining the system.
|
The organization being inspected/assessed ensures the maintenance policy is disseminated to the SCA, ISSO, and maintenance personnel as needed by role in maintaining the system.
DoD has defined the personnel or roles as the SCA, ISSO, and maintenance personnel as needed by role in maintaining the system. |
System Maintenance Policy And Procedures |
MA-1 |
MA-1.4 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and
b. Reviews and updates the current:
1. System maintenance policy [Assignment: organization-defined frequency]; and
2. System maintenance procedures [Assignment: organization-defined frequency]. |
| CCI-001629 |
The organization employs automated mechanisms to produce up-to-date, accurate, complete, and available records of all maintenance and repair actions needed, in process, and complete. |
|
|
|
|
|
|
|
| CCI-000858 |
The organization schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements. |
|
|
|
|
|
|
|
| CCI-000859 |
The organization approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location. |
The organization conducting the inspection/assessment obtains and examines records of all approvals and monitoring activities to ensure the organization being inspected/assessed approves and monitors all maintenance activities whether performed on site or remotely and whether the equipment is serviced on site or removed to another location. |
The organization being inspected/assessed approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location.
The organization must maintain records of all approvals and monitoring activities. |
Controlled Maintenance |
MA-2 |
MA-2.9 |
This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2. |
The organization:
a. Schedules, performs, documents, and reviews records of, maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and /or organizational requirements;
b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
c. Requires that [Assignment: organization-defined personnel] explicitly approve the removal of the information system or system components from organizational facilities for off-site
maintenance or repairs;
d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;
e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and
f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records. |
| CCI-000860 |
The organization requires that organization-defined personnel or roles explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs. |
The organization conducting the inspection/assessment obtains and examines: 1. the organization's risk management strategy to ensure the personnel or roles defined in MA-2, CCI 2874 have been designated to approve the removal of the information system or system components;
2. and written records of approval for the removal of the information system or system components from organizational facilities for off-site maintenance or repairs to ensure the removal is explicitly approved. |
The organization being inspected/assessed documents within their risk management strategy personnel or roles defined in MA-2, CCI 2874 who must explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs.
The organization must maintain written records of approval for the removal of the information system or system components from organizational facilities for off-site maintenance or repairs. |
Controlled Maintenance |
MA-2 |
MA-2.10 |
This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2. |
The organization:
a. Schedules, performs, documents, and reviews records of, maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and /or organizational requirements;
b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
c. Requires that [Assignment: organization-defined personnel] explicitly approve the removal of the information system or system components from organizational facilities for off-site
maintenance or repairs;
d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;
e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and
f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records. |
| CCI-000861 |
The organization sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs. |
The organization conducting the inspection/assessment obtains and examines written records of media sanitization to ensure the organization sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs. |
The organization being inspected/assessed sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs IAW DoDM 5200.01-V3 for classified media and DoDM 5200.01-V4 for unclassified media.
The organization must maintain written records of media sanitization. |
Controlled Maintenance |
MA-2 |
MA-2.12 |
This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2. |
The organization:
a. Schedules, performs, documents, and reviews records of, maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and /or organizational requirements;
b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
c. Requires that [Assignment: organization-defined personnel] explicitly approve the removal of the information system or system components from organizational facilities for off-site
maintenance or repairs;
d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;
e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and
f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records. |
| CCI-000862 |
The organization checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions. |
The organization conducting the inspection/assessment obtains and examines documented evidence of the verification of security controls following maintenance and repair actions to ensure that the organization being inspected/assessed checks all potentially impacted security controls to verify that they are still functioning properly. |
The organization being inspected/assessed identifies and documents the impacted security controls and takes steps to verify that the controls are still functioning properly following maintenance or repair actions. |
Controlled Maintenance |
MA-2 |
MA-2.13 |
This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2. |
The organization:
a. Schedules, performs, documents, and reviews records of, maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and /or organizational requirements;
b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
c. Requires that [Assignment: organization-defined personnel] explicitly approve the removal of the information system or system components from organizational facilities for off-site
maintenance or repairs;
d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;
e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and
f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records. |
| CCI-000863 |
The organization maintains maintenance records for the information system that include the date and time of maintenance, the name of the individual performing the maintenance, the name of escort, if necessary, a description of the maintenance performed, and a list of equipment removed or replaced (including identification numbers, if applicable). |
|
|
|
|
|
|
|
| CCI-000864 |
The organization employs automated mechanisms to schedule, conduct, and document maintenance and repairs as required. |
|
|
|
|
|
|
|
| CCI-001630 |
Designated organizational personnel review the maintenance records of the non-local maintenance and diagnostic sessions. |
|
|
|
|
|
|
|
| CCI-001631 |
The organization, before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system. |
The organization conducting the inspection/assessment obtains and examines maintenance procedures for all non-local maintenance and diagnostic services to ensure that the organization being inspected/assessed sanitizes and inspects serviced components prior to reusing them on any information system.
Alternatively, the organization conducting the inspection/assessment ensures the organization being inspected/assessed complies with MA-4 (3) CCI 882. |
The organization being inspected/assessed sanitizes and inspects serviced components prior to reusing them on any information system.
Alternatively, the organization being inspected/assessed complies with MA-4 (3) CCI 882. |
Nonlocal Maintenance | Comparable Security / Sanitization |
MA-4 (3) |
MA-4(3).3 |
Comparable security capability on information systems, diagnostic tools, and equipment providing maintenance services implies that the implemented security controls on those systems, tools, and equipment are at least as comprehensive as the controls on the information system being serviced. Related controls: MA-3, SA-12, SI-3, SI-7. |
The organization:
(a) Requires that non-local maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or
(b) Removes the component to be serviced from the information system and prior to non-local maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system. |
| CCI-001632 |
The organization protects nonlocal maintenance sessions by separating the maintenance session from other network sessions with the information system by either physically separated communications paths or logically separated communications paths based upon encryption. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the information system by either physically separated communications paths or logically separated communications paths based upon encryption.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1632. |
The organization being inspected/assessed configures the information system to protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the information system by either physically separated communications paths or logically separated communications paths based upon encryption.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1632. |
Nonlocal Maintenance | Authentication / Separation Of Maintenance Sessions |
MA-4 (4) |
MA-4(4).3 |
Related control: SC-13. |
The organization protects non-local maintenance sessions by:
(a) Employing [Assignment: organization-defined authenticators that are replay resistant]; and
(b) Separating the maintenance sessions from other network sessions with the information system by either:
- Physically separated communications paths; or
- Logically separated communications paths based upon encryption. |
| CCI-000873 |
The organization approves nonlocal maintenance and diagnostic activities. |
The organization conducting the inspection/assessment obtains and examines:
1. the Security Plan to ensure the procedures for approving non-local maintenance and diagnostic activities are documented; and
2. records approving non-local maintenance and diagnostic activities. |
The organization being inspected/assessed documents the procedures for approving non-local maintenance and diagnostic activities within the Security Plan.
The organization must maintain records of approved non-local maintenance and diagnostic activities. |
Nonlocal Maintenance |
MA-4 |
MA-4.1 |
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls. Related controls: AC-2, AC-3, AC-6, AC-17, AU-2, AU-3, IA-2, IA-4, IA-5, IA-8, MA-2, MA-5, MP-6, PL-2, SC-7, SC-10, SC-17. |
The organization:
a. Approves and monitors nonlocal maintenance and diagnostic activities;
b. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
c. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
d. Maintains records for nonlocal maintenance and diagnostic activities; and
e. Terminates session and network connections when nonlocal maintenance is completed. |
| CCI-000874 |
The organization monitors nonlocal maintenance and diagnostic activities. |
The organization conducting the inspection/assessment obtains and examines:
1. the Security Plan to identify the authorized non-local maintenance and diagnostic activities; and
2. documented procedures to identify how the use of non-local maintenance and diagnostic activities are monitored; and
3. reviews evidence that the monitoring is conducted IAW the documented procedures. |
The organization being inspected/assessed develops and implements procedures to monitor non-local maintenance and diagnostic activities.
Records of monitoring activity must be maintained. |
Nonlocal Maintenance |
MA-4 |
MA-4.2 |
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls. Related controls: AC-2, AC-3, AC-6, AC-17, AU-2, AU-3, IA-2, IA-4, IA-5, IA-8, MA-2, MA-5, MP-6, PL-2, SC-7, SC-10, SC-17. |
The organization:
a. Approves and monitors nonlocal maintenance and diagnostic activities;
b. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
c. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
d. Maintains records for nonlocal maintenance and diagnostic activities; and
e. Terminates session and network connections when nonlocal maintenance is completed. |
| CCI-000875 |
The organization controls non-local maintenance and diagnostic activities. |
|
|
|
|
|
|
|
| CCI-000876 |
The organization allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system. |
The organization conducting the inspection/assessment obtains and examines:
1. the Security Plan to ensure non-local maintenance and diagnostic tools have been identified; and
2. maintenance records to ensure only those tools allowed are used IAW MA-4, CCI 873. |
The organization being inspected/assessed:
1. documents within the Security Plan the non-local maintenance and diagnostic tools that are allowed; and
2. allows the use of non-local maintenance and diagnostic tools IAW the tools identified in the Security Plan and MA-4, CCI 873. |
Nonlocal Maintenance |
MA-4 |
MA-4.3 |
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls. Related controls: AC-2, AC-3, AC-6, AC-17, AU-2, AU-3, IA-2, IA-4, IA-5, IA-8, MA-2, MA-5, MP-6, PL-2, SC-7, SC-10, SC-17. |
The organization:
a. Approves and monitors nonlocal maintenance and diagnostic activities;
b. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
c. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
d. Maintains records for nonlocal maintenance and diagnostic activities; and
e. Terminates session and network connections when nonlocal maintenance is completed. |
| CCI-000877 |
The organization employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 877. |
The organization being inspected/assessed configures the information system to employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 877. |
Nonlocal Maintenance |
MA-4 |
MA-4.4 |
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls. Related controls: AC-2, AC-3, AC-6, AC-17, AU-2, AU-3, IA-2, IA-4, IA-5, IA-8, MA-2, MA-5, MP-6, PL-2, SC-7, SC-10, SC-17. |
The organization:
a. Approves and monitors nonlocal maintenance and diagnostic activities;
b. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
c. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
d. Maintains records for nonlocal maintenance and diagnostic activities; and
e. Terminates session and network connections when nonlocal maintenance is completed. |
| CCI-000878 |
The organization maintains records for nonlocal maintenance and diagnostic activities. |
The organization conducting the inspection/assessment obtains records of authorized non-local maintenance and diagnostic activities, and examines a sampling to verify the organization is maintaining records for all non-local maintenance and diagnostic activities. |
The organization being inspected/assessed maintains records of authorized non-local maintenance and diagnostic activities. |
Nonlocal Maintenance |
MA-4 |
MA-4.5 |
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls. Related controls: AC-2, AC-3, AC-6, AC-17, AU-2, AU-3, IA-2, IA-4, IA-5, IA-8, MA-2, MA-5, MP-6, PL-2, SC-7, SC-10, SC-17. |
The organization:
a. Approves and monitors nonlocal maintenance and diagnostic activities;
b. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
c. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
d. Maintains records for nonlocal maintenance and diagnostic activities; and
e. Terminates session and network connections when nonlocal maintenance is completed. |
| CCI-000879 |
The organization terminates sessions and network connections when nonlocal maintenance is completed. |
The organization conducting the inspection/assessment obtains and examines audit logs of session and network connections termination for non-local maintenance to ensure session and network connections are terminated when non-local maintenance is completed. |
The organization being inspected/assessed terminates session and network connections when non-local maintenance is completed.
The organization must retain audit logs of session and network connections termination for non-local maintenance. |
Nonlocal Maintenance |
MA-4 |
MA-4.6 |
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls. Related controls: AC-2, AC-3, AC-6, AC-17, AU-2, AU-3, IA-2, IA-4, IA-5, IA-8, MA-2, MA-5, MP-6, PL-2, SC-7, SC-10, SC-17. |
The organization:
a. Approves and monitors nonlocal maintenance and diagnostic activities;
b. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
c. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
d. Maintains records for nonlocal maintenance and diagnostic activities; and
e. Terminates session and network connections when nonlocal maintenance is completed. |
| CCI-000880 |
The organization audits non-local maintenance and diagnostic sessions. |
|
|
|
|
|
|
|
| CCI-000881 |
The organization documents, in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections. |
The organization conducting the inspection/assessment obtains and examines the Security Plan to ensure the plan identifies the establishment and use of non-local maintenance and diagnostic connections. |
The organization being inspected/assessed documents within the Security Plan the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections. |
Nonlocal Maintenance | Document Nonlocal Maintenance |
MA-4 (2) |
MA-4(2).1 |
|
The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections. |
| CCI-000882 |
The organization requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced. |
The organization conducting the inspection/assessment obtains and examines contracts and/or service level agreements for all non-local maintenance and diagnostic services to ensure that any IS used for those services is required to have security level at least as high as the security level implemented on the IS being serviced.
Alternatively, the organization conducting the inspection/assessment ensures the organization being inspected/assessed complies with MA-4 (3) CCIs 883 and 1631. |
The organization being inspected/assessed clearly defines in its contracts and/or service level agreements the requirement that any IS used to conduct non-local maintenance and diagnostic services will have a security level at least as high as the security level implemented on the IS being serviced.
Alternatively, the organization being inspected/assessed complies with MA-4 (3) CCIs 883 and 1631. |
Nonlocal Maintenance | Comparable Security / Sanitization |
MA-4 (3) |
MA-4(3).1 |
Comparable security capability on information systems, diagnostic tools, and equipment providing maintenance services implies that the implemented security controls on those systems, tools, and equipment are at least as comprehensive as the controls on the information system being serviced. Related controls: MA-3, SA-12, SI-3, SI-7. |
The organization:
(a) Requires that non-local maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or
(b) Removes the component to be serviced from the information system and prior to non-local maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system. |
| CCI-000883 |
The organization removes the component to be serviced from the information system and prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities. |
The organization conducting the inspection/assessment obtains and examines maintenance procedures for all non-local maintenance and diagnostic services to ensure that the organization being inspected/assessed sanitizes components before removal from organizational facilities.
Alternatively, the organization conducting the inspection/assessment ensures the organization being inspected/assessed complies with MA-4 (3) CCI 882. |
The organization being inspected/assessed removes the component to be serviced from the information system and prior to non-local maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities.
Alternatively, the organization being inspected/assessed complies with MA-4 (3) CCI 882. |
Nonlocal Maintenance | Comparable Security / Sanitization |
MA-4 (3) |
MA-4(3).2 |
Comparable security capability on information systems, diagnostic tools, and equipment providing maintenance services implies that the implemented security controls on those systems, tools, and equipment are at least as comprehensive as the controls on the information system being serviced. Related controls: MA-3, SA-12, SI-3, SI-7. |
The organization:
(a) Requires that non-local maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or
(b) Removes the component to be serviced from the information system and prior to non-local maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system. |
| CCI-000884 |
The organization protects nonlocal maintenance sessions by employing organization-defined authenticators that are replay resistant. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to protect nonlocal maintenance sessions by employing authenticators defined in MA-4 (4), CCI 2887 that are replay resistant.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 884. |
The organization being inspected/assessed configures the information system to protect nonlocal maintenance sessions by employing authenticators defined in MA-4 (4), CCI 2887 that are replay resistant.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 884. |
Nonlocal Maintenance | Authentication / Separation Of Maintenance Sessions |
MA-4 (4) |
MA-4(4).1 |
Related control: SC-13. |
The organization protects non-local maintenance sessions by:
(a) Employing [Assignment: organization-defined authenticators that are replay resistant]; and
(b) Separating the maintenance sessions from other network sessions with the information system by either:
- Physically separated communications paths; or
- Logically separated communications paths based upon encryption. |
| CCI-000885 |
The organization requires that maintenance personnel notify organization-defined personnel when non-local maintenance is planned (i.e., date/time). |
|
|
|
|
|
|
|
| CCI-000886 |
The organization defines the personnel or roles to be notified of the date and time of planned nonlocal maintenance. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as the user base which could be impacted by the maintenance event. |
DoD has defined the personnel or roles as the user base which could be impacted by the maintenance event. |
Nonlocal Maintenance | Approvals And Notifications |
MA-4 (5) |
MA-4(5).3 |
Notification may be performed by maintenance personnel. Approval of nonlocal maintenance sessions is accomplished by organizational personnel with sufficient information security and information system knowledge to determine the appropriateness of the proposed maintenance. |
The organization:
(a) Requires the approval of each nonlocal maintenance session by [Assignment: organization-defined personnel or roles]; and
(b) Notifies [Assignment: organization-defined personnel or roles] of the date and time of planned nonlocal maintenance. |
| CCI-000887 |
The organization requires the approval of each nonlocal maintenance session by organization-defined personnel or roles. |
The organization conducting the inspection/assessment obtains and examines the maintenance procedures and historical approvals to ensure that the ISSO approves the non-local maintenance.
DoD has defined the personnel or roles as the ISSO. |
The organization being inspected/assessed defines within their maintenance procedures a process for the ISSO to approve the non-local maintenance.
Written approval must be maintained.
DoD has defined the personnel or roles as the ISSO. |
Nonlocal Maintenance | Approvals And Notifications |
MA-4 (5) |
MA-4(5).1 |
Notification may be performed by maintenance personnel. Approval of nonlocal maintenance sessions is accomplished by organizational personnel with sufficient information security and information system knowledge to determine the appropriateness of the proposed maintenance. |
The organization:
(a) Requires the approval of each nonlocal maintenance session by [Assignment: organization-defined personnel or roles]; and
(b) Notifies [Assignment: organization-defined personnel or roles] of the date and time of planned nonlocal maintenance. |
| CCI-000888 |
The organization employs cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications. |
|
|
|
|
|
|
|
| CCI-000889 |
The organization employs remote disconnect verification at the termination of non-local maintenance and diagnostic sessions. |
|
|
|
|
|
|
|
| CCI-001633 |
The organization defines removable media types and information output requiring marking. |
|
|
|
|
|
|
|
| CCI-001010 |
The organization marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information. |
The organization conducting the inspection/assessment obtains a sampling of information system media and information system output to verify that it is marked in compliance with DoDM 5200.01 Vol. 1-4. |
The organization being inspected/assessed marks information system media and information system output IAW DoDM 5200.01 Vol. 1-4. |
Media Marking |
MP-3 |
MP-3.1 |
The term security marking refers to the application/use of human-readable security attributes. The term security labeling refers to the application/use of security attributes with regard to internal data structures within information systems (see AC-16). Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Security marking is generally not required for media containing information determined by organizations to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable. Marking of information system media reflects applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Related controls: AC-16, PL-2, RA-3. |
The organization:
a. Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and
b. Exempts [Assignment: organization-defined types of information system media] from marking as long as the media remain within [Assignment: organization-defined controlled areas]. |
| CCI-001011 |
The organization exempts organization-defined types of information system media from marking as long as the media remain within organization-defined controlled areas. |
The organization conducting the inspection/assessment examines information system media to ensure it is marked IAW DoDM 5200.01 Vol. 1-4. |
All information system media must be marked in all areas IAW DoDM 5200.01 Vol. 1-4. |
Media Marking |
MP-3 |
MP-3.2 |
The term security marking refers to the application/use of human-readable security attributes. The term security labeling refers to the application/use of security attributes with regard to internal data structures within information systems (see AC-16). Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Security marking is generally not required for media containing information determined by organizations to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable. Marking of information system media reflects applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Related controls: AC-16, PL-2, RA-3. |
The organization:
a. Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and
b. Exempts [Assignment: organization-defined types of information system media] from marking as long as the media remain within [Assignment: organization-defined controlled areas]. |
| CCI-001012 |
The organization defines types of information system media to exempt from marking as long as the media remain within organization-defined controlled areas. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the list of information system media as nothing unless otherwise exempted by DoDI 5200.01 and DoDM 5200.01 Vol 1-4 |
DoD has defined the list of information system media as nothing unless otherwise exempted by DoDI 5200.01 and DoDM 5200.01 Vol 1-4. |
Media Marking |
MP-3 |
MP-3.3 |
The term security marking refers to the application/use of human-readable security attributes. The term security labeling refers to the application/use of security attributes with regard to internal data structures within information systems (see AC-16). Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Security marking is generally not required for media containing information determined by organizations to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable. Marking of information system media reflects applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Related controls: AC-16, PL-2, RA-3. |
The organization:
a. Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and
b. Exempts [Assignment: organization-defined types of information system media] from marking as long as the media remain within [Assignment: organization-defined controlled areas]. |
| CCI-001013 |
The organization defines controlled areas where organization-defined types of information system media are exempt from being marked. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the controlled areas as all areas unless otherwise exempted by DoDI 5200.01 and DoDM 5200.01 Vol 1-4 |
DoD has defined the controlled areas as all areas unless otherwise exempted by DoDI 5200.01 and DoDM 5200.01 Vol 1-4 |
Media Marking |
MP-3 |
MP-3.4 |
The term security marking refers to the application/use of human-readable security attributes. The term security labeling refers to the application/use of security attributes with regard to internal data structures within information systems (see AC-16). Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Security marking is generally not required for media containing information determined by organizations to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable. Marking of information system media reflects applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Related controls: AC-16, PL-2, RA-3. |
The organization:
a. Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and
b. Exempts [Assignment: organization-defined types of information system media] from marking as long as the media remain within [Assignment: organization-defined controlled areas]. |
| CCI-001634 |
The organization identifies authorized personnel with appropriate clearances and access authorizations for gaining physical access to the facility containing an information system that processes classified information. |
|
|
|
|
|
|
|
| CCI-001635 |
The organization removes individuals from the facility access list when access is no longer required. |
The organization conducting the inspection/assessment obtains and examines the review and approval actions documentation to ensure that personnel no longer requiring access have been removed from the authorized access list and their credentials have been revoked. |
The organization being inspected/assessed will remove personnel from the authorized access list who no longer have approved access and revoke their credentials, as identified in actions per PE-2, CCI 914.
The organization must document each removal and revocation action as an audit trail. |
Physical Access Authorizations |
PE-2 |
PE-2.7 |
This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Authorization credentials include, for example, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed (including level of forge-proof badges, smart cards, or identification cards) consistent with federal standards, policies, and procedures. This control only applies to areas within facilities that have not been designated as publicly accessible. Related controls: PE-3, PE-4, PS-3. |
The organization:
a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;
b. Issues authorization credentials for facility access;
c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and
d. Removes individuals from the facility access list when access is no longer required. |
| CCI-000912 |
The organization develops a list of individuals with authorized access to the facility where the information system resides. |
The organization conducting the inspection/assessment obtains and examines the list of personnel with authorized access to facilities where information systems reside to ensure it is current within every 90 days.
The review process should also determine if the organization has identified and officially designated its publicly accessible areas where access authorization is not required.
DoD has defined the frequency as every 90 days. |
The organization being inspected/assessed will develop and maintain a list of personnel with authorized access to the facilities where information systems reside.
The organization will also take action to identify and officially designate its publicly accessible areas where access authorization is not required. |
Physical Access Authorizations |
PE-2 |
PE-2.1 |
This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Authorization credentials include, for example, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed (including level of forge-proof badges, smart cards, or identification cards) consistent with federal standards, policies, and procedures. This control only applies to areas within facilities that have not been designated as publicly accessible. Related controls: PE-3, PE-4, PS-3. |
The organization:
a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;
b. Issues authorization credentials for facility access;
c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and
d. Removes individuals from the facility access list when access is no longer required. |
| CCI-000913 |
The organization issues authorization credentials for facility access. |
The organization conducting the inspection/assessment obtains and examines documentation of credential issuing activities to ensure credentials are issued to personnel with authorized access. |
The organization being inspected/assessed utilizes the list of personnel with authorized access (IAW PE-2, CCI-000912) and issues credentials accordingly.
The organization must document the credential issuing activity as an audit trail. |
Physical Access Authorizations |
PE-2 |
PE-2.4 |
This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Authorization credentials include, for example, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed (including level of forge-proof badges, smart cards, or identification cards) consistent with federal standards, policies, and procedures. This control only applies to areas within facilities that have not been designated as publicly accessible. Related controls: PE-3, PE-4, PS-3. |
The organization:
a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;
b. Issues authorization credentials for facility access;
c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and
d. Removes individuals from the facility access list when access is no longer required. |
| CCI-000914 |
The organization reviews the access list detailing authorized facility access by individuals in accordance with organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the audit records of the review actions to ensure that reviews are conducted every 90 days.
DoD has defined the frequency as every 90 days. |
The organization being inspected/assessed will review the access list and authorization credentials every 90 days and document these review and approval actions as an audit trail.
DoD has defined the frequency as every 90 days. |
Physical Access Authorizations |
PE-2 |
PE-2.5 |
This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Authorization credentials include, for example, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed (including level of forge-proof badges, smart cards, or identification cards) consistent with federal standards, policies, and procedures. This control only applies to areas within facilities that have not been designated as publicly accessible. Related controls: PE-3, PE-4, PS-3. |
The organization:
a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;
b. Issues authorization credentials for facility access;
c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and
d. Removes individuals from the facility access list when access is no longer required. |
| CCI-000915 |
The organization defines the frequency with which to review the access list detailing authorized facility access by individuals. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as every 90 days. |
DoD has defined the frequency as every 90 days. |
Physical Access Authorizations |
PE-2 |
PE-2.6 |
This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Authorization credentials include, for example, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed (including level of forge-proof badges, smart cards, or identification cards) consistent with federal standards, policies, and procedures. This control only applies to areas within facilities that have not been designated as publicly accessible. Related controls: PE-3, PE-4, PS-3. |
The organization:
a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;
b. Issues authorization credentials for facility access;
c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and
d. Removes individuals from the facility access list when access is no longer required. |
| CCI-000916 |
The organization authorizes physical access to the facility where the information system resides based on position or role. |
The organization conducting the inspection/assessment obtains and examines:
1. The list of roles or positions that have access to the facility where the information system resides.
2. The list of personnel assigned to those roles
Recommended:
3. Access logs to verify access to the facility was authorized based on the appropriate roles and positions |
The organization being inspected/assessed must:
1. Develop and document a list of roles or positions that have access to the facility where the information system resides.
2. Identify and document personnel assigned to those roles.
3. Authorize and document access to the facility to personnel in identified roles |
Physical Access Authorizations | Access By Position / Role |
PE-2 (1) |
PE-2(1).1 |
Related controls: AC-2, AC-3, AC-6. |
The organization authorizes physical access to the facility where the information system resides based on position or role. |
| CCI-000917 |
The organization requires two forms of identification from an organization-defined list of acceptable forms of identification for visitor access to the facility where the information system resides. |
The organization conducting the inspection/assessment obtains and examines the inspected organization's physical security policy for requirements and implementation guidance to have two forms of identification defined in PE-2 (2), CCI 2912 and physical access control logs or records; and any other relevant documents or records to validate compliance. |
The organization being inspected/assessed will only grant access to the facility with two organization approved government issued forms of identification defined in PE-2 (2), CCI 2912.
This requirement must be documented within the organization's physical security policy.
The organization must maintain access control documentation as an auditable event per AU-2, CCI 000123. |
Physical Access Authorizations | Two Forms Of Identification |
PE-2 (2) |
PE-2(2).1 |
Acceptable forms of government photo identification include, for example, passports, Personal Identity Verification (PIV) cards, and drivers' licenses. In the case of gaining access to facilities using automated mechanisms, organizations may use PIV cards, key cards, PINs, and biometrics. Related controls: IA-2, IA-4, IA-5. |
The organization requires two forms of identification from [Assignment: organization-defined list of acceptable forms of identification] for visitor access to the facility where the information system resides. |
| CCI-000918 |
The organization restricts physical access to the facility containing an information system that processes classified information to authorized personnel with appropriate clearances and access authorizations. |
|
|
|
|
|
|
|
| CCI-001636 |
The organization defines the frequency with which to review and update the current security planning policy. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. |
DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. |
Security Planning Policy And Procedures |
PL-1 |
PL-1.6 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and
b. Reviews and updates the current:
1. Security planning policy [Assignment: organization-defined frequency]; and
2. Security planning procedures [Assignment: organization-defined frequency]. |
| CCI-001637 |
The organization reviews and updates the current security planning policy in accordance with organization-defined frequency. |
DoDI 8510.01 meets the requirements for a security planning policy.
DoD Components are automatically compliant with this CCI because they are covered by DoD level policy, DoDI 8510.01.
DoD has defined the frequency as every 5 years. |
DoDI 8510.01 meets the requirements for a security planning policy.
DoD Components are automatically compliant with this CCI because they are covered by DoD level policy, DoDI 8510.01.
DoD has defined the frequency as every 5 years. |
Security Planning Policy And Procedures |
PL-1 |
PL-1.7 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and
b. Reviews and updates the current:
1. Security planning policy [Assignment: organization-defined frequency]; and
2. Security planning procedures [Assignment: organization-defined frequency]. |
| CCI-001638 |
The organization defines the frequency with which to review and update the current security planning procedures. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as reviewed annually - updated as appropriate. |
DoD has defined the frequency as reviewed annually - updated as appropriate. |
Security Planning Policy And Procedures |
PL-1 |
PL-1.10 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and
b. Reviews and updates the current:
1. Security planning policy [Assignment: organization-defined frequency]; and
2. Security planning procedures [Assignment: organization-defined frequency]. |
| CCI-000563 |
The organization develops and documents a security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
DoD Components are automatically compliant with this CCI because they are covered by DoD level policy, DoDI 8510.01. |
DoDI 8510.01 meets the requirements for a security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
DoD Components are automatically compliant with this CCI because they are covered by DoD level policy, DoDI 8510.01. |
Security Planning Policy And Procedures |
PL-1 |
PL-1.3 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and
b. Reviews and updates the current:
1. Security planning policy [Assignment: organization-defined frequency]; and
2. Security planning procedures [Assignment: organization-defined frequency]. |
| CCI-000564 |
The organization disseminates a security planning policy to organization-defined personnel or roles. |
DoD Components are automatically compliant with this CCI because they are covered by DoD level policy, DoDI 8510.01.
DoD has defined the roles as organizational personnel with planning responsibilities or information security responsibilities. |
DoD disseminates DoDI 8510.01 via the DoD Issuances website (http://www.dtic.mil/whs/directives/corres/dir.html) to organizational personnel with planning responsibilities or information security responsibilities.
DoD Components are automatically compliant with this CCI because they are covered by DoD level policy, DoDI 8510.01.
DoD has defined the roles as organizational personnel with planning responsibilities or information security responsibilities. |
Security Planning Policy And Procedures |
PL-1 |
PL-1.4 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and
b. Reviews and updates the current:
1. Security planning policy [Assignment: organization-defined frequency]; and
2. Security planning procedures [Assignment: organization-defined frequency]. |
| CCI-000565 |
The organization reviews/updates, per organization-defined frequency, a formal, documented security planning policy. |
|
|
|
|
|
|
|
| CCI-000566 |
The organization develops and documents procedures to facilitate the implementation of the security planning policy and associated security planning controls. |
DoD Components are automatically compliant with this CCI because they are covered by DoD level policy, DoDI 8510.01. |
DoDI 8510.01 meets the requirements for developing and documenting procedures to facilitate the implementation of the security planning policy and associated security planning controls.
DoD Components are automatically compliant with this CCI because they are covered by DoD level policy, DoDI 8510.01. |
Security Planning Policy And Procedures |
PL-1 |
PL-1.5 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and
b. Reviews and updates the current:
1. Security planning policy [Assignment: organization-defined frequency]; and
2. Security planning procedures [Assignment: organization-defined frequency]. |
| CCI-000567 |
The organization disseminates security planning procedures to organization-defined personnel or roles. |
DoD Components are automatically compliant with this CCI because they are covered by DoD level policy, DoDI 8510.01.
DoD has defined the roles as organizational personnel with planning responsibilities or information security responsibilities. |
DoD disseminates DoDI 8510.01 via the DoD Issuances website (http://www.dtic.mil/whs/directives/corres/dir.html) to organizational personnel with planning responsibilities or information security responsibilities.
DoD Components are automatically compliant with this CCI because they are covered by DoD level policy, DoDI 8510.01.
DoD has defined the roles as organizational personnel with planning responsibilities or information security responsibilities. |
Security Planning Policy And Procedures |
PL-1 |
PL-1.8 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and
b. Reviews and updates the current:
1. Security planning policy [Assignment: organization-defined frequency]; and
2. Security planning procedures [Assignment: organization-defined frequency]. |
| CCI-000568 |
The organization reviews and updates the current security planning procedures in accordance with organization-defined frequency. |
DoDI 8510.01 meets the requirements for a security planning policy.
DoD Components are automatically compliant with this CCI because they are covered by DoD level policy, DoDI 8510.01.
DoD has defined the frequency as reviewed annually - updated as appropriate. |
DoDI 8510.01 meets the requirements for a security planning policy.
DoD Components are automatically compliant with this CCI because they are covered by DoD level policy, DoDI 8510.01.
DoD has defined the frequency as reviewed annually - updated as appropriate. |
Security Planning Policy And Procedures |
PL-1 |
PL-1.9 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and
b. Reviews and updates the current:
1. Security planning policy [Assignment: organization-defined frequency]; and
2. Security planning procedures [Assignment: organization-defined frequency]. |
| CCI-001639 |
The organization makes readily available to individuals requiring access to the information system the rules that describe their responsibilities and expected behavior with regard to information and information system usage. |
The organization conducting the inspection/assessment obtains and examines rules that describe information system user responsibilities via the inspected organization's information sharing capability (e.g. portal, intranet, email, etc.) to ensure it has been disseminated. |
The organization being inspected/assessed must disseminate to all information system users, via an information sharing capability, rules that describe information system user responsibilities and expected behavior with regard to information and information system usage, acceptable use policy (AUP).
Organizations should disseminate the rules by providing to users and requiring signature of acceptance. |
Rules Of Behavior |
PL-4 |
PL-4.2 |
This control enhancement applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior. Related controls: AC-2, AC-6, AC-8, AC-9, AC-17, AC-18, AC-19, AC-20, AT-2, AT-3, CM-11, IA-2, IA-4, IA-5, MP-7, PS-6, PS-8, SA-5. |
The organization:
a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;
b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;
c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and
d. Requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised/updated. |
| CCI-000592 |
The organization establishes the rules describing the responsibilities and expected behavior, with regard to information and information system usage, for individuals requiring access to the information system. |
The organization conducting the inspection/assessment obtains and examines the organization's AUP to ensure the organization has clearly defined and established rules describing information system user responsibilities and expected behavior with regard to information and information system usage. |
The organization being inspected/assessed must develop and document rules that describe information system user responsibilities and expected behavior with regard to information and information system usage, acceptable use policy (AUP).
Organizations should reference Joint Ethics Regulations (DoD 5500.7-R) when developing this policy. |
Rules Of Behavior |
PL-4 |
PL-4.1 |
This control enhancement applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior. Related controls: AC-2, AC-6, AC-8, AC-9, AC-17, AC-18, AC-19, AC-20, AT-2, AT-3, CM-11, IA-2, IA-4, IA-5, MP-7, PS-6, PS-8, SA-5. |
The organization:
a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;
b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;
c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and
d. Requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised/updated. |
| CCI-000593 |
The organization receives a signed acknowledgment from individuals requiring access to the information system, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system. |
The organization conducting the inspection/assessment obtains a list of individuals with active accounts and validates the existence of signed acknowledgements (paper or electronic signature) of the organizational AUP associated with a sampling of individuals selected from the list. |
The organization being inspected/assessed will obtain signed acknowledgment (paper or electronic signature) from individuals indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system. |
Rules Of Behavior |
PL-4 |
PL-4.3 |
This control enhancement applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior. Related controls: AC-2, AC-6, AC-8, AC-9, AC-17, AC-18, AC-19, AC-20, AT-2, AT-3, CM-11, IA-2, IA-4, IA-5, MP-7, PS-6, PS-8, SA-5. |
The organization:
a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;
b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;
c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and
d. Requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised/updated. |
| CCI-000594 |
The organization includes in the rules of behavior explicit restrictions on the use of social media/networking sites. |
The organization conducting the inspection/assessment obtains and examines the rules of behavior to ensure the organization being inspected/assessed includes explicit restrictions on the use of social media/networking sites IAW DoDI 8550.01. |
The organization being inspected/assessed includes in the rules of behavior, IAW DoDI 8550.01, explicit restrictions on the use of social media/networking sites. |
Rules Of Behavior | Social Media And Networking Restrictions |
PL-4 (1) |
PL-4(1).1 |
This control enhancement addresses rules of behavior related to the use of social media/networking sites: (i) when organizational personnel are using such sites for official duties or in the conduct of official business; (ii) when organizational information is involved in social media/networking transactions; and (iii) when personnel are accessing social media/networking sites from organizational information systems. Organizations also address specific rules that prevent unauthorized entities from obtaining and/or inferring non-public organizational information (e.g., system account information, personally identifiable information) from social media/networking sites. |
The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites. |
| CCI-000595 |
The organization includes in the rules of behavior explicit restrictions on posting organizational information on public websites. |
The organization conducting the inspection/assessment obtains and examines the rules of behavior to ensure the organization being inspected/assessed includes explicit restrictions on posting organizational information on public websites IAW DoDI 8550.01. |
The organization being inspected/assessed includes in the rules of behavior, IAW DoDI 8550.01, explicit restrictions on posting organizational information on public websites. |
Rules Of Behavior | Social Media And Networking Restrictions |
PL-4 (1) |
PL-4(1).2 |
This control enhancement addresses rules of behavior related to the use of social media/networking sites: (i) when organizational personnel are using such sites for official duties or in the conduct of official business; (ii) when organizational information is involved in social media/networking transactions; and (iii) when personnel are accessing social media/networking sites from organizational information systems. Organizations also address specific rules that prevent unauthorized entities from obtaining and/or inferring non-public organizational information (e.g., system account information, personally identifiable information) from social media/networking sites. |
The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites. |
| CCI-000596 |
The organization includes in the rules of behavior, explicit restrictions on sharing information system account information. |
|
|
|
|
|
|
|
| CCI-001640 |
The organization updates the critical infrastructure and key resources protection plan that addresses information security issues. |
DoDD 3020.40 meets the DoD requirement for the development of a critical infrastructure and key resource protection plan.
DoD components are automatically compliant with this CCI as they are covered by the DoD level, DoDD 3020.40. |
DoDD 3020.40 meets the DoD requirement for the development of a critical infrastructure and key resource protection plan.
DoD components are automatically compliant with this CCI as they are covered by the DoD level, DoDD 3020.40. |
Critical Infrastructure Plan |
PM-8 |
PM-8.2 |
Protection strategies are based on the prioritization of critical assets and resources. The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Related controls: PM-1, PM-9, PM-11, RA-3. |
The organization addresses information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan. |
| CCI-000216 |
The organization develops and documents a critical infrastructure and key resource protection plan that addresses information security issues. |
DoDD 3020.40 meets the DoD requirement for the development of a critical infrastructure and key resource protection plan.
DoD components are automatically compliant with this CCI as they are covered by the DoD level, DoDD 3020.40. |
DoDD 3020.40 meets the DoD requirement for the development of a critical infrastructure and key resource protection plan.
DoD components are automatically compliant with this CCI as they are covered by the DoD level, DoDD 3020.40. |
Critical Infrastructure Plan |
PM-8 |
PM-8.1 |
Protection strategies are based on the prioritization of critical assets and resources. The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Related controls: PM-1, PM-9, PM-11, RA-3. |
The organization addresses information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan. |
| CCI-001641 |
The organization defines the process for conducting random vulnerability scans on the information system and hosted applications. |
The organization conducting the inspection/assessment obtains and examines random vulnerability process documentation (if applicable) to validate the organization has clearly defined and documented a process for conducting random vulnerability scans on the information system and hosted applications.
If the organization being inspected/assessed has determined they have no requirement for random scanning, there is no requirement for a process. |
DoD has defined the requirement for vulnerability scanning periodicity of every 30 days. If the organization being inspected/assessed has determined a requirement for random scanning they must document that process.
DoD has defined the frequency as every 30 days or as directed by an authoritative source (e.g. IAVM, CTOs, DTMs, STIGs). |
Vulnerability Scanning |
RA-5 |
RA-5.4 |
Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2. |
The organization:
a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyzes vulnerability scan reports and results from security control assessments;
d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). |
| CCI-001643 |
The organization scans for vulnerabilities in the information system and hosted applications in accordance with the organization-defined process for random scans. |
The organization conducting the inspection/assessment obtains and examines
the vulnerability scanning results every 30 days or as directed by an authorative source (e.g. IAVM, CTOs, DTMs, STIGs) to verify compliance with the organization being inspected/assessed random vulnerability scanning process.
DoD has defined the frequency as every 30 days or as directed by an authorative source (e.g. IAVM, CTOs, DTMs, STIGs).
|
The organization being inspected/assessed will conduct random vulnerability scans every 30 days or as directed by an authorative source (e.g. IAVM, CTOs, DTMs, STIGs).
The organization will document the vulnerability scans as an audit trail for future reference. The audit trail must be maintained IAW DoD, CYBERCOM, or component policies.
DoD has defined the frequency as every 30 days or as directed by an authorative source (e.g. IAVM, CTOs, DTMs, STIGs).
. |
Vulnerability Scanning |
RA-5 |
RA-5.5 |
Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2. |
The organization:
a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyzes vulnerability scan reports and results from security control assessments;
d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). |
| CCI-001644 |
The organization employs vulnerability scanning procedures that can demonstrate the depth of coverage (i.e., vulnerabilities checked). |
|
|
|
|
|
|
|
| CCI-001645 |
The organization identifies the information system components to which privileged access is authorized for selected organization-defined vulnerability scanning activities. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the information system components as all information systems and infrastructure components. |
DoD has defined the information system components as all information systems and infrastructure components. |
Vulnerability Scanning | Privileged Access |
RA-5 (5) |
RA-5(5).2 |
In certain situations, the nature of the vulnerability scanning may be more intrusive or the information system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and also protects the sensitive nature of such scanning. |
The information system implements privileged access authorization to [Assignment: organization-identified information system components] for selected [Assignment: organization-defined vulnerability scanning activities]. |
| CCI-001054 |
The organization scans for vulnerabilities in the information system and hosted applications on an organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the organization's vulnerability scanning procedures and results for the 90 days preceding the inspection/assessment.
If the system in question has not been operational for more than 90 days the organization will provide all available scan(s). |
The organization being inspected/assessed will
define, document, and implement procedures for vulnerability scans of the information system and hosted applications; and scan for vulnerabilities in the information system and hosted applications every 30 days or as directed by an authoritative source (e.g. IAVM, CTOs, DTMs, STIGs).
This control is not targeted at security control compliance scanning.
DoD has defined the frequency as every 30 days or as directed by an authoritative source (e.g. IAVM, CTOs, DTMs, STIGs). |
Vulnerability Scanning |
RA-5 |
RA-5.1 |
Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2. |
The organization:
a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyzes vulnerability scan reports and results from security control assessments;
d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). |
| CCI-001055 |
The organization defines a frequency for scanning for vulnerabilities in the information system and hosted applications. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as every 30 days or as directed by an authoritative source (e.g. IAVM, CTOs, DTMs, STIGs). |
DoD has defined the frequency as every 30 days or as directed by an authoritative source (e.g. IAVM, CTOs, DTMs, STIGs). |
Vulnerability Scanning |
RA-5 |
RA-5.2 |
Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2. |
The organization:
a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyzes vulnerability scan reports and results from security control assessments;
d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). |
| CCI-001056 |
The organization scans for vulnerabilities in the information system and hosted applications when new vulnerabilities potentially affecting the system/applications are identified and reported. |
The organization conducting the inspection/assessment obtains and examines the organization's vulnerability scanning procedures and results in order to validate the organization conducts vulnerability scans of its Information System (IS) and hosted applications when new vulnerabilities potentially affecting the IS and/or applications are identified and reported. |
The organization being inspected/assessed will conduct vulnerability scans of the information system and hosted applications when new vulnerabilities potentially affecting the system/applications are identified and reported via authoritative sources (e.g., IAVM, CTO, DTM, STIG, product vendor). |
Vulnerability Scanning |
RA-5 |
RA-5.3 |
Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2. |
The organization:
a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyzes vulnerability scan reports and results from security control assessments;
d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). |
| CCI-001057 |
The organization employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: enumerating platforms, software flaws, and improper configurations; formatting checklists and test procedures; and measuring vulnerability impact. |
The organization conducting the inspection/assessment obtains and examines the software list or vulnerability scanning procedures to ensure the organization being inspected/assessed employs the DoD Enterprise scanning tool. |
The organization being inspected/assessed employs the DoD Enterprise scanning tool. |
Vulnerability Scanning |
RA-5 |
RA-5.6 |
Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2. |
The organization:
a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyzes vulnerability scan reports and results from security control assessments;
d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). |
| CCI-001058 |
The organization analyzes vulnerability scan reports and results from security control assessments. |
The organization conducting the inspection/assessment will interview organizational personnel with security control assessment and vulnerability scanning responsibilities. The purpose of the reviews and interviews is to validate the organization is conducting an analysis of the vulnerability scan reports and results from the security control assessments. |
The organization being inspected/assessed analyzes vulnerability scan reports and security control assessment results with the intent of identifying legitimate vulnerabilities and the relationship between vulnerabilities and security controls. |
Vulnerability Scanning |
RA-5 |
RA-5.7 |
Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2. |
The organization:
a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyzes vulnerability scan reports and results from security control assessments;
d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). |
| CCI-001059 |
The organization remediates legitimate vulnerabilities in organization-defined response times in accordance with an organizational assessment risk. |
The organization conducting the inspection/assessment obtains and examines audit records to validate the organization is taking action to remediate legitimate vulnerabilities within the required response times (IAW an authoritative source (e.g. IAVM, CTOs, DTMs, STIGs).
The organization conducting the inspection/assessment may conduct independent vulnerability scans to compare those scan results with audit records of remediation actions.
DoD has defined the response times as IAW an authoritative source (e.g. IAVM, CTOs, DTMs, STIGs). |
The organization being inspected/assessed takes corrective actions as appropriate on legitimate vulnerabilities identified in RA-5, CCI 001058 IAW an authoritative source (e.g. IAVM, CTOs, DTMs, STIGs).
Audit records of actions must be maintained IAW applicable DoD, CYBERCOM, and/or component policies.
DoD has defined the response times as IAW an authoritative source (e.g. IAVM, CTOs, DTMs, STIGs). |
Vulnerability Scanning |
RA-5 |
RA-5.8 |
Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2. |
The organization:
a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyzes vulnerability scan reports and results from security control assessments;
d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). |
| CCI-001060 |
The organization defines response times for remediating legitimate vulnerabilities in accordance with an organization assessment of risk. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the response times as IAW an authoritative source (e.g. IAVM, CTOs, DTMs). |
DoD has defined the response times as IAW an authoritative source (e.g. IAVM, CTOs, DTMs). |
Vulnerability Scanning |
RA-5 |
RA-5.9 |
Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2. |
The organization:
a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyzes vulnerability scan reports and results from security control assessments;
d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). |
| CCI-001061 |
The organization shares information obtained from the vulnerability scanning process and security control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed shares information obtained from the vulnerability scanning process and security control assessments with at a minimum, the ISSM and ISSO to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. |
The organization being inspected/assessed documents and implements a process to share information obtained from the vulnerability scanning process and security control assessments with at a minimum, the ISSM and ISSO to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. |
Vulnerability Scanning |
RA-5 |
RA-5.10 |
Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2. |
The organization:
a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyzes vulnerability scan reports and results from security control assessments;
d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). |
| CCI-001062 |
The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned. |
The organization conducting the inspection/assessment will:
1. If the inspected organization is using the DoD provided enterprise scanning tool, compliance with this control is complete.
2. Validate the identified tool in use by the inspected organization is able to maintain current up to date information system vulnerability data. |
The organization being inspected/assessed will employ scanning tools that maintain currency with industry standard information system vulnerabilities to ensure that scanning activities are conducted with the most up to date list of known vulnerabilities to include USCYBERCOM issued IAVMs.
DoD has provided an enterprise scanning tool that fully meets this requirement. Organizations that choose not to use the enterprise scanning tool must identify which scanning tool they are using and ensure that it meets these requirements. |
Vulnerability Scanning | Update Tool Capability |
RA-5 (1) |
RA-5(1).1 |
The vulnerabilities to be scanned need to be readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This updating process helps to ensure that potential vulnerabilities in the information system are identified and addressed as quickly as possible. Related controls: SI-3, SI-7. |
The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned. |
| CCI-001063 |
The organization updates the information system vulnerabilities scanned on an organization-defined frequency, prior to a new scan, and/or when new vulnerabilities are identified and reported. |
The organization conducting the inspection/assessment obtains and examines the record of scans to ensure the latest most up to date scanning policies are present. |
The organization being inspected/assessed will update the list of information system vulnerabilities scanned for prior to running scans.
The organization must maintain a record of scans including the list of vulnerabilities scanned for.
DoD has defined the frequency as prior to running scans. |
Vulnerability Scanning | Update By Frequency / Prior To New Scan / When Identified |
RA-5 (2) |
RA-5(2).1 |
Related controls: SI-3, SI-5. |
The organization updates the information system vulnerabilities scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported]. |
| CCI-001064 |
The organization defines a frequency for updating the information system vulnerabilities scanned. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as prior to running scans. |
DoD has defined the frequency as prior to running scans. |
Vulnerability Scanning | Update By Frequency / Prior To New Scan / When Identified |
RA-5 (2) |
RA-5(2).2 |
Related controls: SI-3, SI-5. |
The organization updates the information system vulnerabilities scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported]. |
| CCI-001065 |
The organization employs vulnerability scanning procedures that can demonstrate the breadth of coverage (i.e., information system components scanned). |
|
|
|
|
|
|
|
| CCI-001066 |
The organization determines what information about the information system is discoverable by adversaries. |
The organization conducting the inspection/assessment will review results of validation of base control RA-5, if the inspected organization is compliant with the requirements of RA-5, they are compliant with this CCI. |
If the organization being inspected/assessed is conducting vulnerability scans IAW base control RA-5, they are compliant with this CCI. |
Vulnerability Scanning | Discoverable Information |
RA-5 (4) |
RA-5(4).1 |
Discoverable information includes information that adversaries could obtain without directly compromising or breaching the information system, for example, by collecting information the system is exposing or by conducting extensive searches of the web. Corrective actions can include, for example, notifying appropriate organizational personnel, removing designated information, or changing the information system to make designated information less relevant or attractive to adversaries. Related control: AU-13. |
The organization determines what information about the information system is discoverable by adversaries and subsequently takes [Assignment: organization-defined corrective actions]. |
| CCI-001067 |
The information system implements privileged access authorization to organization-identified information system components for selected organization-defined vulnerability scanning activities. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement privileged access authorization to all information systems and infrastructure components for selected vulnerability scanning activities defined in RA-5 (5), CCI 2906.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1067.
DoD has defined the information system components as all information systems and infrastructure components. |
The organization being inspected/assessed configures the information system to implement privileged access authorization to all information systems and infrastructure components for selected vulnerability scanning activities defined in RA-5 (5), CCI 2906.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1067.
DoD has defined the information system components as all information systems and infrastructure components. |
Vulnerability Scanning | Privileged Access |
RA-5 (5) |
RA-5(5).1 |
In certain situations, the nature of the vulnerability scanning may be more intrusive or the information system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and also protects the sensitive nature of such scanning. |
The information system implements privileged access authorization to [Assignment: organization-identified information system components] for selected [Assignment: organization-defined vulnerability scanning activities]. |
| CCI-001068 |
The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities. |
The organization conducting the inspection/assessment validates the organization is employing automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities. |
The organization being inspected/assessed must configure and implement automated mechanisms which provide the capability to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities. |
Vulnerability Scanning | Automated Trend Analyses |
RA-5 (6) |
RA-5(6).1 |
Related controls: IR-4, IR-5, SI-4. |
The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities. |
| CCI-001069 |
The organization employs automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization-defined frequency. |
|
|
|
|
|
|
|
| CCI-001070 |
The organization defines a frequency for employing automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials. |
|
|
|
|
|
|
|
| CCI-001071 |
The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited. |
The organization conducting the inspection/assessment obtains and examines the audit trail to determine if the organization has documented any previously identified exploited vulnerabilities. |
The organization being inspected/assessed reviews audit logs and determines if the identified vulnerability has been previously exploited within the information system.
Any findings must be documented and acted upon IAW IR-1. |
Vulnerability Scanning | Review Historic Audit Logs |
RA-5 (8) |
RA-5(8).1 |
Related control: AU-6. |
The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited. |
| CCI-001072 |
The organization employs an independent penetration agent or penetration team to conduct a vulnerability analysis on the information system. |
|
|
|
|
|
|
|
| CCI-001073 |
The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system based on the vulnerability analysis to determine the exploitability of identified vulnerabilities. |
|
|
|
|
|
|
|
| CCI-001642 |
The organization defines the organizational document in which risk assessment results are documented (e.g., security plan, risk assessment report). |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the document as a risk assessment report. |
DoD has defined the document as a risk assessment report. |
Risk Assessment |
RA-3 |
RA-3.3 |
Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems.
Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation. Related controls: RA-2, PM-9. |
The organization:
a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
c. Reviews risk assessment results [Assignment: organization-defined frequency];
d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system. |
| CCI-001048 |
The organization conducts an assessment of risk of the information system and the information it processes, stores, or transmits that includes the likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification, or destruction. |
The organization conducting the inspection/assessment obtains and examines the audit trail of assessments to ensure the organization being inspected/assessed conducts an assessment of risk of the information system and the information it processes, stores, or transmits that includes the likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification, or destruction. |
The organization being inspected/assessed conducts an assessment of risk of the information system and the information it processes, stores, or transmits that includes the likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification, or destruction.
The organization must maintain an audit trail
of assessments. |
Risk Assessment |
RA-3 |
RA-3.1 |
Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems.
Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation. Related controls: RA-2, PM-9. |
The organization:
a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
c. Reviews risk assessment results [Assignment: organization-defined frequency];
d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system. |
| CCI-001049 |
The organization documents risk assessment results in the organization-defined document. |
The organization conducting the inspection/assessment obtains and examines the risk assessment report to ensure the organization being inspected/assessed documents risk assessment results in the risk assessment report.
DoD has defined the document as a risk assessment report. |
The organization being inspected/assessed documents risk assessment results in the risk assessment report.
DoD has defined the document as a risk assessment report. |
Risk Assessment |
RA-3 |
RA-3.2 |
Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems.
Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation. Related controls: RA-2, PM-9. |
The organization:
a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
c. Reviews risk assessment results [Assignment: organization-defined frequency];
d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system. |
| CCI-001050 |
The organization reviews risk assessment results on an organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the record of reviews to ensure the organization being inspected/assessed reviews risk assessment results upon re-accreditation.
DoD has defined the frequency as upon re-accreditation.
|
The organization being inspected/assessed reviews risk assessment results upon re-accreditation.
The organization must maintain a record of reviews.
DoD has defined the frequency as upon re-accreditation. |
Risk Assessment |
RA-3 |
RA-3.4 |
Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems.
Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation. Related controls: RA-2, PM-9. |
The organization:
a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
c. Reviews risk assessment results [Assignment: organization-defined frequency];
d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system. |
| CCI-001051 |
The organization defines a frequency for reviewing risk assessment results. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as upon re-accreditation. |
DoD has defined the frequency as upon re-accreditation. |
Risk Assessment |
RA-3 |
RA-3.5 |
Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems.
Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation. Related controls: RA-2, PM-9. |
The organization:
a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
c. Reviews risk assessment results [Assignment: organization-defined frequency];
d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system. |
| CCI-001052 |
The organization updates the risk assessment on an organization-defined frequency or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system. |
The organization conducting the inspection/assessment obtains and examines historical versions of the risk assessment as well as records of changes to the system to ensure the organization being inspected/assessed updates the risk assessment upon re-accreditation or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
DoD has defined the frequency as upon re-accreditation. |
The organization being inspected/asssessed updates the risk assessment upon re-accreditation or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
DoD has defined the frequency as upon re-accreditation. |
Risk Assessment |
RA-3 |
RA-3.8 |
Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems.
Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation. Related controls: RA-2, PM-9. |
The organization:
a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
c. Reviews risk assessment results [Assignment: organization-defined frequency];
d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system. |
| CCI-001053 |
The organization defines a frequency for updating the risk assessment. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as upon re-accreditation. |
DoD has defined the frequency as upon re-accreditation. |
Risk Assessment |
RA-3 |
RA-3.9 |
Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems.
Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation. Related controls: RA-2, PM-9. |
The organization:
a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
c. Reviews risk assessment results [Assignment: organization-defined frequency];
d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system. |
| CCI-000608 |
The organization includes a determination of information security requirements for the information system in mission process planning. |
|
|
|
|
|
|
|
| CCI-000609 |
The organization includes a determination of information security requirements for the information system in business process planning. |
|
|
|
|
|
|
|
| CCI-000610 |
The organization determines the resources required to protect the information system or information system service as part of its capital planning and investment control process. |
The organization conducting the inspection/assessment obtains and examines the planning, programming, and budget documentation to ensure the organization being inspected/assessed has determined the resources required for cybersecurity requirements to protect the information system or information system service. |
The organization being inspected/assessed determines the resources (funding, staffing, etc.) required for the cybersecurity requirements to protect the information system or information system service as part of its planning, programming, and budget process (PPBE). |
Allocation Of Resources |
SA-2 |
SA-2.2 |
Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system/service. Related controls: PM-3, PM-11. |
The organization:
a. Determines information security requirements for the information system or information system service in mission/business process planning;
b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and
c. Establishes a discrete line item for information security in organizational programming and budgeting documentation |
| CCI-000611 |
The organization documents the resources required to protect the information system or information system service as part of its capital planning and investment control process. |
The organization conducting the inspection/assessment obtains and examines the planning, programming, and budget documentation to ensure the organization being inspected/assessed has documented the resources required for cybersecurity requirements to protect the information system or information system service. |
The organization being inspected/assessed documents the resources (funding, staffing, etc.) required for the cybersecurity requirements to protect the information system or information system service as part of its planning, programming, and budget process (PPBE). |
Allocation Of Resources |
SA-2 |
SA-2.3 |
Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system/service. Related controls: PM-3, PM-11. |
The organization:
a. Determines information security requirements for the information system or information system service in mission/business process planning;
b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and
c. Establishes a discrete line item for information security in organizational programming and budgeting documentation |
| CCI-000612 |
The organization allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process. |
The organization conducting the inspection/assessment obtains and examines the planning, programming, and budget documentation to ensure the organization being inspected/assessed has allocated the resources required for cybersecurity requirements to protect the information system or information system service. |
The organization being inspected/assessed allocates the resources (funding, staffing, etc.) required for the cybersecurity requirements to protect the information system or information system service as part of its planning, programming, and budget process (PPBE). |
Allocation Of Resources |
SA-2 |
SA-2.4 |
Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system/service. Related controls: PM-3, PM-11. |
The organization:
a. Determines information security requirements for the information system or information system service in mission/business process planning;
b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and
c. Establishes a discrete line item for information security in organizational programming and budgeting documentation |
| CCI-000613 |
The organization establishes a discrete line item for information security in organizational programming documentation. |
The organization conducting the inspection/assessment obtains and examines the planning, programming, and budget documentation to ensure the organization being inspected/assessed has identified and established an individual line item for cybersecurity requirements to protect the information system. |
The organization being inspected/assessed identifies and establishes an individual line item for cybersecurity requirements to protect the information system as part of the planning, programming, and budget process (PPBE). |
Allocation Of Resources |
SA-2 |
SA-2.5 |
Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system/service. Related controls: PM-3, PM-11. |
The organization:
a. Determines information security requirements for the information system or information system service in mission/business process planning;
b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and
c. Establishes a discrete line item for information security in organizational programming and budgeting documentation |
| CCI-000614 |
The organization establishes a discrete line item for information security in organizational budgeting documentation. |
The organization conducting the inspection/assessment obtains and examines the planning, programming, and budget documentation to ensure the organization being inspected/assessed has identified and established an individual line item for cybersecurity requirements to protect the information system. |
The organization being inspected/assessed identifies and establishes an individual line item for cybersecurity requirements to protect the information system as part of the planning, programming, and budget process (PPBE). |
Allocation Of Resources |
SA-2 |
SA-2.6 |
Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system/service. Related controls: PM-3, PM-11. |
The organization:
a. Determines information security requirements for the information system or information system service in mission/business process planning;
b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and
c. Establishes a discrete line item for information security in organizational programming and budgeting documentation |
| CCI-001647 |
The organization requires the use of a FIPS-validated, cryptographic module for a technology product that relies on cryptographic functionality to enforce its security policy when no U.S. Government Protection Profile exists for such a specific technology type. |
|
|
|
|
|
|
|
| CCI-000619 |
The organization includes security functional requirements/specifications, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. |
|
|
|
|
|
|
|
| CCI-000620 |
The organization includes security-related documentation requirements, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. |
|
|
|
|
|
|
|
| CCI-000621 |
The organization includes developmental and evaluation-related assurance requirements, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. |
|
|
|
|
|
|
|
| CCI-000623 |
The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed. |
DoDI 8510.01 system categorization meets the DoD requirement for providing a description of the functional properties of the security controls to be employed.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01. |
DoDI 8510.01 system categorization meets the DoD requirement for providing a description of the functional properties of the security controls to be employed.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01. |
Acquisition Process | Functional Properties Of Security Controls |
SA-4 (1) |
SA-4(1).1 |
Functional properties of security controls describe the functionality (i.e., security capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed. |
| CCI-000624 |
The organization requires in acquisition documents that vendors/contractors provide information describing the design details of the security controls to be employed within the information system, information system components, or information system services (including functional interfaces among control components) in sufficient detail to permit analysis and testing of the controls. |
|
|
|
|
|
|
|
| CCI-000625 |
The organization requires in acquisition documents that vendors/contractors provide information describing the implementation details of the security controls to be employed within the information system, information system components, or information system services (including functional interfaces among control components) in sufficient detail to permit analysis and testing of the controls. |
|
|
|
|
|
|
|
| CCI-000626 |
The organization requires software vendors/manufacturers to minimize flawed or malformed software by demonstrating that their software development process employs state-of-the-practice software and security engineering methods. |
|
|
|
|
|
|
|
| CCI-000627 |
The organization requires software vendors/manufacturers to minimize flawed or malformed software by demonstrating that their software development process employs quality control processes. |
|
|
|
|
|
|
|
| CCI-000628 |
The organization requires software vendors/manufacturers to minimize flawed or malformed software by demonstrating that their software development processes employ validation techniques. |
|
|
|
|
|
|
|
| CCI-000629 |
The organization ensures each information system component acquired is explicitly assigned to an information system, and that the owner of the system acknowledges this assignment. |
|
|
|
|
|
|
|
| CCI-000630 |
The organization requires in acquisition documents, that information system components are delivered in a secure, documented configuration, and that the secure configuration is the default configuration for any software reinstalls or upgrades. |
|
|
|
|
|
|
|
| CCI-000631 |
The organization employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted. |
The organization conducting the inspection/assessment examines and verifies identified encryption technologies in use by the organization being inspected/assessed are NSA-approved. |
The organization being inspected/assessed must identify and use NSA-approved encryption technologies to protect classified information when the networks or transmission medium used to transmit the information are at a lower classification level than the information being transmitted. |
Acquisition Process | Use Of Information Assurance Products |
SA-4 (6) |
SA-4(6).1 |
COTS IA or IA-enabled information technology products used to protect classified information by cryptographic means may be required to use NSA-approved key management. Related controls: SC-8, SC-12, SC-13. |
The organization:
(a) Employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and
(b) Ensures that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures. |
| CCI-000632 |
The organization employs only commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted. |
|
|
|
|
|
|
|
| CCI-000633 |
The organization ensures that government off-the-shelf (GOTS) or commercial-off-the-shelf(COTS) information assurance (IA) and IA-enabled information technology products have been evaluated and/or validated by the NSA or in accordance with NSA-approved procedures. |
The organization conducting the inspection/assessment examines and verifies identified encryption technologies in use by the organization being inspected/assessed are NSA-approved. |
The organization being inspected/assessed must identify and use NSA-approved encryption technologies to protect classified information when the networks or transmission medium used to transmit the information are at a lower classification level than the information being transmitted. |
Acquisition Process | Use Of Information Assurance Products |
SA-4 (6) |
SA-4(6).2 |
COTS IA or IA-enabled information technology products used to protect classified information by cryptographic means may be required to use NSA-approved key management. Related controls: SC-8, SC-12, SC-13. |
The organization:
(a) Employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and
(b) Ensures that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures. |
| CCI-000634 |
The organization limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists. |
The organization conducting the inspection/assessment obtains and examines the hardware and software lists to ensure the organization being inspected/assessed, when using commercially provided IA and IA-enabled IT products uses only products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists. |
The organization being inspected/assessed, when using commercially provided IA and IA-enabled IT products uses only products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists. |
Acquisition Process | NIAP-Approved Protection Profiles |
SA-4 (7) |
SA-4(7).1 |
Related controls: SC-12, SC-13. |
The organization:
(a) Limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and
(b) Requires, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated. |
| CCI-000635 |
The organization requires, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated. |
The organization conducting the inspection/assessment obtains and examines the hardware and software lists to ensure the organization being inspected/assessed, when using commercially provided IA or IA enabled IT products for which there is no NIAP-approved protection profile, relies on FIPS-validated cryptographic modules. |
The organization being inspected/assessed, when using commercially provided IA or IA enabled IT products for which there is no NIAP-approved protection profile, relies on FIPS-validated cryptographic modules. |
Acquisition Process | NIAP-Approved Protection Profiles |
SA-4 (7) |
SA-4(7).2 |
Related controls: SC-12, SC-13. |
The organization:
(a) Limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and
(b) Requires, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated. |
| CCI-001648 |
The organization makes available to authorized personnel the source code for the information system to permit analysis and testing. |
|
|
|
|
|
|
|
| CCI-000636 |
The organization obtains administrator documentation for the information system that describes secure configuration, installation, and operation of the information system; effective use and maintenance of the security features/functions; and known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions. |
|
|
|
|
|
|
|
| CCI-000637 |
The organization protects, as required, administrator documentation for the information system that describes secure configuration, installation, and operation of the information system; effective use and maintenance of the security features/functions; and known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions. |
|
|
|
|
|
|
|
| CCI-000638 |
The organization makes available to authorized personnel administrator documentation for the information system that describes secure configuration, installation, and operation of the information system; effective use and maintenance of the security features/functions; and known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions. |
|
|
|
|
|
|
|
| CCI-000639 |
The organization obtains user documentation for the information system that describes user-accessible security features/functions and how to effectively use those security features/functions; methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and user responsibilities in maintaining the security of the information and information system. |
|
|
|
|
|
|
|
| CCI-000640 |
The organization protects, as required, user documentation for the information system that describes user-accessible security features/functions and how to effectively use those security features/functions; methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and user responsibilities in maintaining the security of the information and information system. |
|
|
|
|
|
|
|
| CCI-000641 |
The organization makes available to authorized personnel user documentation for the information system that describes user-accessible security features/functions and how to effectively use those security features/functions; methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and user responsibilities in maintaining the security of the information and information system. |
|
|
|
|
|
|
|
| CCI-000642 |
The organization documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent. |
The organization conducting the inspection/assessment obtains and examines the documented attempts to ensure the organization being inspected/assessed documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent. |
The organization being inspected/assessed documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent.
|
Information System Documentation |
SA-5 |
SA-5.11 |
This control helps organizational personnel understand the implementation and operation of security controls associated with information systems, system components, and information system services. Organizations consider establishing specific measures to determine the quality/completeness of the content provided. The inability to obtain needed documentation may occur, for example, due to the age of the information system/component or lack of support from developers and contractors. In those situations, organizations may need to recreate selected documentation if such documentation is essential to the effective implementation or operation of security controls. The level of protection provided for selected information system, component, or service documentation is commensurate with the security category or classification of the system. For example, documentation associated with a key DoD weapons system or command and control system would typically require a higher level of protection than a routine administrative system. Documentation that addresses information system vulnerabilities may also require an increased level of protection. Secure operation of the information system, includes, for example, initially starting the system and resuming secure system operation after any lapse in system operation. Related controls: CM-6, CM-8, PL-2, PL-4, PS-2, SA-3, SA-4. |
The organization:
a. Obtains administrator documentation for the information system, system component, or information system service that describes:
1. Secure configuration, installation, and operation of the system, component, or service;
2. Effective use and maintenance of security functions/mechanisms; and
3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
b. Obtains user documentation for the information system, system component, or information system service that describes:
1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
3. User responsibilities in maintaining the security of the system, component, or service;
c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and [Assignment: organization-defined actions] in response;
d. Protects documentation as required, in accordance with the risk management strategy; and
e. Distributes documentation to [Assignment: organization-defined personnel or roles]. |
| CCI-000643 |
The organization obtains vendor/manufacturer documentation that describes the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing. |
|
|
|
|
|
|
|
| CCI-000644 |
The organization protects, as required, vendor/manufacturer documentation that describes the functional properties of the security controls employed within the information system. |
|
|
|
|
|
|
|
| CCI-000645 |
The organization makes available to authorized personnel vendor/manufacturer documentation that describes the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing. |
|
|
|
|
|
|
|
| CCI-000646 |
The organization obtains vendor/manufacturer documentation that describes the security-relevant external interfaces to the information system with sufficient detail to permit analysis and testing. |
|
|
|
|
|
|
|
| CCI-000647 |
The organization obtains vendor/manufacturer documentation that describes the high-level design of the information system in terms of subsystems and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing. |
|
|
|
|
|
|
|
| CCI-000648 |
The organization protects, as required, vendor/manufacturer documentation that describes the high-level design of the information system in terms of subsystems and implementation details of the security controls employed within the system. |
|
|
|
|
|
|
|
| CCI-000650 |
The organization obtains vendor/manufacturer documentation that describes the low-level design of the information system in terms of modules and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing. |
|
|
|
|
|
|
|
| CCI-000651 |
The organization protects, as required, vendor/manufacturer documentation that describes the low-level design of the information system in terms of modules and implementation details of the security controls employed within the system. |
|
|
|
|
|
|
|
| CCI-000653 |
The organization obtains the source code for the information system to permit analysis and testing. |
|
|
|
|
|
|
|
| CCI-000654 |
The organization protects, as required, the source code for the information system to permit analysis and testing. |
|
|
|
|
|
|
|
| CCI-001690 |
The organization protects, as required, vendor/manufacturer documentation that describes the security-relevant external interfaces to the information system. |
|
|
|
|
|
|
|
| CCI-001691 |
The organization makes available to authorized personnel vendor/manufacturer documentation that describes the security-relevant external interfaces to the information system with sufficient detail to permit analysis and testing. |
|
|
|
|
|
|
|
| CCI-001692 |
The organization makes available to authorized personnel vendor/manufacturer documentation that describes the low-level design of the information system in terms of modules and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing. |
|
|
|
|
|
|
|
| CCI-001649 |
The organization identifies and documents (as appropriate) explicit rules to be enforced when governing the installation of software by users. |
|
|
|
|
|
|
|
| CCI-000663 |
The organization (or information system) enforces explicit rules governing the installation of software by users. |
|
|
|
|
|
|
|
| CCI-001650 |
The organization requires the information system developers to manage and control changes to the information system during development. |
|
|
|
|
|
|
|
| CCI-001651 |
The organization requires the information system integrators to manage and control changes to the information system during development. |
|
|
|
|
|
|
|
| CCI-001652 |
The organization requires the information system developers to manage and control changes to the information system during implementation. |
|
|
|
|
|
|
|
| CCI-001653 |
The organization requires the information system integrators to manage and control changes to the information system during implementation. |
|
|
|
|
|
|
|
| CCI-001654 |
The organization requires the information system developers to manage and control changes to the information system during modification. |
|
|
|
|
|
|
|
| CCI-001655 |
The organization requires the information system integrators to manage and control changes to the information system during modification. |
|
|
|
|
|
|
|
| CCI-000682 |
The organization requires information system developers to perform configuration management during information system design. |
|
|
|
|
|
|
|
| CCI-000683 |
The organization requires information system developers to perform configuration management during information system development. |
|
|
|
|
|
|
|
| CCI-000684 |
The organization requires information system developers to perform configuration management during information system implementation. |
|
|
|
|
|
|
|
| CCI-000685 |
The organization requires information system developers to perform configuration management during information system operation. |
|
|
|
|
|
|
|
| CCI-000686 |
The organization requires information system integrators to perform configuration management during information system design. |
|
|
|
|
|
|
|
| CCI-000687 |
The organization requires information system integrators to perform configuration management during information system development. |
|
|
|
|
|
|
|
| CCI-000688 |
The organization requires information system integrators to perform configuration management during information system implementation. |
|
|
|
|
|
|
|
| CCI-000689 |
The organization requires information system integrators to perform configuration management during information system operation. |
|
|
|
|
|
|
|
| CCI-000690 |
The organization requires information system developers to manage and control changes to the information system during design. |
|
|
|
|
|
|
|
| CCI-000691 |
The organization requires information system integrators to manage and control changes to the information system during design. |
|
|
|
|
|
|
|
| CCI-000692 |
The organization requires the developer of the information system, system component, or information system service to implement only organization-approved changes to the system, component, or service. |
The organization conducting the inspection/assessment obtains and examines contracts/agreements between the organization and the IS developer to confirm the organization has established in its acquisition contracts/agreements the requirement that the IS developer implement only organization-approved changes to the system, component, or service throughout its life cycle. |
The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service implement only organization-approved changes to the system, component, or service throughout its life cycle. |
Developer Configuration Management |
SA-10 |
SA-10.6 |
This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle. Related controls: CM-3, CM-4, CM-9, SA-12, SI-2. |
The organization requires the developer of the information system, system component, or information system service to:
a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];
b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]. |
| CCI-000693 |
The organization requires information system integrators to implement only organization-approved changes. |
|
|
|
|
|
|
|
| CCI-000694 |
The organization requires the developer of the information system, system component, or information system service to document approved changes to the system, component, or service. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service document approved changes to the system, component, or service. |
The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service document approved changes to the system, component, or service. |
Developer Configuration Management |
SA-10 |
SA-10.7 |
This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle. Related controls: CM-3, CM-4, CM-9, SA-12, SI-2. |
The organization requires the developer of the information system, system component, or information system service to:
a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];
b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]. |
| CCI-000695 |
The organization requires information system integrators to document approved changes to the information system. |
|
|
|
|
|
|
|
| CCI-000696 |
The organization requires that information system developers track security flaws and flaw resolution. |
|
|
|
|
|
|
|
| CCI-000697 |
The organization requires information system integrators to track security flaws and flaw resolution. |
|
|
|
|
|
|
|
| CCI-000698 |
The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service enable integrity verification of software and firmware components. |
The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service enable integrity verification of software and firmware components.
The organization being inspected/assessed requires the developer to enable integrity verification of software and firmware that may include:
1. Stipulating and monitoring logical delivery of products and services, requiring downloading from approved, verification-enhanced sites;
2. Encrypting elements (software, software patches, etc.) and supply chain process data in transit (motion) and at rest throughout delivery;
3. Requiring suppliers to provide their elements “secure by default”, so that additional configuration is required to make the element insecure;
4. Implementing software designs using programming languages and tools that reduce the likelihood of weaknesses;
5. Implementing cryptographic hash verification; and
6. Establishing performance and sub-element baseline for the system and system elements to help detect unauthorized tampering/modification during repairs/refurbishing.
|
Developer Configuration Management | Software / Firmware Integrity Verification |
SA-10 (1) |
SA-10(1).1 |
This control enhancement allows organizations to detect unauthorized changes to software and firmware components through the use of tools, techniques, and/or mechanisms provided by developers. Integrity checking mechanisms can also address counterfeiting of software and firmware components. Organizations verify the integrity of software and firmware components, for example, through secure one-way hashes provided by developers. Delivered software and firmware components also include any updates to such components. Related control: SI-7. |
The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components. |
| CCI-000699 |
The organization requires information system integrators to provide an integrity check of software to facilitate organizational verification of software integrity after delivery. |
|
|
|
|
|
|
|
| CCI-000700 |
The organization provides an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team. |
The organization conducting the inspection/assessment obtains and examines the Configuration Control Board (CCB) charter to determine if the organization, in the absence of a dedicated software developer configuration management team, has established an alternate configuration management process that is staffed with key organizational personnel. |
The organization being inspected/assessed, in the absence of a dedicated software developer configuration management team, establishes an alternate configuration management process that is staffed with appropriate key organizational personnel. |
Developer Configuration Management | Alternative Configuration Management Processes |
SA-10 (2) |
SA-10(2).1 |
Alternate configuration management processes may be required, for example, when organizations use commercial off-the-shelf (COTS) information technology products. Alternate configuration management processes include organizational personnel that: (i) are responsible for reviewing/approving proposed changes to information systems, system components, and information system services; and (ii) conduct security impact analyses prior to the implementation of any changes to systems, components, or services (e.g., a configuration control board that considers security impacts of changes during development and includes representatives of both the organization and the developer, when applicable). |
The organization provides an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team. |
| CCI-000701 |
The organization provides an alternative configuration management process with organizational personnel in the absence of a dedicated integrator configuration management team. |
|
|
|
|
|
|
|
| CCI-001656 |
The organization defines the security functions of the information system to be isolated from nonsecurity functions. |
|
|
|
|
|
|
|
| CCI-001084 |
The information system isolates security functions from nonsecurity functions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to isolate security functions from nonsecurity functions.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1084. |
The organization being inspected/assessed configures the information system to isolate security functions from nonsecurity functions.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1084. |
Security Function Isolation |
SC-3 |
SC-3.1 |
The information system isolates security functions from nonsecurity functions by means of an isolation boundary (implemented via partitions and domains). Such isolation controls access to and protects the integrity of the hardware, software, and firmware that perform those security functions. Information systems implement code separation (i.e., separation of security functions from nonsecurity functions) in a number of ways, including, for example, through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that serve to protect the code on disk, and address space protections that protect executing code. Information systems restrict access to security functions through the use of access control mechanisms and by implementing least privilege capabilities. While the ideal is for all of the code within the security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include nonsecurity functions within the isolation boundary as an exception. Related controls: AC-3, AC-6, SA-4, SA-5, SA-8, SA-13, SC-2, SC-7, SC-39. |
The information system isolates security functions from nonsecurity functions. |
| CCI-001085 |
The information system utilizes underlying hardware separation mechanisms to implement security function isolation. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to utilize underlying hardware separation mechanisms to implement security function isolation.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1085. |
The organization being inspected/assessed configures the information system to utilize underlying hardware separation mechanisms to implement security function isolation.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1085. |
Security Function Isolation | Hardware Separation |
SC-3 (1) |
SC-3(1).1 |
Underlying hardware separation mechanisms include, for example, hardware ring architectures, commonly implemented within microprocessors, and hardware-enforced address segmentation used to support logically distinct storage objects with separate attributes (i.e., readable, writeable). |
The information system utilizes underlying hardware separation mechanisms to implement security function isolation. |
| CCI-001086 |
The information system isolates security functions enforcing access and information flow control from both nonsecurity functions and from other security functions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to isolate security functions enforcing access and information flow control from both nonsecurity functions and from other security functions.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1086. |
The organization being inspected/assessed configures the information system to isolate security functions enforcing access and information flow control from both nonsecurity functions and from other security functions.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1086. |
Security Function Isolation | Access / Flow Control Functions |
SC-3 (2) |
SC-3(2).1 |
Security function isolation occurs as a result of implementation; the functions can still be scanned and monitored. Security functions that are potentially isolated from access and flow control enforcement functions include, for example, auditing, intrusion detection, and anti-virus functions. |
The information system isolates security functions enforcing access and information flow control from nonsecurity functions and from other security functions. |
| CCI-001087 |
The organization implements an information system isolation boundary to minimize the number of nonsecurity functions included within the boundary containing security functions. |
|
|
|
|
|
|
|
| CCI-001088 |
The organization implements security functions as largely independent modules that avoid unnecessary interactions between modules. |
|
|
|
|
|
|
|
| CCI-001089 |
The organization implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1089. |
The organization being inspected/assessed configures the information system to implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1089. |
Security Function Isolation | Layered Structures |
SC-3 (5) |
SC-3(5).1 |
The implementation of layered structures with minimized interactions among security functions and non-looping layers (i.e., lower-layer functions do not depend on higher-layer functions) further enables the isolation of security functions and management of complexity. |
The organization implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. |
| CCI-001657 |
The organization defines the external boundary of the information system. |
|
|
|
|
|
|
|
| CCI-001658 |
The organization defines key internal boundaries of the information system. |
|
|
|
|
|
|
|
| CCI-001659 |
The organization defines the mediation necessary for public access to the organization's internal networks. |
|
|
|
|
|
|
|
| CCI-001660 |
The organization defines the measures to protect against unauthorized physical connections across boundary protections implemented at organization-defined managed interfaces. |
|
|
|
|
|
|
|
| CCI-001097 |
The information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of monitoring activities to ensure the organization being inspected/assessed monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. |
The organization being inspected/assessed documents and implements processes to monitor and control communications at the external boundary of the system and at key internal boundaries within the system.
The organization must maintain an audit trail of monitoring activities. |
Boundary Protection |
SC-7 |
SC-7.1 |
Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. Related controls: AC-4, AC-17, CA-3, CM-7, CP-8, IR-4, RA-3, SC-5, SC-13. |
The information system:
a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. |
| CCI-001098 |
The information system connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. |
The organization conducting the inspection/assessment obtains and examines network topology diagrams, architecture documentation, or any other documentation identifying component connectivity to ensure the organization being inspected/assessed connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. |
The organization being inspected/assessed designs the information system to enforce requirements that components connect to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. |
Boundary Protection |
SC-7 |
SC-7.3 |
Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. Related controls: AC-4, AC-17, CA-3, CM-7, CP-8, IR-4, RA-3, SC-5, SC-13. |
The information system:
a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. |
| CCI-001099 |
The organization physically allocates publicly accessible information system components to separate subnetworks with separate physical network interfaces. |
|
|
|
|
|
|
|
| CCI-001100 |
The information system prevents public access into the organization's internal networks except as appropriately mediated by managed interfaces employing boundary protection devices. |
|
|
|
|
|
|
|
| CCI-001101 |
The organization limits the number of external network connections to the information system. |
The organization conducting the inspection/assessment obtains and examines the documented access control mechanisms to ensure that the organization being inspected/assessed limits the number of external network connections to the information system. |
The organization being inspected/assessed documents and implements information system access control mechanisms to limit the number of external connections to the information system. |
Boundary Protection | Access Points |
SC-7 (3) |
SC-7(3).1 |
Limiting the number of external network connections facilitates more comprehensive monitoring of inbound and outbound communications traffic. The Trusted Internet Connection (TIC) initiative is an example of limiting the number of external network connections. |
The organization limits the number of external network connections to the information system. |
| CCI-001102 |
The organization implements a managed interface for each external telecommunication service. |
The organization conducting the inspection/assessment obtains and examines network topology diagrams, architecture documentation, or any other documentation identifying system interfaces to ensure the organization being inspected/assessed implements a managed interface for each external telecommunication service. |
The organization being inspected/assessed designs the information system to have a managed interface for each telecommunication service. |
Boundary Protection | External Telecommunications Services |
SC-7 (4) |
SC-7(4).1 |
Related control: SC-8. |
The organization:
(a) Implements a managed interface for each external telecommunication service;
(b) Establishes a traffic flow policy for each managed interface;
(c) Protects the confidentiality and integrity of the information being transmitted across each interface;
(d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and
(e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need. |
| CCI-001103 |
The organization establishes a traffic flow policy for each managed interface for each external telecommunication service. |
The organization conducting the inspection/assessment obtains and examines the documented traffic flow policy to ensure the organization being inspected/assessed establishes a traffic flow policy for each managed interface for each external telecommunication service. |
The organization being inspected/assessed defines and documents a traffic flow policy for each managed interface for each external telecommunication service. |
Boundary Protection | External Telecommunications Services |
SC-7 (4) |
SC-7(4).2 |
Related control: SC-8. |
The organization:
(a) Implements a managed interface for each external telecommunication service;
(b) Establishes a traffic flow policy for each managed interface;
(c) Protects the confidentiality and integrity of the information being transmitted across each interface;
(d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and
(e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need. |
| CCI-001104 |
The organization employs security controls as needed to protect the confidentiality and integrity of the information being transmitted. |
|
|
|
|
|
|
|
| CCI-001105 |
The organization documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need for each external telecommunication service. |
The organization conducting the inspection/assessment obtains and examines the documented exceptions to the traffic flow policy to ensure the organization being inspected/assessed identifies each exception with supporting mission/business need and duration of that need for each external telecommunication service. |
The organization being inspected/assessed documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need for each external telecommunication service. |
Boundary Protection | External Telecommunications Services |
SC-7 (4) |
SC-7(4).4 |
Related control: SC-8. |
The organization:
(a) Implements a managed interface for each external telecommunication service;
(b) Establishes a traffic flow policy for each managed interface;
(c) Protects the confidentiality and integrity of the information being transmitted across each interface;
(d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and
(e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need. |
| CCI-001106 |
The organization reviews exceptions to the traffic flow policy on an organization-defined frequency for each external telecommunication service. |
The organization conducting the inspection/assessment obtains and examines the audit trail of reviews to ensure the organization being inspected/assessed reviews exceptions to the traffic flow policy every 180 days for each external telecommunication service.
DoD has defined the frequency as every 180 days. |
The organization being inspected/assessed implements a process to review exceptions to the traffic flow policy every 180 days for each external telecommunication service.
The organization must maintain an audit trail of reviews.
DoD has defined the frequency as every 180 days. |
Boundary Protection | External Telecommunications Services |
SC-7 (4) |
SC-7(4).5 |
Related control: SC-8. |
The organization:
(a) Implements a managed interface for each external telecommunication service;
(b) Establishes a traffic flow policy for each managed interface;
(c) Protects the confidentiality and integrity of the information being transmitted across each interface;
(d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and
(e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need. |
| CCI-001107 |
The organization defines a frequency for the review of exceptions to the traffic flow policy for each external telecommunication service. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as every 180 days. |
DoD has defined the frequency as every 180 days. |
Boundary Protection | External Telecommunications Services |
SC-7 (4) |
SC-7(4).6 |
Related control: SC-8. |
The organization:
(a) Implements a managed interface for each external telecommunication service;
(b) Establishes a traffic flow policy for each managed interface;
(c) Protects the confidentiality and integrity of the information being transmitted across each interface;
(d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and
(e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need. |
| CCI-001108 |
The organization removes traffic flow policy exceptions that are no longer supported by an explicit mission/business need for each external telecommunication service. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as a sampling of existing exceptions to ensure the organization being inspected/assessed removes traffic flow policy exceptions that are no longer supported by an explicit mission/business need for each external telecommunication service. |
The organization being inspected/assessed documents and implements a process to remove traffic flow policy exceptions that are no longer supported by an explicit mission/business need for each external telecommunication service. |
Boundary Protection | External Telecommunications Services |
SC-7 (4) |
SC-7(4).7 |
Related control: SC-8. |
The organization:
(a) Implements a managed interface for each external telecommunication service;
(b) Establishes a traffic flow policy for each managed interface;
(c) Protects the confidentiality and integrity of the information being transmitted across each interface;
(d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and
(e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need. |
| CCI-001109 |
The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception). |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to deny network communications traffic at managed interfaces by default and allows network communications traffic by exception (i.e., deny all, permit by exception).
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1109. |
The organization being inspected/assessed configures the information system to deny network communications traffic at managed interfaces by default and allows network communications traffic by exception (i.e., deny all, permit by exception).
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1109. |
Boundary Protection | Deny By Default / Allow By Exception |
SC-7 (5) |
SC-7(5).1 |
This control enhancement applies to both inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed. |
The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception). |
| CCI-001110 |
The organization prevents the unauthorized release of information outside of the information system boundary or any unauthorized communication through the information system boundary when there is an operational failure of the boundary protection mechanisms. |
|
|
|
|
|
|
|
| CCI-001111 |
The information system prevents remote devices that have established a non-remote connection with the system from communicating outside of that communications path with resources in external networks. |
|
|
|
|
|
|
|
| CCI-001112 |
The information system routes organization-defined internal communications traffic to organization-defined external networks through authenticated proxy servers at managed interfaces. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to route protocols as designated by PPSM guidance (e.g. HTTPS, HTTP, FTP, SNMP) to any network external to the authorization boundary through authenticated proxy servers at managed interfaces.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1112.
DoD has defined the internal communications traffic as protocols as designated by PPSM guidance (e.g. HTTPS, HTTP, FTP, SNMP).
DoD has defined the external networks as any network external to the authorization boundary. |
The organization being inspected/assessed configures the information system to route protocols as designated by PPSM guidance (e.g. HTTPS, HTTP, FTP, SNMP) to any network external to the authorization boundary through authenticated proxy servers at managed interfaces.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1112.
DoD has defined the internal communications traffic as protocols as designated by PPSM guidance (e.g. HTTPS, HTTP, FTP, SNMP).
DoD has defined the external networks as any network external to the authorization boundary. |
Boundary Protection | Route Traffic To Authenticated Proxy Servers |
SC-7 (8) |
SC-7(8).1 |
External networks are networks outside of organizational control. A proxy server is a server (i.e., information system or application) that acts as an intermediary for clients requesting information system resources (e.g., files, connections, web pages, or services) from other organizational servers. Client requests established through an initial connection to the proxy server are evaluated to manage complexity and to provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers providing access to the Internet. Proxy servers support logging individual Transmission Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators (URLs), domain names, and Internet Protocol (IP) addresses. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Related controls: AC-3, AU-2. |
The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces. |
| CCI-001113 |
The organization defines the internal communications traffic to be routed to external networks. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the internal communications traffic as protocols as designated by PPSM guidance (e.g. HTTPS, HTTP, FTP, SNMP). |
DoD has defined the internal communications traffic as protocols as designated by PPSM guidance (e.g. HTTPS, HTTP, FTP, SNMP). |
Boundary Protection | Route Traffic To Authenticated Proxy Servers |
SC-7 (8) |
SC-7(8).2 |
External networks are networks outside of organizational control. A proxy server is a server (i.e., information system or application) that acts as an intermediary for clients requesting information system resources (e.g., files, connections, web pages, or services) from other organizational servers. Client requests established through an initial connection to the proxy server are evaluated to manage complexity and to provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers providing access to the Internet. Proxy servers support logging individual Transmission Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators (URLs), domain names, and Internet Protocol (IP) addresses. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Related controls: AC-3, AU-2. |
The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces. |
| CCI-001114 |
The organization defines the external networks to which organization-defined internal communications traffic should be routed. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the external networks as any network external to the authorization boundary. |
DoD has defined the external networks as any network external to the authorization boundary. |
Boundary Protection | Route Traffic To Authenticated Proxy Servers |
SC-7 (8) |
SC-7(8).3 |
External networks are networks outside of organizational control. A proxy server is a server (i.e., information system or application) that acts as an intermediary for clients requesting information system resources (e.g., files, connections, web pages, or services) from other organizational servers. Client requests established through an initial connection to the proxy server are evaluated to manage complexity and to provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers providing access to the Internet. Proxy servers support logging individual Transmission Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators (URLs), domain names, and Internet Protocol (IP) addresses. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Related controls: AC-3, AU-2. |
The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces. |
| CCI-001115 |
The information system, at managed interfaces, denies network traffic and audits internal users (or malicious code) posing a threat to external information systems. |
|
|
|
|
|
|
|
| CCI-001116 |
The organization prevents the unauthorized exfiltration of information across managed interfaces. |
The organization conducting the inspection/assessment obtains and examines the documented mechanisms to ensure the organization being inspected/assessed prevents the unauthorized exfiltration of information across managed interfaces. |
The organization being inspected/assessed documents and implements mechanisms to prevent the unauthorized exfiltration of information across managed interfaces. |
Boundary Protection | Prevent Unauthorized Exfiltration |
SC-7 (10) |
SC-7(10).1 |
Safeguards implemented by organizations to prevent unauthorized exfiltration of information from information systems include, for example: (i) strict adherence to protocol formats; (ii) monitoring for beaconing from information systems; (iii) monitoring for steganography; (iv) disconnecting external network interfaces except when explicitly needed; (v) disassembling and reassembling packet headers; and (vi) employing traffic profile analysis to detect deviations from the volume/types of traffic expected within organizations or call backs to command and control centers. Devices enforcing strict adherence to protocol formats include, for example, deep packet inspection firewalls and XML gateways. These devices verify adherence to protocol formats and specification at the application layer and serve to identify vulnerabilities that cannot be detected by devices operating at the network or transport layers. This control enhancement is closely associated with cross-domain solutions and system guards enforcing information flow requirements. Related control: SI-3. |
The organization prevents the unauthorized exfiltration of information across managed interfaces. |
| CCI-001117 |
The information system checks incoming communications to ensure the communications are coming from an authorized source and routed to an authorized destination. |
|
|
|
|
|
|
|
| CCI-001118 |
The information system implements host-based boundary protection mechanisms for servers, workstations, and mobile devices. |
|
|
|
|
|
|
|
| CCI-001119 |
The organization isolates organization-defined information security tools, mechanisms, and support components from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system. |
The organization conducting the inspection/assessment obtains and examines network topology diagrams, architecture documentation, or any other documentation identifying component partitioning to ensure the organization being inspected/assessed isolates key information security tools, mechanisms, and support components such as, but not limited to PKI, Patching infrastructure, HBSS, CND Tools, Special Purpose Gateway, vulnerability tracking systems, honeypots, internet access points (IAPs); network element and data center administrative/management traffic; Demilitarized Zones (DMZs), Server farms/computing centers, centralized audit log servers etc. from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system.
DoD has defined the key information security tools, mechanisms, and support components as key information security tools, mechanisms, and support components such as, but not limited to PKI, Patching infrastructure, HBSS, CND Tools, Special Purpose Gateway, vulnerability tracking systems, honeypots, internet access points (IAPs); network element and data center administrative/management traffic; Demilitarized Zones (DMZs), Server farms/computing centers, centralized audit log servers etc. |
The organization being inspected/assessed designs the information system to isolate key information security tools, mechanisms, and support components such as, but not limited to PKI, Patching infrastructure, HBSS, CND Tools, Special Purpose Gateway, vulnerability tracking systems, honeypots, internet access points (IAPs); network element and data center administrative/management traffic; Demilitarized Zones (DMZs), Server farms/computing centers, centralized audit log servers etc. from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system.
DoD has defined the key information security tools, mechanisms, and support components as key information security tools, mechanisms, and support components such as, but not limited to PKI, Patching infrastructure, HBSS, CND Tools, Special Purpose Gateway, vulnerability tracking systems, honeypots, internet access points (IAPs); network element and data center administrative/management traffic; Demilitarized Zones (DMZs), Server farms/computing centers, centralized audit log servers etc.
|
Boundary Protection | Isolation Of Security Tools / Mechanisms / Support Components |
SC-7 (13) |
SC-7(13).1 |
Physically separate subnetworks with managed interfaces are useful, for example, in isolating computer network defenses from critical operational processing networks to prevent adversaries from discovering the analysis and forensics techniques of organizations. Related controls: SA-8, SC-2, SC-3. |
The organization isolates [Assignment: organization-defined information security tools, mechanisms, and support components] from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system. |
| CCI-001120 |
The organization defines key information security tools, mechanisms, and support components to be isolated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the key information security tools, mechanisms, and support components as key information security tools, mechanisms, and support components such as, but not limited to PKI, Patching infrastructure, HBSS, CND Tools, Special Purpose Gateway, vulnerability tracking systems, honeypots, internet access points (IAPs); network element and data center administrative/management traffic; Demilitarized Zones (DMZs), Server farms/computing centers, centralized audit log servers etc. |
DoD has defined the key information security tools, mechanisms, and support components as key information security tools, mechanisms, and support components such as, but not limited to PKI, Patching infrastructure, HBSS, CND Tools, Special Purpose Gateway, vulnerability tracking systems, honeypots, internet access points (IAPs); network element and data center administrative/management traffic; Demilitarized Zones (DMZs), Server farms/computing centers, centralized audit log servers etc. |
Boundary Protection | Isolation Of Security Tools / Mechanisms / Support Components |
SC-7 (13) |
SC-7(13).2 |
Physically separate subnetworks with managed interfaces are useful, for example, in isolating computer network defenses from critical operational processing networks to prevent adversaries from discovering the analysis and forensics techniques of organizations. Related controls: SA-8, SC-2, SC-3. |
The organization isolates [Assignment: organization-defined information security tools, mechanisms, and support components] from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system. |
| CCI-001121 |
The organization protects against unauthorized physical connections at organization-defined managed interfaces. |
The organization conducting the inspection/assessment obtains and examines the documented mechanisms to ensure the organization being inspected/assessed protects against unauthorized physical connections at internet access points, enclave LAN to WAN, cross domain solutions, and any DoD Approved Alternate Gateways.
DoD has defined the managed interfaces as internet access points, enclave LAN to WAN, cross domain solutions, and any DoD Approved Alternate Gateways. |
The organization being inspected/assessed documents and implements mechanisms to protect against unauthorized physical connections at internet access points, enclave LAN to WAN, cross domain solutions, and any DoD Approved Alternate Gateways.
DoD has defined the managed interfaces as internet access points, enclave LAN to WAN, cross domain solutions, and any DoD Approved Alternate Gateways. |
Boundary Protection | Protects Against Unauthorized Physical Connection |
SC-7 (14) |
SC-7(14).1 |
Information systems operating at different security categories or classification levels may share common physical and environmental controls, since the systems may share space within organizational facilities. In practice, it is possible that these separate information systems may share common equipment rooms, wiring closets, and cable distribution paths. Protection against unauthorized physical connections can be achieved, for example, by employing clearly identified and physically separated cable trays, connection frames, and patch panels for each side of managed interfaces with physical access controls enforcing limited authorized access to these items. Related controls: PE-4, PE-19. |
The organization protects against unauthorized physical connections at [Assignment: organization-defined managed interfaces]. |
| CCI-001122 |
The organization defines the managed interfaces where boundary protections against unauthorized physical connections are to be implemented. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the managed interfaces as internet access points, enclave LAN to WAN, cross domain solutions, and any DoD Approved Alternate Gateways. |
DoD has defined the managed interfaces as internet access points, enclave LAN to WAN, cross domain solutions, and any DoD Approved Alternate Gateways. |
Boundary Protection | Protects Against Unauthorized Physical Connection |
SC-7 (14) |
SC-7(14).2 |
Information systems operating at different security categories or classification levels may share common physical and environmental controls, since the systems may share space within organizational facilities. In practice, it is possible that these separate information systems may share common equipment rooms, wiring closets, and cable distribution paths. Protection against unauthorized physical connections can be achieved, for example, by employing clearly identified and physically separated cable trays, connection frames, and patch panels for each side of managed interfaces with physical access controls enforcing limited authorized access to these items. Related controls: PE-4, PE-19. |
The organization protects against unauthorized physical connections at [Assignment: organization-defined managed interfaces]. |
| CCI-001123 |
The information system routes all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing. |
The organization conducting the inspection/assessment obtains and examines network topology diagrams, architecture documentation, or any other documentation identifying network data flow to ensure the organization being inspected/assessed routes all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing. |
The organization being inspected/assessed designs the information system to route all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing. |
Boundary Protection | Route Privileged Network Accesses |
SC-7 (15) |
SC-7(15).1 |
Related controls: AC-2, AC-3, AU-2, SI-4. |
The information system routes all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing. |
| CCI-001124 |
The information system prevents discovery of specific system components composing a managed interface. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prevent discovery of specific system components composing a managed interface.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1124. |
The organization being inspected/assessed configures the information system to prevent discovery of specific system components composing a managed interface.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1124. |
Boundary Protection | Prevent Discovery Of Components / Devices |
SC-7 (16) |
SC-7(16).1 |
This control enhancement protects network addresses of information system components that are part of managed interfaces from discovery through common tools and techniques used to identify devices on networks. Network addresses are not available for discovery (e.g., network address not published or entered in domain name systems), requiring prior knowledge for access. Another obfuscation technique is to periodically change network addresses. |
The information system prevents discovery of specific system components (or devices) composing a managed interface. |
| CCI-001125 |
The information system enforces adherence to protocol format. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce adherence to protocol format.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1125. |
The organization being inspected/assessed configures the information system to enforce adherence to protocol format.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1125. |
Boundary Protection | Automated Enforcement Of Protocol Formats |
SC-7 (17) |
SC-7(17).1 |
Information system components that enforce protocol formats include, for example, deep packet inspection firewalls and XML gateways. Such system components verify adherence to protocol formats/specifications (e.g., IEEE) at the application layer and identify significant vulnerabilities that cannot be detected by devices operating at the network or transport layers. Related control: SC-4. |
The information system enforces adherence to protocol formats. |
| CCI-001126 |
The information system fails securely in the event of an operational failure of a boundary protection device. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to fail securely in the event of an operational failure of a boundary protection device.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1126. |
The organization being inspected/assessed configures the information system to fail securely in the event of an operational failure of a boundary protection device.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1126. |
Boundary Protection | Fail Secure |
SC-7 (18) |
SC-7(18).1 |
Fail secure is a condition achieved by employing information system mechanisms to ensure that in the event of operational failures of boundary protection devices at managed interfaces (e.g., routers, firewalls, guards, and application gateways residing on protected subnetworks commonly referred to as demilitarized zones), information systems do not enter into unsecure states where intended security properties no longer hold. Failures of boundary protection devices cannot lead to, or cause information external to the devices to enter the devices, nor can failures permit unauthorized information releases. Related controls: CP-2, SC-24. |
The information system fails securely in the event of an operational failure of a boundary protection device. |
| CCI-001661 |
The organization defines the security functions, to minimally include information system authentication and re-authentication, within the information system to be included in a trusted communications path. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the security functions as providers of authentication, reauthentication, and all privileged commands (administration, monitoring, and controlling). |
DoD has defined the security functions as providers of authentication, reauthentication, and all privileged commands (administration, monitoring, and controlling). |
Trusted Path |
SC-11 |
SC-11.2 |
Trusted paths are mechanisms by which users (through input devices) can communicate directly with security functions of information systems with the requisite assurance to support information security policies. The mechanisms can be activated only by users or the security functions of organizational information systems. User responses via trusted paths are protected from modifications by or disclosure to untrusted applications. Organizations employ trusted paths for high-assurance connections between security functions of information systems and users (e.g., during system logons). Enforcement of trusted communications paths is typically provided via an implementation that meets the reference monitor concept. Related controls: AC-16, AC-25. |
The information system establishes a trusted communications path between the user and the following security functions of the system: [Assignment: organization-defined security functions to include at a minimum, information system authentication and re-authentication]. |
| CCI-001135 |
The information system establishes a trusted communications path between the user and organization-defined security functions within the information system. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to establish a trusted communications path between the user and providers of authentication, reauthentication, and all privileged commands (administration, monitoring, and controlling) within the information system.
Additionally, the organization conducting the inspection/assessment obtains and examines network topology diagrams, architecture documentation, or any other documentation identifying data flow to ensure the organization being inspected/assessed establishes a trusted communications path between the user and providers of authentication, reauthentication, and all privileged commands (administration, monitoring, and controlling) within the information system.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1135.
DoD has defined the security functions as providers of authentication, reauthentication, and all privileged commands (administration, monitoring, and controlling). |
The organization being inspected/assessed designs and configures the information system to establish a trusted communications path between the user and providers of authentication, reauthentication, and all privileged commands (administration, monitoring, and controlling) within the information system.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1135.
DoD has defined the security functions as providers of authentication, reauthentication, and all privileged commands (administration, monitoring, and controlling). |
Trusted Path |
SC-11 |
SC-11.1 |
Trusted paths are mechanisms by which users (through input devices) can communicate directly with security functions of information systems with the requisite assurance to support information security policies. The mechanisms can be activated only by users or the security functions of organizational information systems. User responses via trusted paths are protected from modifications by or disclosure to untrusted applications. Organizations employ trusted paths for high-assurance connections between security functions of information systems and users (e.g., during system logons). Enforcement of trusted communications paths is typically provided via an implementation that meets the reference monitor concept. Related controls: AC-16, AC-25. |
The information system establishes a trusted communications path between the user and the following security functions of the system: [Assignment: organization-defined security functions to include at a minimum, information system authentication and re-authentication]. |
| CCI-001136 |
The organization defines security functions include information system authentication and reauthentication. |
|
|
|
|
|
|
|
| CCI-001662 |
The information system takes organization-defined corrective action when organization-defined unacceptable mobile code is identified. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to take corrective actions defined in SC-18 (1), CCI 2457 when unacceptable mobile code defined in SC-18 (1), CCI 2458 is identified.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1662. |
The organization being inspected/assessed configures the information system to take corrective actions defined in SC-18 (1), CCI 2457 when unacceptable mobile code defined in SC-18 (1), CCI 2458 is identified.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1662. |
Mobile Code | Identify Unacceptable Code / Take Corrective Actions |
SC-18 (1) |
SC-18(1).2 |
Corrective actions when unacceptable mobile code is detected include, for example, blocking, quarantine, or alerting administrators. Blocking includes, for example, preventing transmission of word processing files with embedded macros when such macros have been defined to be unacceptable mobile code. |
The information system identifies [Assignment: organization-defined unacceptable mobile code] and takes [Assignment: organization-defined corrective actions]. |
| CCI-001162 |
The organization establishes implementation guidance for acceptable mobile code and mobile code technologies. |
The Protection Profile for Web Browsers and Application SRG
meet the DoD requirement to establish implementation guidance for acceptable mobile code and mobile code technologies.
DoD Components are automatically compliant with this CCI because they are covered by the Protection Profile for Web Browsers and Application SRG. |
The Protection Profile for Web Browsers and Application SRG
meet the DoD requirement to establish implementation guidance for acceptable mobile code and mobile code technologies.
DoD Components are automatically compliant with this CCI because they are covered by the Protection Profile for Web Browsers and Application SRG. |
Mobile Code |
SC-18 |
SC-18.3 |
Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones). Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems. Related controls: AU-2, AU-12, CM-2, CM-6, SI-3. |
The organization:
a. Defines acceptable and unacceptable mobile code and mobile code technologies;
b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and
c. Authorizes, monitors, and controls the use of mobile code within the information system. |
| CCI-001163 |
The organization authorizes the use of mobile code within the information system. |
The organization conducting the inspection/assessment obtains and examines the documented list of mobile code which is authorized for use within the information system and examines the information system to ensure that all used mobile code is authorized. |
The organization being inspected/assessed documents mobile code which is authorized for use within the information system. |
Mobile Code |
SC-18 |
SC-18.4 |
Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones). Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems. Related controls: AU-2, AU-12, CM-2, CM-6, SI-3. |
The organization:
a. Defines acceptable and unacceptable mobile code and mobile code technologies;
b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and
c. Authorizes, monitors, and controls the use of mobile code within the information system. |
| CCI-001164 |
The organization monitors the use of mobile code within the information system. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as any artifacts applicable to monitoring of mobile code to ensure the organization being inspected/assessed monitors the use of mobile code within the information system. |
The organization being inspected/assessed documents and implements a process to monitor the use of mobile code within the information system. |
Mobile Code |
SC-18 |
SC-18.5 |
Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones). Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems. Related controls: AU-2, AU-12, CM-2, CM-6, SI-3. |
The organization:
a. Defines acceptable and unacceptable mobile code and mobile code technologies;
b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and
c. Authorizes, monitors, and controls the use of mobile code within the information system. |
| CCI-001165 |
The organization controls the use of mobile code within the information system. |
The organization conducting the inspection/assessment obtains and examines the documented process and examines the information system to ensure the organization being inspected/assessed controls the use of mobile code within the information system. |
The organization being inspected/assessed documents and implements a process to control the use of mobile code within the information system. |
Mobile Code |
SC-18 |
SC-18.6 |
Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones). Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems. Related controls: AU-2, AU-12, CM-2, CM-6, SI-3. |
The organization:
a. Defines acceptable and unacceptable mobile code and mobile code technologies;
b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and
c. Authorizes, monitors, and controls the use of mobile code within the information system. |
| CCI-001166 |
The information system identifies organization-defined unacceptable mobile code. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to identify unacceptable mobile code defined in SC-18 (1), CCI 2458.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1166. |
The organization being inspected/assessed configures the information system to identify unacceptable mobile code defined in SC-18 (1), CCI 2458.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1166. |
Mobile Code | Identify Unacceptable Code / Take Corrective Actions |
SC-18 (1) |
SC-18(1).1 |
Corrective actions when unacceptable mobile code is detected include, for example, blocking, quarantine, or alerting administrators. Blocking includes, for example, preventing transmission of word processing files with embedded macros when such macros have been defined to be unacceptable mobile code. |
The information system identifies [Assignment: organization-defined unacceptable mobile code] and takes [Assignment: organization-defined corrective actions]. |
| CCI-001167 |
The organization ensures the development of mobile code to be deployed in information systems meets organization-defined mobile code requirements. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed develops mobile code IAW the requirements defined in CCI 1168. |
The organization being inspected/assessed documents and implements a process to develop mobile code IAW the requirements defined in CCI 1168. |
Mobile Code | Acquisition / Development / Use |
SC-18 (2) |
SC-18(2).1 |
|
The organization ensures that the acquisition, development, and use of mobile code to be deployed in the information system meets [Assignment: organization-defined mobile code requirements]. |
| CCI-001168 |
The organization defines requirements for the acquisition, development, and use of mobile code. |
The organization conducting the inspection/assessment obtains and examines the documented requirements to ensure the organization being inspected/assessed defines requirements for the acquisition, development, and use of mobile code.
DoD has determined the requirements are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents requirements for the acquisition, development, and use of mobile code. The requirements must result in the acquisition and development of mobile code which complies with the Protection Profile for Web Browsers and Application SRG.
DoD has determined the requirements are not appropriate to define at the Enterprise level.
|
Mobile Code | Acquisition / Development / Use |
SC-18 (2) |
SC-18(2).2 |
|
The organization ensures that the acquisition, development, and use of mobile code to be deployed in the information system meets [Assignment: organization-defined mobile code requirements]. |
| CCI-001169 |
The information system prevents the download of organization-defined unacceptable mobile code. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prevent the download of unacceptable mobile code defined in CCI 2459.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1169.
|
The organization being inspected/assessed configures the information system to prevent the download of unacceptable mobile code defined in CCI 2459.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1169.
|
Mobile Code | Prevent Downloading / Execution |
SC-18 (3) |
SC-18(3).1 |
|
The information system prevents the download and execution of [Assignment: organization defined unacceptable mobile code]. |
| CCI-001170 |
The information system prevents the automatic execution of mobile code in organization-defined software applications. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prevent the automatic execution of unacceptable mobile code in software applications defined in CCI 1171.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1170. |
The organization being inspected/assessed configures the information system to prevent the automatic execution of unacceptable mobile code in software applications defined in CCI 1171.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1170.
|
Mobile Code | Prevent Automatic Execution |
SC-18 (4) |
SC-18(4).1 |
Actions enforced before executing mobile code, include, for example, prompting users prior to opening electronic mail attachments. Preventing automatic execution of mobile code includes, for example, disabling auto execute features on information system components employing portable storage devices such as Compact Disks (CDs), Digital Video Disks (DVDs), and Universal Serial Bus (USB) devices. |
The information system prevents the automatic execution of mobile code in [Assignment: organization-defined software applications] and enforces [Assignment: organization-defined actions] prior to executing the code. |
| CCI-001171 |
The organization defines software applications in which automatic mobile code execution is to be prohibited. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the software applications in which automatic mobile code execution is to be prohibited as the software applications defined in the Protection Profile for Web Browsers and Application SRG.
|
DoD has defined the software applications in which automatic mobile code execution is to be prohibited as the software applications defined in the Protection Profile for Web Browsers and Application SRG.
|
Mobile Code | Prevent Automatic Execution |
SC-18 (4) |
SC-18(4).2 |
Actions enforced before executing mobile code, include, for example, prompting users prior to opening electronic mail attachments. Preventing automatic execution of mobile code includes, for example, disabling auto execute features on information system components employing portable storage devices such as Compact Disks (CDs), Digital Video Disks (DVDs), and Universal Serial Bus (USB) devices. |
The information system prevents the automatic execution of mobile code in [Assignment: organization-defined software applications] and enforces [Assignment: organization-defined actions] prior to executing the code. |
| CCI-001172 |
The organization defines actions to be enforced by the information system before executing mobile code. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the actions as the user be prompted. |
DoD has defined the actions as the user be prompted. |
Mobile Code | Prevent Automatic Execution |
SC-18 (4) |
SC-18(4).3 |
Actions enforced before executing mobile code, include, for example, prompting users prior to opening electronic mail attachments. Preventing automatic execution of mobile code includes, for example, disabling auto execute features on information system components employing portable storage devices such as Compact Disks (CDs), Digital Video Disks (DVDs), and Universal Serial Bus (USB) devices. |
The information system prevents the automatic execution of mobile code in [Assignment: organization-defined software applications] and enforces [Assignment: organization-defined actions] prior to executing the code. |
| CCI-001160 |
The organization defines acceptable and unacceptable mobile code and mobile code technologies. |
The organization conducting the inspection/assessmenet obtains and examines the documented acceptable and unacceptable mobile code and mobile code technologies to ensure the organization being inspected/assessed defines acceptable and unacceptable mobile code and mobile code technologies IAW the Protection Profile for Web Browsers and Application SRG.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has defined acceptable and unacceptable mobile code and mobile code technologies IAW the applicable STIGs and SRGs pertaining to CCI 1160. |
The organization being inspected/assessed defines and documents acceptable and unacceptable mobile code and mobile code technologies IAW the Protection Profile for Web Browsers and Application SRG.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must define IAW the STIG/SRG guidance that pertains to CCI 1160. |
Mobile Code |
SC-18 |
SC-18.1 |
Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones). Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems. Related controls: AU-2, AU-12, CM-2, CM-6, SI-3. |
The organization:
a. Defines acceptable and unacceptable mobile code and mobile code technologies;
b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and
c. Authorizes, monitors, and controls the use of mobile code within the information system. |
| CCI-001161 |
The organization establishes usage restrictions for acceptable mobile code and mobile code technologies. |
The organization conducting the inspection/assessmenet obtains and examines the documented usage restrictions to ensure the organization being inspected/assessed establishes usage restrictions for acceptable mobile code and mobile code technologies IAW the Protection Profile for Web Browsers and Application SRG.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has established usage restrictions IAW the applicable STIGs and SRGs pertaining to CCI 1161. |
The organization being inspected/assessed documents usage restrictions for acceptable mobile code and mobile code technologies IAW the Protection Profile for Web Browsers and Application SRG.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must establish IAW the STIG/SRG guidance that pertains to CCI 1161. |
Mobile Code |
SC-18 |
SC-18.2 |
Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones). Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems. Related controls: AU-2, AU-12, CM-2, CM-6, SI-3. |
The organization:
a. Defines acceptable and unacceptable mobile code and mobile code technologies;
b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and
c. Authorizes, monitors, and controls the use of mobile code within the information system. |
| CCI-001687 |
The organization ensures the use of mobile code to be deployed in information systems meets organization-defined mobile code requirements. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed uses mobile code IAW the requirements defined in CCI 1168. |
The organization being inspected/assessed documents and implements a process to use mobile code IAW the requirements defined in CCI 1168. |
Mobile Code | Acquisition / Development / Use |
SC-18 (2) |
SC-18(2).3 |
|
The organization ensures that the acquisition, development, and use of mobile code to be deployed in the information system meets [Assignment: organization-defined mobile code requirements]. |
| CCI-001688 |
The organization ensures the acquisition of mobile code to be deployed in information systems meets organization-defined mobile code requirements. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed acquire mobile code IAW the requirements defined in CCI 1168. |
The organization being inspected/assessed documents and implements a process to acquire mobile code IAW the requirements defined in CCI 1168. |
Mobile Code | Acquisition / Development / Use |
SC-18 (2) |
SC-18(2).4 |
|
The organization ensures that the acquisition, development, and use of mobile code to be deployed in the information system meets [Assignment: organization-defined mobile code requirements]. |
| CCI-001695 |
The information system prevents the execution of organization-defined unacceptable mobile code. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prevent the execution of unacceptable mobile code defined in CCI 2459.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1695.
|
The organization being inspected/assessed configures the information system to prevent the execution of unacceptable mobile code defined in CCI 2459.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1695.
|
Mobile Code | Prevent Downloading / Execution |
SC-18 (3) |
SC-18(3).2 |
|
The information system prevents the download and execution of [Assignment: organization defined unacceptable mobile code]. |
| CCI-001663 |
The information system, when operating as part of a distributed, hierarchical namespace, provides the means to enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services). |
The organization conducting the inspection/assessment utilizes DNSSEC diagnostic tools, such as dig, and performs queries which will exercise the data flow path for authoritative name resolution services where parent and child domains exist.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs that pertains to CCI 1663. |
The organization being inspected/assessed installs and utilizes software capable of validating the chain of trust (Examples of software include dig, dnsviz, dnssec-debugger, dnssec validator for Mozilla, etc.).
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1663. |
Secure Name / Address Resolution Service (Authoritative Source) |
SC-20 |
SC-20.4 |
This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data. Related controls: AU-10, SC-8, SC-12, SC-13, SC-21, SC-22. |
The information system:
a. Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
b. Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace. |
| CCI-001178 |
The information system provides additional data origin authentication artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries. |
The organization conducting the inspection/assessment:
1. inspects the configuration files for the presence of DNSSEC records for each A record hosted in a zone;
2. utilizes DNSSEC diagnostic tools, such as dig; and
3. performs queries which will exercise the data flow path for authoritative name resolution services.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs that determine the name server software configuration files and pertain to CCI 1178. |
The organization being inspected/assessed configures the authoritative name server software for external queries to enable DNSSEC and creates resource records with digital signatures (RRSig) for each A record.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that determines the name server software configuration files and pertains to CCI 1178. |
Secure Name / Address Resolution Service (Authoritative Source) |
SC-20 |
SC-20.1 |
This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data. Related controls: AU-10, SC-8, SC-12, SC-13, SC-21, SC-22. |
The information system:
a. Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
b. Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace. |
| CCI-001179 |
The information system, when operating as part of a distributed, hierarchical namespace, provides the means to indicate the security status of child zones. |
The organization conducting the inspection/assessment inspect the configuration files for the presence of Delegation Signer (DS) Records for any child domains.
Note: This is only applicable for zones with child domains.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs that determine the name server software configuration files and pertain to CCI 1179. |
The organization being inspected/assessed configures the authoritative name server software to enable DNSSEC and creates delegation signer (DS) resource records for each child zone and place those records in the parent zone.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that determines the name server software configuration files and pertains to CCI 1179. |
Secure Name / Address Resolution Service (Authoritative Source) |
SC-20 |
SC-20.3 |
This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data. Related controls: AU-10, SC-8, SC-12, SC-13, SC-21, SC-22. |
The information system:
a. Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
b. Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace. |
| CCI-001664 |
The information system recognizes only session identifiers that are system-generated. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to recognize only session identifiers that are system-generated.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1664. |
The organization being inspected/assessed configures the information system to recognize only session identifiers that are system-generated.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1664. |
Session Authenticity | Unique Session Identifiers With Randomization |
SC-23 (3) |
SC-23(3).3 |
This control enhancement curtails the ability of adversaries from reusing previously valid session IDs. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force attacks to determine future session identifiers. Related control: SC-13. |
The information system generates a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognizes only session identifiers that are system-generated. |
| CCI-001184 |
The information system protects the authenticity of communications sessions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to protect the authenticity of communications sessions.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1184. |
The organization being inspected/assessed configures the information system to protect the authenticity of communications sessions.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1184. |
Session Authenticity |
SC-23 |
SC-23.1 |
This control addresses communications protection at the session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. Related controls: SC-8, SC-10, SC-11. |
The information system protects the authenticity of communications sessions. |
| CCI-001185 |
The information system invalidates session identifiers upon user logout or other session termination. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to invalidate session identifiers upon user logout or other session termination.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1185. |
The organization being inspected/assessed configures the information system to invalidate session identifiers upon user logout or other session termination.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1185. |
Session Authenticity | Invalidate Session Identifiers At Logout |
SC-23 (1) |
SC-23(1).1 |
This control enhancement curtails the ability of adversaries from capturing and continuing to employ previously valid session IDs. |
The information system invalidates session identifiers upon user logout or other session termination. |
| CCI-001186 |
The information system provides a readily observable logout capability whenever authentication is used to gain access to web pages. |
|
|
|
|
|
|
|
| CCI-001187 |
The information system generates a unique session identifier for each session. |
|
|
|
|
|
|
|
| CCI-001188 |
The information system generates unique session identifiers for each session with organization-defined randomness requirements. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to generate unique session identifiers for each session with randomness requirements defined in SC-23 (3), CCI 1189.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1188. |
The organization being inspected/assessed configures the information system to generate unique session identifiers for each session with randomness requirements defined in SC-23 (3), CCI 1189.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1188. |
Session Authenticity | Unique Session Identifiers With Randomization |
SC-23 (3) |
SC-23(3).1 |
This control enhancement curtails the ability of adversaries from reusing previously valid session IDs. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force attacks to determine future session identifiers. Related control: SC-13. |
The information system generates a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognizes only session identifiers that are system-generated. |
| CCI-001189 |
The organization defines randomness requirements for generating unique session identifiers. |
The organization conducting the inspection/assessment obtains and examines the documented randomness requirements to ensure the organization being inspected/assessed defines randomness requirements for generating unique session identifiers.
DoD has determined the randomness requirements are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents randomness requirements for generating unique session identifiers.
DoD has determined the randomness requirements are not appropriate to define at the Enterprise level. |
Session Authenticity | Unique Session Identifiers With Randomization |
SC-23 (3) |
SC-23(3).2 |
This control enhancement curtails the ability of adversaries from reusing previously valid session IDs. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force attacks to determine future session identifiers. Related control: SC-13. |
The information system generates a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognizes only session identifiers that are system-generated. |
| CCI-001665 |
The information system preserves organization-defined system state information in the event of a system failure. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to preserve information necessary to determine cause of failure and to return to operations with least disruption to mission/ business processes in the event of a system failure.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1665.
DoD has defined system state information as information necessary to determine cause of failure and to return to operations with least disruption to mission/ business processes. |
The organization being inspected/assessed configures the information system to preserve information necessary to determine cause of failure and to return to operations with least disruption to mission/ business processes in the event of a system failure.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1665.
DoD has defined system state information as information necessary to determine cause of failure and to return to operations with least disruption to mission/ business processes. |
Fail In Known State |
SC-24 |
SC-24.5 |
Failure in a known state addresses security concerns in accordance with the mission/business needs of organizations. Failure in a known secure state helps to prevent the loss of confidentiality, integrity, or availability of information in the event of failures of organizational information systems or system components. Failure in a known safe state helps to prevent systems from failing to a state that may cause injury to individuals or destruction to property. Preserving information system state information facilitates system restart and return to the operational mode of organizations with less disruption of mission/business processes. Related controls: CP-2, CP-10, CP-12, SC-7, SC-22. |
The information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure. |
| CCI-001190 |
The information system fails to an organization-defined known-state for organization-defined types of failures. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to fail to a secure state for failures during system initialization, shutdown, and aborts.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1190.
DoD has defined the known state as secure state.
DoD has defined the types of failures as failures during system initialization, shutdown, and aborts. |
The organization being inspected/assessed configures the information system to fail to a secure state for failures during system initialization, shutdown, and aborts.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1190.
DoD has defined the known state as secure state.
DoD has defined the types of failures as failures during system initialization, shutdown, and aborts. |
Fail In Known State |
SC-24 |
SC-24.1 |
Failure in a known state addresses security concerns in accordance with the mission/business needs of organizations. Failure in a known secure state helps to prevent the loss of confidentiality, integrity, or availability of information in the event of failures of organizational information systems or system components. Failure in a known safe state helps to prevent systems from failing to a state that may cause injury to individuals or destruction to property. Preserving information system state information facilitates system restart and return to the operational mode of organizations with less disruption of mission/business processes. Related controls: CP-2, CP-10, CP-12, SC-7, SC-22. |
The information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure. |
| CCI-001191 |
The organization defines the known states the information system should fail to in the event of an organization-defined system failure. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the known state as secure state. |
DoD has defined the known state as secure state. |
Fail In Known State |
SC-24 |
SC-24.2 |
Failure in a known state addresses security concerns in accordance with the mission/business needs of organizations. Failure in a known secure state helps to prevent the loss of confidentiality, integrity, or availability of information in the event of failures of organizational information systems or system components. Failure in a known safe state helps to prevent systems from failing to a state that may cause injury to individuals or destruction to property. Preserving information system state information facilitates system restart and return to the operational mode of organizations with less disruption of mission/business processes. Related controls: CP-2, CP-10, CP-12, SC-7, SC-22. |
The information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure. |
| CCI-001192 |
The organization defines types of failures for which the information system should fail to an organization-defined known state. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the types of failures as failures during system initialization, shutdown, and aborts. |
DoD has defined the types of failures as failures during system initialization, shutdown, and aborts. |
Fail In Known State |
SC-24 |
SC-24.3 |
Failure in a known state addresses security concerns in accordance with the mission/business needs of organizations. Failure in a known secure state helps to prevent the loss of confidentiality, integrity, or availability of information in the event of failures of organizational information systems or system components. Failure in a known safe state helps to prevent systems from failing to a state that may cause injury to individuals or destruction to property. Preserving information system state information facilitates system restart and return to the operational mode of organizations with less disruption of mission/business processes. Related controls: CP-2, CP-10, CP-12, SC-7, SC-22. |
The information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure. |
| CCI-001193 |
The organization defines system state information that should be preserved in the event of a system failure. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined system state information as information necessary to determine cause of failure and to return to operations with least disruption to mission/ business processes. |
DoD has defined system state information as information necessary to determine cause of failure and to return to operations with least disruption to mission/ business processes. |
Fail In Known State |
SC-24 |
SC-24.4 |
Failure in a known state addresses security concerns in accordance with the mission/business needs of organizations. Failure in a known secure state helps to prevent the loss of confidentiality, integrity, or availability of information in the event of failures of organizational information systems or system components. Failure in a known safe state helps to prevent systems from failing to a state that may cause injury to individuals or destruction to property. Preserving information system state information facilitates system restart and return to the operational mode of organizations with less disruption of mission/business processes. Related controls: CP-2, CP-10, CP-12, SC-7, SC-22. |
The information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure. |
| CCI-001666 |
The organization employs cryptographic mechanisms to prevent unauthorized modification of information at rest unless otherwise protected by alternative physical measures. |
|
|
|
|
|
|
|
| CCI-001199 |
The information system protects the confidentiality and/or integrity of organization-defined information at rest. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to protect the confidentiality and/or integrity of organization-defined information at rest.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1199. |
The organization being inspected/assessed configures the information system to protect the confidentiality and/or integrity of organization-defined information at rest.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1199. |
Protection Of Information At Rest |
SC-28 |
SC-28.1 |
This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and/or continuous monitoring to identify malicious code at rest. Related controls: AC-3, AC-6, CA-7, CM-3, CM-5, CM-6, PE-3, SC-8, SC-13, SI-3, SI-7. |
The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]. |
| CCI-001200 |
The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures. |
|
|
|
|
|
|
|
| CCI-001667 |
The organization compares the time measured between flaw identification and flaw remediation with organization-defined benchmarks. |
|
|
|
|
|
|
|
| CCI-001225 |
The organization identifies information system flaws. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed identifies information system flaws. |
The organization being inspected/assessed documents and implements a process to identify information system flaws.
The process shall include review of the system through automated scans and manual checks to determine the existence of flaws such as IAVM, CVE, or other resources. |
Flaw Remediation |
SI-2 |
SI-2.1 |
Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures. Related controls: CA-2, CA-7, CM-3, CM-5, CM-8, MA-2, IR-4, RA-5, SA-10, SA-11, SI-11. |
The organization:
a. Identifies, reports, and corrects information system flaws;
b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
d. Incorporates flaw remediation into the organizational configuration management process. |
| CCI-001226 |
The organization reports information system flaws. |
The organization conducting the inspection/assessment obtains and examines the authorization package, verifies the POA&M is up to date and includes recently identified information system flaws, and verifies that the organization has notified appropriate personnel as defined by DoD Cybersecurity policy and organizational roles and responsibilities. |
The organization being inspected/assessed reports information system flaws according to DoD Cybersecurity policy and organizational roles and responsibilities.
The organization must report information system flaws in their POA&M. |
Flaw Remediation |
SI-2 |
SI-2.2 |
Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures. Related controls: CA-2, CA-7, CM-3, CM-5, CM-8, MA-2, IR-4, RA-5, SA-10, SA-11, SI-11. |
The organization:
a. Identifies, reports, and corrects information system flaws;
b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
d. Incorporates flaw remediation into the organizational configuration management process. |
| CCI-001227 |
The organization corrects information system flaws. |
The organization conducting the inspection/assessment obtains and examines the information system POA&M and examines the information system to ensure the organization being inspected/assessed corrects information system flaws. |
The organization being inspected/assessed corrects information system flaws within the time period directed by an authorative source (e.g. IAVM, CTOs, DTMs, STIGs).
The organization documents the corrections on their POA&M.
DoD has defined the time period as within the time period directed by an authorative source (e.g. IAVM, CTOs, DTMs, STIGs). |
Flaw Remediation |
SI-2 |
SI-2.3 |
Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures. Related controls: CA-2, CA-7, CM-3, CM-5, CM-8, MA-2, IR-4, RA-5, SA-10, SA-11, SI-11. |
The organization:
a. Identifies, reports, and corrects information system flaws;
b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
d. Incorporates flaw remediation into the organizational configuration management process. |
| CCI-001228 |
The organization tests software updates related to flaw remediation for effectiveness before installation. |
The organization conducting the inspection/assessment obtains and examines the documented process and test results to ensure the organization being inspected/assessed tests software updates related to flaw remediation for effectiveness before installation. |
The organization being inspected/assessed documents and implements a process to test software updates related to flaw remediation for effectiveness before installation.
If the software update is being provided by a vendor who has documented the effectiveness of the update in fixing the affected IAVM/CVE, further testing by the organization may not be required. |
Flaw Remediation |
SI-2 |
SI-2.4 |
Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures. Related controls: CA-2, CA-7, CM-3, CM-5, CM-8, MA-2, IR-4, RA-5, SA-10, SA-11, SI-11. |
The organization:
a. Identifies, reports, and corrects information system flaws;
b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
d. Incorporates flaw remediation into the organizational configuration management process. |
| CCI-001229 |
The organization tests software updates related to flaw remediation for potential side effects before installation. |
The organization conducting the inspection/assessment obtains and examines the documented process and test results to ensure the organization being inspected/assessed tests software updates related to flaw remediation for potential side effects before installation. |
The organization being inspected/assessed documents and implements a process for regression testing IAW CM-4 to identify any potential side effects before installation of software updates. |
Flaw Remediation |
SI-2 |
SI-2.5 |
Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures. Related controls: CA-2, CA-7, CM-3, CM-5, CM-8, MA-2, IR-4, RA-5, SA-10, SA-11, SI-11. |
The organization:
a. Identifies, reports, and corrects information system flaws;
b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
d. Incorporates flaw remediation into the organizational configuration management process. |
| CCI-001230 |
The organization incorporates flaw remediation into the organizational configuration management process. |
The organization conducting the inspection/assessment obtains and examines the configuration management plan to ensure that it incorporates flaw remediation. |
The organization being inspected/assessed documents within their configuration management plan, flaw remediation processes. |
Flaw Remediation |
SI-2 |
SI-2.12 |
Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures. Related controls: CA-2, CA-7, CM-3, CM-5, CM-8, MA-2, IR-4, RA-5, SA-10, SA-11, SI-11. |
The organization:
a. Identifies, reports, and corrects information system flaws;
b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
d. Incorporates flaw remediation into the organizational configuration management process. |
| CCI-001231 |
The organization centrally manages the flaw remediation process. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed centrally manages the flaw remediation process. |
The organization being inspected/assessed documents and implements a process to centrally manage the flaw remediation process. |
Flaw Remediation | Central Management |
SI-2 (1) |
SI-2(1).1 |
Central management is the organization-wide management and implementation of flaw remediation processes. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw remediation security controls. |
The organization centrally manages the flaw remediation process. |
| CCI-001232 |
The organization installs software updates automatically. |
|
|
|
|
|
|
|
| CCI-001233 |
The organization employs automated mechanisms on an organization-defined frequency to determine the state of information system components with regard to flaw remediation. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to employ automated mechanisms continuously with HBSS; 30 days for any additional internal network scans not covered by HBSS; annually for external scans by (Computer Network Defense Service Provider) CNDSP to determine the state of information system components with regard to flaw remediation.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1233.
DoD has defined the frequency as continuously with HBSS; 30 days for any additional internal network scans not covered by HBSS; annually for external scans by (Computer Network Defense Service Provider) CNDSP. |
The organization being inspected/assessed configures the information system to employ automated mechanisms continuously with HBSS; 30 days for any additional internal network scans not covered by HBSS; annually for external scans by (Computer Network Defense Service Provider) CNDSP to determine the state of information system components with regard to flaw remediation.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1233.
DoD has defined the frequency as continuously with HBSS; 30 days for any additional internal network scans not covered by HBSS; annually for external scans by (Computer Network Defense Service Provider) CNDSP. |
Flaw Remediation | Automated Flaw Remediation Status |
SI-2 (2) |
SI-2(2).1 |
Related controls: CM-6, SI-4. |
The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation. |
| CCI-001234 |
The organization defines a frequency for employing automated mechanisms to determine the state of information system components with regard to flaw remediation. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as continuously with HBSS; 30 days for any additional internal network scans not covered by HBSS; annually for external scans by (Computer Network Defense Service Provider) CNDSP. |
DoD has defined the frequency as continuously with HBSS; 30 days for any additional internal network scans not covered by HBSS; annually for external scans by (Computer Network Defense Service Provider) CNDSP. |
Flaw Remediation | Automated Flaw Remediation Status |
SI-2 (2) |
SI-2(2).2 |
Related controls: CM-6, SI-4. |
The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation. |
| CCI-001235 |
The organization measures the time between flaw identification and flaw remediation. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of flaw identification and flaw remediation to ensure the organization being inspected/assessed measures the time between flaw identification and flaw remediation. |
The organization being inspected/assessed documents and implements a process to measure the time between flaw identification and flaw remediation.
The organization must maintain an audit trail of flaw identification and flaw remediation. |
Flaw Remediation | Time To Remediate Flaws / Benchmarks For Corrective Actions |
SI-2 (3) |
SI-2(3).1 |
This control enhancement requires organizations to determine the current time it takes on the average to correct information system flaws after such flaws have been identified, and subsequently establish organizational benchmarks (i.e., time frames) for taking corrective actions. Benchmarks can be established by type of flaw and/or severity of the potential vulnerability if the flaw can be exploited. |
The organization:
(a) Measures the time between flaw identification and flaw remediation; and
(b) Establishes [Assignment: organization-defined benchmarks] for taking corrective actions. |
| CCI-001236 |
The organization defines benchmarks for the time taken to apply corrective actions after flaw identification. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the benchmarks as within the time period directed by an authorative source (e.g. IAVM, CTOs, DTMs, STIGs). |
DoD has defined the benchmarks as within the time period directed by an authorative source (e.g. IAVM, CTOs, DTMs, STIGs). |
Flaw Remediation | Time To Remediate Flaws / Benchmarks For Corrective Actions |
SI-2 (3) |
SI-2(3).2 |
This control enhancement requires organizations to determine the current time it takes on the average to correct information system flaws after such flaws have been identified, and subsequently establish organizational benchmarks (i.e., time frames) for taking corrective actions. Benchmarks can be established by type of flaw and/or severity of the potential vulnerability if the flaw can be exploited. |
The organization:
(a) Measures the time between flaw identification and flaw remediation; and
(b) Establishes [Assignment: organization-defined benchmarks] for taking corrective actions. |
| CCI-001237 |
The organization employs automated patch management tools to facilitate flaw remediation to organization-defined information system components. |
|
|
|
|
|
|
|
| CCI-001238 |
The organization defines information system components for which automated patch management tools are to be employed to facilitate flaw remediation. |
|
|
|
|
|
|
|
| CCI-001668 |
The organization employs malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means or inserted through the exploitation of information system vulnerabilities. |
|
|
|
|
|
|
|
| CCI-001669 |
The organization defines the frequency of testing malicious code protection mechanisms. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as twice annually or when substantial changes are made to the malicious code protection mechanisms. |
DoD has defined the frequency as twice annually or when substantial changes are made to the malicious code protection mechanisms. |
Malicious Code Protection | Testing / Verification |
SI-3 (6) |
SI-3(6).2 |
Related controls: CA-2, CA-7, RA-5. |
The organization:
(a) Tests malicious code protection mechanisms [Assignment: organization-defined frequency] by introducing a known benign, non-spreading test case into the information system; and
(b) Verifies that both detection of the test case and associated incident reporting occur. |
| CCI-001239 |
The organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means or inserted through the exploitation of information system vulnerabilities. |
|
|
|
|
|
|
|
| CCI-001240 |
The organization updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1240. |
The organization being inspected/assessed configures the information system to update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1240. |
Malicious Code Protection |
SI-3 |
SI-3.5 |
Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13, SC-7, SC-26, SC-44, SI-2, SI-4, SI-7. |
The organization:
a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
c. Configures malicious code protection mechanisms to:
1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. |
| CCI-001241 |
The organization configures malicious code protection mechanisms to perform periodic scans of the information system on an organization-defined frequency. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures malicious code protection mechanisms to perform periodic scans of the information system on every 7 days.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1241.
DoD has defined the frequency as every 7 days. |
The organization being inspected/assessed configures malicious code protection mechanisms to perform periodic scans of the information system on every 7 days.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1241.
DoD has defined the frequency as every 7 days. |
Malicious Code Protection |
SI-3 |
SI-3.8 |
Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13, SC-7, SC-26, SC-44, SI-2, SI-4, SI-7. |
The organization:
a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
c. Configures malicious code protection mechanisms to:
1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. |
| CCI-001242 |
The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1242. |
The organization being inspected/assessed configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1242. |
Malicious Code Protection |
SI-3 |
SI-3.9 |
Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13, SC-7, SC-26, SC-44, SI-2, SI-4, SI-7. |
The organization:
a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
c. Configures malicious code protection mechanisms to:
1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. |
| CCI-001243 |
The organization configures malicious code protection mechanisms to perform organization-defined action(s) in response to malicious code detection. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures malicious code protection mechanisms to perform block and quarantine malicious code and then send an alert to the administrator immediately in near real-time in response to malicious code detection.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1243.
DoD has defined the actions as block and quarantine malicious code and then send an alert to the administrator immediately in near real-time. |
The organization being inspected/assessed configures malicious code protection mechanisms to perform block and quarantine malicious code and then send an alert to the administrator immediately in near real-time in response to malicious code detection.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1243.
DoD has defined the actions as block and quarantine malicious code and then send an alert to the administrator immediately in near real-time. |
Malicious Code Protection |
SI-3 |
SI-3.10 |
Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13, SC-7, SC-26, SC-44, SI-2, SI-4, SI-7. |
The organization:
a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
c. Configures malicious code protection mechanisms to:
1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. |
| CCI-001244 |
The organization defines one or more actions to perform in response to malicious code detection, such as blocking malicious code, quarantining malicious code, or sending alerts to administrators. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the actions as block and quarantine malicious code and then send an alert to the administrator immediately in near real-time. |
DoD has defined the actions as block and quarantine malicious code and then send an alert to the administrator immediately in near real-time. |
Malicious Code Protection |
SI-3 |
SI-3.11 |
Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13, SC-7, SC-26, SC-44, SI-2, SI-4, SI-7. |
The organization:
a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
c. Configures malicious code protection mechanisms to:
1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. |
| CCI-001245 |
The organization addresses the receipt of false positives during malicious code detection and eradication, and the resulting potential impact on the availability of the information system. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to address the receipt of false positives during malicious code detection and eradication, and the resulting potential impact on the availability of the information system.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1245. |
The organization being inspected/assessed configures the information system to address the receipt of false positives during malicious code detection and eradication, and the resulting potential impact on the availability of the information system.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1245. |
Malicious Code Protection |
SI-3 |
SI-3.12 |
Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13, SC-7, SC-26, SC-44, SI-2, SI-4, SI-7. |
The organization:
a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
c. Configures malicious code protection mechanisms to:
1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. |
| CCI-001246 |
The organization centrally manages malicious code protection mechanisms. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed centrally manages malicious code protection mechanisms. |
The organization being inspected/assessed documents and implements a process to centrally manage malicious code protection mechanisms. |
Malicious Code Protection | Central Management |
SI-3 (1) |
SI-3(1).1 |
Central management is the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw malicious code protection security controls. Related controls: AU-2, SI-8. |
The organization centrally manages malicious code protection mechanisms. |
| CCI-001247 |
The information system automatically updates malicious code protection mechanisms. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to automatically update malicious code protection mechanisms.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1247. |
The organization being inspected/assessed configures the information system to automatically update malicious code protection mechanisms.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1247. |
Malicious Code Protection | Automatic Updates |
SI-3 (2) |
SI-3(2).1 |
Malicious code protection mechanisms include, for example, signature definitions. Due to information system integrity and availability concerns, organizations give careful consideration to the methodology used to carry out automatic updates. Related control: SI-8. |
The information system automatically updates malicious code protection mechanisms. |
| CCI-001248 |
The information system prevents non-privileged users from circumventing malicious code protection capabilities. |
|
|
|
|
|
|
|
| CCI-001249 |
The information system updates malicious code protection mechanisms only when directed by a privileged user. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to update malicious code protection mechanisms only when directed by a privileged user.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1249. |
The organization being inspected/assessed configures the information system to update malicious code protection mechanisms only when directed by a privileged user.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1249.
This control enhancement may be appropriate for situations where for reasons of security or operational continuity, updates are only applied when selected/approved by designated organizational personnel. |
Malicious Code Protection | Updates Only By Privileged Users |
SI-3 (4) |
SI-3(4).1 |
This control enhancement may be appropriate for situations where for reasons of security or operational continuity, updates are only applied when selected/approved by designated organizational personnel. Related controls: AC-6, CM-5. |
The information system updates malicious code protection mechanisms only when directed by a privileged user. |
| CCI-001250 |
The organization does not allow users to introduce removable media into the information system. |
|
|
|
|
|
|
|
| CCI-001251 |
The organization tests malicious code protection mechanisms on an organization-defined frequency by introducing a known benign, non-spreading test case into the information system. |
The organization conducting the inspection/assessment obtains and examines the documented process and test results to ensure the organization being inspected/assessed tests malicious code protection mechanisms twice annually or when substantial changes are made to the malicious code protection mechanisms by introducing a known benign, non-spreading test case into the information system.
DoD has defined the frequency as twice annually or when substantial changes are made to the malicious code protection mechanisms. |
The organization being inspected/assessed documents and implement a process to test malicious code protection mechanisms twice annually or when substantial changes are made to the malicious code protection mechanisms by introducing a known benign, non-spreading test case into the information system.
DoD has defined the frequency as twice annually or when substantial changes are made to the malicious code protection mechanisms. |
Malicious Code Protection | Testing / Verification |
SI-3 (6) |
SI-3(6).1 |
Related controls: CA-2, CA-7, RA-5. |
The organization:
(a) Tests malicious code protection mechanisms [Assignment: organization-defined frequency] by introducing a known benign, non-spreading test case into the information system; and
(b) Verifies that both detection of the test case and associated incident reporting occur. |
| CCI-001670 |
The information system takes organization-defined least-disruptive actions to terminate suspicious events. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to take least-disruptive actions defined in SI-4 (7), CCI 1268 to terminate suspicious events.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1670. |
The organization being inspected/assessed configures the information system to take least-disruptive actions defined in SI-4 (7), CCI 1268 to terminate suspicious events.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1670. |
Information System Monitoring | Automated Response To Suspicious Events |
SI-4 (7) |
SI-4(7).4 |
Least-disruptive actions may include, for example, initiating requests for human responses. |
The information system notifies [Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events and takes [Assignment: organization-defined least-disruptive actions to terminate suspicious events]. |
| CCI-001671 |
The organization analyzes outbound communications traffic at selected organization-defined interior points within the system (e.g., subnetworks, subsystems) to discover anomalies. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of any discovered anomalies to ensure the organization being inspected/assessed analyzes outbound communications traffic at selected interior points defined in SI-4 (11), CCI 2668 within the system (e.g., subnetworks, subsystems) to discover anomalies. |
The organization being inspected/assessed documents and implements a process to analyze outbound communications traffic at selected interior points defined in SI-4 (11), CCI 2668 within the system (e.g., subnetworks, subsystems) to discover anomalies.
The organization must maintain a record of any discovered anomalies. |
Information System Monitoring | Analyze Communications Traffic Anomalies |
SI-4 (11) |
SI-4(11).2 |
Anomalies within organizational information systems include, for example, large file transfers, long-time persistent connections, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses. |
The organization analyzes outbound communications traffic at the external boundary of the information system and selected [Assignment: organization-defined interior points within the system (e.g., subnetworks, subsystems)] to discover anomalies. |
| CCI-001672 |
The organization employs a wireless intrusion detection system to identify rogue wireless devices. |
|
|
|
|
|
|
|
| CCI-001673 |
The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system. |
The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified wireless intrusion detection system and the system hardware/software list to ensure the organization being inspected/assessed employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system.
The organization being inspected/assessed may be required to demonstrate use of the wireless intrusion detection system. |
The organization being inspected/assessed documents and implements a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system. |
Information System Monitoring | Wireless Intrusion Detection |
SI-4 (14) |
SI-4(14).1 |
Wireless signals may radiate beyond the confines of organization-controlled facilities. Organizations proactively search for unauthorized wireless connections including the conduct of thorough scans for unauthorized wireless access points. Scans are not limited to those areas within facilities containing information systems, but also include areas outside of facilities as needed, to verify that unauthorized wireless access points are not connected to the systems. Related controls: AC-18, IA-3. |
The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system. |
| CCI-001252 |
The organization monitors events on the information system in accordance with organization-defined monitoring objectives and detects information system attacks. |
|
|
|
|
|
|
|
| CCI-001253 |
The organization defines the objectives of monitoring for attacks and indicators of potential attacks on the information system. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the monitoring objectives as sensor placement and monitoring requirements within CJCSI 6510.01F. |
DoD has defined the monitoring objectives as sensor placement and monitoring requirements within CJCSI 6510.01F. |
Information System Monitoring |
SI-4 |
SI-4.1 |
Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Related controls: AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, CA-7, IR-4, PE-3, RA-5, SC-7, SC-26, SC-35, SI-3, SI-7. |
The organization:
a. Monitors the information system to detect:
1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
2. Unauthorized local, network, and remote connections;
b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]. |
| CCI-001254 |
The organization identifies unauthorized use of the information system. |
|
|
|
|
|
|
|
| CCI-001255 |
The organization deploys monitoring devices strategically within the information system to collect organization-determined essential information. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed deploys monitoring devices strategically within the information system to collect organization determined essential information. |
The organization being inspected/assessed documents and implements a process to deploy monitoring devices strategically within the information system to collect organization determined essential information. |
Information System Monitoring |
SI-4 |
SI-4.8 |
Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Related controls: AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, CA-7, IR-4, PE-3, RA-5, SC-7, SC-26, SC-35, SI-3, SI-7. |
The organization:
a. Monitors the information system to detect:
1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
2. Unauthorized local, network, and remote connections;
b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]. |
| CCI-001256 |
The organization deploys monitoring devices at ad hoc locations within the system to track specific types of transactions of interest to the organization. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed deploys monitoring devices at ad hoc locations within the system to track specific types of transactions of interest to the organization. |
The organization being inspected/assessed documents and implements a process to deploy monitoring devices at ad hoc locations within the system to track specific types of transactions of interest to the organization. |
Information System Monitoring |
SI-4 |
SI-4.9 |
Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Related controls: AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, CA-7, IR-4, PE-3, RA-5, SC-7, SC-26, SC-35, SI-3, SI-7. |
The organization:
a. Monitors the information system to detect:
1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
2. Unauthorized local, network, and remote connections;
b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]. |
| CCI-001257 |
The organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information. |
The organization being inspected/assessed documents and implements a process to heighten the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information. |
Information System Monitoring |
SI-4 |
SI-4.13 |
Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Related controls: AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, CA-7, IR-4, PE-3, RA-5, SC-7, SC-26, SC-35, SI-3, SI-7. |
The organization:
a. Monitors the information system to detect:
1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
2. Unauthorized local, network, and remote connections;
b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]. |
| CCI-001258 |
The organization obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations. |
The organization conducting the inspection/assessment obtains and examines the documented legal opinion to ensure the organization being inspected/assessed obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations. |
The organization being inspected/assessed obtains and documents legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations. |
Information System Monitoring |
SI-4 |
SI-4.14 |
Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Related controls: AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, CA-7, IR-4, PE-3, RA-5, SC-7, SC-26, SC-35, SI-3, SI-7. |
The organization:
a. Monitors the information system to detect:
1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
2. Unauthorized local, network, and remote connections;
b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]. |
| CCI-001259 |
The organization interconnects and configures individual intrusion detection tools into a systemwide intrusion detection system using common protocols. |
|
|
|
|
|
|
|
| CCI-001260 |
The organization employs automated tools to support near real-time analysis of events. |
The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated tools to ensure the organization being inspected/assessed employs automated tools to support near real-time analysis of events.
The organization being inspected/assessed may be required to demonstrate use of their automated tools. |
The organization being inspected/assessed documents and implements automated tools to support near real-time analysis of events. |
Information System Monitoring | Automated Tools For Real-Time Analysis |
SI-4 (2) |
SI-4(2).1 |
Automated tools include, for example, host-based, network-based, transport-based, or storage-based event monitoring tools or Security Information and Event Management (SIEM) technologies that provide real time analysis of alerts and/or notifications generated by organizational information systems. |
The organization employs automated tools to support near real-time analysis of events. |
| CCI-001261 |
The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination. |
|
|
|
|
|
|
|
| CCI-001262 |
The information system monitors inbound and outbound communications for unusual or unauthorized activities or conditions. |
|
|
|
|
|
|
|
| CCI-001263 |
The information system provides near real-time alerts when any of the organization-defined list of compromise or potential compromise indicators occurs. |
|
|
|
|
|
|
|
| CCI-001264 |
The organization defines indicators of compromise or potential compromise to the security of the information system which will result in information system alerts being provided to organization-defined personnel or roles. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the compromise indicators as real time intrusion detection and when there are threats identified by authoritative sources (e.g. CTOs) and IAW incident categories I, II, IV, & VII within CJCSM 6510.01B. |
DoD has defined the compromise indicators as real time intrusion detection and when there are threats identified by authoritative sources (e.g. CTOs) and IAW incident categories I, II, IV, & VII within CJCSM 6510.01B. |
Information System Monitoring | System-Generated Alerts |
SI-4 (5) |
SI-4(5).1 |
Alerts may be generated from a variety of sources, including, for example, audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the notification list can include, for example, system administrators, mission/business owners, system owners, or information system security officers. Related controls: AU-5, PE-6. |
The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators]. |
| CCI-001265 |
The information system prevents non-privileged users from circumventing intrusion detection and prevention capabilities. |
|
|
|
|
|
|
|
| CCI-001266 |
The information system notifies an organization-defined list of incident response personnel (identified by name and/or by role) of detected suspicious events. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to notify incident response personnel defined in the incident response plan of detected suspicious events.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1266.
DoD has defined the incident response personnel as incident response personnel defined in the incident response plan. |
The organization being inspected/assessed configures the information system to notify incident response personnel defined in the incident response plan of detected suspicious events.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1266.
DoD has defined the incident response personnel as incident response personnel defined in the incident response plan. |
Information System Monitoring | Automated Response To Suspicious Events |
SI-4 (7) |
SI-4(7).1 |
Least-disruptive actions may include, for example, initiating requests for human responses. |
The information system notifies [Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events and takes [Assignment: organization-defined least-disruptive actions to terminate suspicious events]. |
| CCI-001267 |
The organization defines a list of incident response personnel (identified by name and/or by role) to be notified of detected suspicious events. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the incident response personnel as incident response personnel defined in the incident response plan. |
DoD has defined the incident response personnel as incident response personnel defined in the incident response plan. |
Information System Monitoring | Automated Response To Suspicious Events |
SI-4 (7) |
SI-4(7).2 |
Least-disruptive actions may include, for example, initiating requests for human responses. |
The information system notifies [Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events and takes [Assignment: organization-defined least-disruptive actions to terminate suspicious events]. |
| CCI-001268 |
The organization defines a list of least-disruptive actions to be taken by the information system to terminate suspicious events. |
The organization conducting the inspection/assessment obtains and examines the documented list of least-disruptive actions to ensure the organization being inspected/assessed defines a list of least-disruptive actions to be taken by the information system to terminate suspicious events.
DoD has determined the least-disruptive actions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents a list of least-disruptive actions to be taken by the information system to terminate suspicious events.
DoD has determined the least-disruptive actions are not appropriate to define at the Enterprise level. |
Information System Monitoring | Automated Response To Suspicious Events |
SI-4 (7) |
SI-4(7).3 |
Least-disruptive actions may include, for example, initiating requests for human responses. |
The information system notifies [Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events and takes [Assignment: organization-defined least-disruptive actions to terminate suspicious events]. |
| CCI-001269 |
The organization protects information obtained from intrusion monitoring tools from unauthorized access, modification, and deletion. |
|
|
|
|
|
|
|
| CCI-001270 |
The organization tests intrusion monitoring tools at an organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of test results to ensure the organization being inspected/assessed tests intrusion monitoring tools every 30 days.
DoD has defined the frequency as every 30 days. |
The organization being inspected/assessed documents and implements a process to test intrusion monitoring tools every 30 days.
The organization must maintain an audit trail of test results.
DoD has defined the frequency as every 30 days. |
Information System Monitoring | Testing Of Monitoring Tools |
SI-4 (9) |
SI-4(9).1 |
Testing intrusion-monitoring tools is necessary to ensure that the tools are operating correctly and continue to meet the monitoring objectives of organizations. The frequency of testing depends on the types of tools used by organizations and methods of deployment. Related control: CP-9. |
The organization tests intrusion-monitoring tools [Assignment: organization-defined time-period]. |
| CCI-001271 |
The organization defines the frequency for testing intrusion monitoring tools. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as every 30 days. |
DoD has defined the frequency as every 30 days. |
Information System Monitoring | Testing Of Monitoring Tools |
SI-4 (9) |
SI-4(9).2 |
Testing intrusion-monitoring tools is necessary to ensure that the tools are operating correctly and continue to meet the monitoring objectives of organizations. The frequency of testing depends on the types of tools used by organizations and methods of deployment. Related control: CP-9. |
The organization tests intrusion-monitoring tools [Assignment: organization-defined time-period]. |
| CCI-001272 |
The organization makes provisions so encrypted traffic is visible to information system monitoring tools. |
|
|
|
|
|
|
|
| CCI-001273 |
The organization analyzes outbound communications traffic at the external boundary of the information system to discover anomalies. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of any discovered anomalies to ensure the organization being inspected/assessed analyzes outbound communications traffic at the external boundary of the information system to discover anomalies. |
The organization being inspected/assessed documents and implements a process to analyze outbound communications traffic at the external boundary of the information system to discover anomalies.
The organization must maintain a record of any discovered anomalies. |
Information System Monitoring | Analyze Communications Traffic Anomalies |
SI-4 (11) |
SI-4(11).1 |
Anomalies within organizational information systems include, for example, large file transfers, long-time persistent connections, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses. |
The organization analyzes outbound communications traffic at the external boundary of the information system and selected [Assignment: organization-defined interior points within the system (e.g., subnetworks, subsystems)] to discover anomalies. |
| CCI-001274 |
The organization employs automated mechanisms to alert security personnel of organization-defined inappropriate or unusual activities with security implications. |
The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms used to alert security personnel when there are threats identified by authoritative sources (e.g. CTOs) and IAW with CJCSM 6510.01B.
For automated alert mechanisms that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1274.
The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms.
DoD has defined the activities that trigger alerts as when there are threats identified by authoritative sources (e.g. CTOs) and IAW with CJCSM 6510.01B. |
The organization being inspected/assessed documents and implements automated mechanisms to alert security personnel when there are threats identified by authoritative sources (e.g. CTOs) and IAW with CJCSM 6510.01B.
For automated alert mechanisms that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1274.
DoD has defined the activities that trigger alerts as when there are threats identified by authoritative sources (e.g. CTOs) and IAW with CJCSM 6510.01B. |
Information System Monitoring | Automated Alerts |
SI-4 (12) |
SI-4(12).1 |
This control enhancement focuses on the security alerts generated by organizations and transmitted using automated means. In contrast to the alerts generated by information systems in SI-4 (5), which tend to focus on information sources internal to the systems (e.g., audit records), the sources of information for this enhancement can include other entities as well (e.g., suspicious activity reports, reports on potential insider threats). Related controls: AC-18, IA-3. |
The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined activities that trigger alerts]. |
| CCI-001275 |
The organization defines the activities which will trigger alerts to security personnel of inappropriate or unusual activities. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the activities that trigger alerts as when there are threats identified by authoritative sources (e.g. CTOs) and IAW with CJCSM 6510.01B. |
DoD has defined the activities that trigger alerts as when there are threats identified by authoritative sources (e.g. CTOs) and IAW with CJCSM 6510.01B. |
Information System Monitoring | Automated Alerts |
SI-4 (12) |
SI-4(12).2 |
This control enhancement focuses on the security alerts generated by organizations and transmitted using automated means. In contrast to the alerts generated by information systems in SI-4 (5), which tend to focus on information sources internal to the systems (e.g., audit records), the sources of information for this enhancement can include other entities as well (e.g., suspicious activity reports, reports on potential insider threats). Related controls: AC-18, IA-3. |
The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined activities that trigger alerts]. |
| CCI-001276 |
The organization analyzes communications traffic/event patterns for the information system. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of analysis to ensure the organization being inspected/assessed analyzes communications traffic/event patterns for the information system. |
The organization being inspected/assessed documents and implements a process to analyze communications traffic/event patterns for the information system.
The organization must maintain a record of the analysis. |
Information System Monitoring | Analyze Traffic / Event Patterns |
SI-4 (13) |
SI-4(13).1 |
|
The organization:
(a) Analyzes communications traffic/event patterns for the information system;
(b) Develops profiles representing common traffic patterns and/or events; and
(c) Uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and the number of false negatives. |
| CCI-001277 |
The organization develops profiles representing common traffic patterns and/or events. |
The organization conducting the inspection/assessment obtains and examines the documented profiles to ensure the organization being inspected/assessed develops profiles representing common traffic patterns and/or events. |
The organization being inspected/assessed develops and documents profiles representing common traffic patterns and/or events. |
Information System Monitoring | Analyze Traffic / Event Patterns |
SI-4 (13) |
SI-4(13).2 |
|
The organization:
(a) Analyzes communications traffic/event patterns for the information system;
(b) Develops profiles representing common traffic patterns and/or events; and
(c) Uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and the number of false negatives. |
| CCI-001278 |
The organization uses the traffic/event profiles in tuning system monitoring devices to reduce the number of false positives to an organization-defined measure of false positives and the number of false negatives to an organization-defined measure of false negatives. |
|
|
|
|
|
|
|
| CCI-001279 |
The organization defines the respective measurements to which the organization must tune system monitoring devices to reduce the number of false positives. |
|
|
|
|
|
|
|
| CCI-001280 |
The organization defines the respective measurements to which the organization must tune system monitoring devices to reduce the number of false negatives. |
|
|
|
|
|
|
|
| CCI-001281 |
The organization employs a wireless intrusion detection system. |
|
|
|
|
|
|
|
| CCI-001282 |
The organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks. |
The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified intrusion detection system to ensure the organization being inspected/assessed employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.
The organization being inspected/assessed may be required to demonstrate use of the intrusion detection system. |
The organization being inspected/assessed documents and implements an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks. |
Information System Monitoring | Wireless To Wireline Communications |
SI-4 (15) |
SI-4(15).1 |
Related control: AC-18. |
The organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks. |
| CCI-001283 |
The organization correlates information from monitoring tools employed throughout the information system. |
The organization conducting the inspection/assessment obtains and examines the documented process and the correlated results to ensure the organization being inspected/assessed correlates information from monitoring tools employed throughout the information system. |
The organization being inspected/assessed documents and implements a process to correlate information from monitoring tools employed throughout the information system. |
Information System Monitoring | Correlate Monitoring Information |
SI-4 (16) |
SI-4(16).1 |
Correlating information from different monitoring tools can provide a more comprehensive view of information system activity. The correlation of monitoring tools that usually work in isolation (e.g., host monitoring, network monitoring, anti-virus software) can provide an organization-wide view and in so doing, may reveal otherwise unseen attack patterns. Understanding the capabilities/limitations of diverse monitoring tools and how to maximize the utility of information generated by those tools can help organizations to build, operate, and maintain effective monitoring programs. Related control: AU-6. |
The organization correlates information from monitoring tools employed throughout the information system. |
| CCI-001284 |
The organization correlates information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness. |
The organization conducting the inspection/assessment obtains and examines the documented process and the correlated results to ensure the organization being inspected/assessed correlates information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness. |
The organization being inspected/assessed documents and implements a process to correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness. |
Information System Monitoring | Integrated Situational Awareness |
SI-4 (17) |
SI-4(17).1 |
This control enhancement correlates monitoring information from a more diverse set of information sources to achieve integrated situational awareness. Integrated situational awareness from a combination of physical, cyber, and supply chain monitoring activities enhances the capability of organizations to more quickly detect sophisticated cyber attacks and investigate the methods and techniques employed to carry out such attacks. In contrast to SI-4 (16) which correlates the various cyber monitoring information, this control enhancement correlates monitoring beyond just the cyber domain. Such monitoring may help reveal attacks on organizations that are operating across multiple attack vectors. Related control: SA-12. |
The organization correlates information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness. |
| CCI-001674 |
The information system responds to security function anomalies in accordance with organization-defined responses and alternative action(s). |
|
|
|
|
|
|
|
| CCI-001675 |
The organization defines the personnel or roles that are to receive reports on the results of security function verification. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level
DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. |
DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. |
Security Function Verification | Report Verification Results |
SI-6 (3) |
SI-6(3).2 |
Organizational personnel with potential interest in security function verification results include, for example, senior information security officers, information system security managers, and information systems security officers. Related controls: SA-12, SI-4, SI-5. |
The organization reports the results of security function verification to [Assignment: organization-defined personnel or roles]. |
| CCI-001676 |
The organization defines, for periodic security function verification, the frequency of the verifications. |
|
|
|
|
|
|
|
| CCI-001291 |
The information system verifies the correct operation of security functions in accordance with organization-defined conditions and in accordance with organization-defined frequency (if periodic verification). |
|
|
|
|
|
|
|
| CCI-001292 |
The organization defines the appropriate conditions, including the system transitional states if applicable, for verifying the correct operation of security functions. |
|
|
|
|
|
|
|
| CCI-001293 |
The organization defines the information system responses and alternative action(s) to anomalies discovered during security function verification. |
|
|
|
|
|
|
|
| CCI-001294 |
The information system notifies organization-defined personnel or roles of failed security verification tests. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to notify the ISSO and ISSM of failed security verification tests.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1294.
DoD has defined the personnel or roles as the ISSO and ISSM. |
The organization being inspected/assessed configures the information system to notify the ISSO and ISSM of failed security verification tests.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1294.
DoD has defined the personnel or roles as the ISSO and ISSM. |
Security Function Verification |
SI-6 |
SI-6.6 |
Transitional states for information systems include, for example, system startup, restart, shutdown, and abort. Notifications provided by information systems include, for example, electronic alerts to system administrators, messages to local computer consoles, and/or hardware indications such as lights. Related controls: CA-7, CM-6. |
The information system:
a. Verifies the correct operation of [Assignment: organization-defined security functions];
b. Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]];
c. Notifies [Assignment: organization-defined personnel or roles] of failed security verification tests; and
d. [Selection (one or more): shuts the information system down; restarts the information system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered. |
| CCI-001295 |
The information system implements automated mechanisms to support the management of distributed security testing. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement automated mechanisms to support the management of distributed security testing.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1295. |
The organization being inspected/assessed configures the information system to implement automated mechanisms to support the management of distributed security testing.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1295. |
Security Function Verification | Automation Support For Distributed Testing |
SI-6 (2) |
SI-6(2).1 |
Related control: SI-2. |
The information system implements automated mechanisms to support for the management of distributed security testing. |
| CCI-001296 |
The organization reports the results of security function verification to organization-defined personnel or roles. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of reporting to ensure the organization being inspected/assessed reports the result of security function verification to at a minimum, the ISSO and ISSM.
DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. |
The organization being inspected/assessed documents and implements a process to report the result of security function verification to at a minimum, the ISSO and ISSM.
The organization must maintain an audit trail of reporting.
DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. |
Security Function Verification | Report Verification Results |
SI-6 (3) |
SI-6(3).1 |
Organizational personnel with potential interest in security function verification results include, for example, senior information security officers, information system security managers, and information systems security officers. Related controls: SA-12, SI-4, SI-5. |
The organization reports the results of security function verification to [Assignment: organization-defined personnel or roles]. |
| CCI-001677 |
The organization employs spam protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means. |
|
|
|
|
|
|
|
| CCI-001305 |
The organization employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means. |
|
|
|
|
|
|
|
| CCI-001306 |
The organization updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures. |
The organization conducting the inspection/assessment obtains and examines the documented process and examines the spam protection mechanisms to ensure the organization being inspected/assessed updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures. |
The organization being inspected/assessed documents and implements a process to update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures. |
Spam Protection |
SI-8 |
SI-8.3 |
Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, mobile devices, and notebook/laptop computers. Spam can be transported by different means including, for example, electronic mail, electronic mail attachments, and web accesses. Spam protection mechanisms include, for example, signature definitions. Related controls: AT-2, AT-3, SC-5, SC-7, SI-3. |
The organization:
a. Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and
b. Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures. |
| CCI-001307 |
The organization centrally manages spam protection mechanisms. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed centrally manages spam protection mechanisms. |
The organization being inspected/assessed documents and implements a process to centrally manage spam protection mechanisms. |
Spam Protection | Central Management |
SI-8 (1) |
SI-8(1).1 |
Central management is the organization-wide management and implementation of spam protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed spam protection security controls. Related controls: AU-3, SI-2, SI-7. |
The organization centrally manages spam protection mechanisms. |
| CCI-001308 |
The information system automatically updates spam protection mechanisms. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to automatically update spam protection mechanisms.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1308. |
The organization being inspected/assessed configures the information system to automatically update spam protection mechanisms.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1308. |
Spam Protection | Automatic Updates |
SI-8 (2) |
SI-8(2).1 |
|
The information system automatically updates spam protection mechanisms. |
| CCI-001678 |
The organization retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. |
The organization conducting the inspection/assessment obtains and examines the documented list of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements which apply to the information within the information system, as well as the documented process for information retention to ensure the organization being inspected/assessed retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. |
The organization being inspected/assessed identifies and documents federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements which apply to the information within the information system.
The organization documents and implements a process to retain information IAW those documented federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. |
Information Handling And Retention |
SI-12 |
SI-12.2 |
Information handling and retention requirements cover the full life cycle of information, in some cases extending beyond the disposal of information systems. The National Archives and Records Administration provides guidance on records retention. Related controls: AC-16, AU-5, AU-11, MP-2, MP-4. |
The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. |
| CCI-001315 |
The organization handles information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. |
The organization conducting the inspection/assessment obtains and examines the documented list of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements which apply to the information within the information system, as well as the documented process for information handling to ensure the organization being inspected/assessed handles information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. |
The organization being inspected/assessed identifies and documents federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements which apply to the information within the information system.
The organization documents and implements a process to handle information IAW those documented federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. |
Information Handling And Retention |
SI-12 |
SI-12.1 |
Information handling and retention requirements cover the full life cycle of information, in some cases extending beyond the disposal of information systems. The National Archives and Records Administration provides guidance on records retention. Related controls: AC-16, AU-5, AU-11, MP-2, MP-4. |
The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. |
| CCI-001679 |
The organization provides a mechanism to exchange active and standby roles of the components. |
|
|
|
|
|
|
|
| CCI-001316 |
The organization protects the information system from harm by considering mean time to failure rates for an organization-defined list of information system components in specific environments of operation. |
|
|
|
|
|
|
|
| CCI-001317 |
The organization defines a list of information system components for which mean time to failure rates should be considered to protect the information system from harm. |
|
|
|
|
|
|
|
| CCI-001318 |
The organization provides substitute information system components. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed provides substitute information system components. |
The organization being inspected/assessed documents and implements a process to provide substitute information system components. |
Predictable Failure Prevention |
SI-13 |
SI-13.3 |
While MTTF is primarily a reliability issue, this control addresses potential failures of specific information system components that provide security capability. Failure rates reflect installation-specific consideration, not industry-average. Organizations define criteria for substitution of information system components based on MTTF value with consideration for resulting potential harm from component failures. Transfer of responsibilities between active and standby components does not compromise safety, operational readiness, or security capability (e.g., preservation of state variables). Standby components remain available at all times except for maintenance issues or recovery failures in progress. Related controls: CP-2, CP-10, MA-6. |
The organization:
a. Determines mean time to failure (MTTF) for [Assignment: organization-defined information system components] in specific environments of operation; and
b. Provides substitute information system components and a means to exchange active and standby components at [Assignment: organization-defined MTTF substitution criteria]. |
| CCI-001319 |
The organization takes information system components out of service by transferring component responsibilities to a substitute component no later than an organization-defined fraction or percentage of mean time to failure (MTTF). |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the log of component substitution to ensure the organization being inspected/assessed takes the information system components out of service by transferring component responsibilities to a substitute component no later than a fraction or percentage of mean time to failure defined in SI-13 (1), CCI 1320. |
The organization being inspected/assessed documents and implements a process to take the information system components out of service by transferring component responsibilities to a substitute component no later than a fraction or percentage of mean time to failure defined in SI-13 (1), CCI 1320.
The organization must maintain a log of component substitution. |
Predictable Failure Prevention | Transferring Component Responsibilities |
SI-13 (1) |
SI-13(1).1 |
|
The organization takes information system components out of service by transferring component responsibilities to substitute components no later than [Assignment: organization-defined fraction or percentage] of mean time to failure. |
| CCI-001320 |
The organization defines the maximum fraction or percentage of mean time to failure (MTTF) used to determine when information system components are taken out of service by transferring component responsibilities to substitute components. |
The organization conducting the inspection/assessment obtains and examines the documented fraction or percentage to ensure the organization being inspected/assessed defines the maximum fraction or percentage of mean time to failure used to determine when information system components are taken out of service by transferring component responsibilities to substitute components.
DoD has determined the fraction or percentage is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the maximum fraction or percentage of mean time to failure used to determine when information system components are taken out of service by transferring component responsibilities to substitute components.
DoD has determined the fraction or percentage is not appropriate to define at the Enterprise level. |
Predictable Failure Prevention | Transferring Component Responsibilities |
SI-13 (1) |
SI-13(1).2 |
|
The organization takes information system components out of service by transferring component responsibilities to substitute components no later than [Assignment: organization-defined fraction or percentage] of mean time to failure. |
| CCI-001321 |
The organization does not allow a process to execute without supervision for more than an organization-defined time period. |
The organization conducting the inspection/assessment obtains and examines any applicable evidence of process supervision to ensure the organization being inspected/assessed does not allow a process to execute without supervision for more than the time period defined in SI-7 (16), CCI 1322. |
The organization being inspected/assessed does not allow a process to execute without supervision for more than the time period defined in SI-7 (16), CCI 1322. |
Software, Firmware, And Information Integrity | Time Limit On Process Execution W/O Supervision |
SI-7 (16) |
SI-7(16).1 |
This control enhancement addresses processes for which normal execution periods can be determined and situations in which organizations exceed such periods. Supervision includes, for example, operating system timers, automated responses, or manual oversight and response when information system process anomalies occur. |
The organization does not allow processes to execute without supervision for more than [Assignment: organization-defined time period]. |
| CCI-001322 |
The organization defines a time period that is the longest a process is allowed to execute without supervision. |
The organization conducting the inspection/assessment obtains and examines the documented time period to ensure the organization being inspected/assessed defines a time period that is the most a process is allowed to execute without supervision.
DoD has determined the time period is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents a time period that is the most a process is allowed to execute without supervision.
DoD has determined the time period is not appropriate to define at the Enterprise level. |
Software, Firmware, And Information Integrity | Time Limit On Process Execution W/O Supervision |
SI-7 (16) |
SI-7(16).2 |
This control enhancement addresses processes for which normal execution periods can be determined and situations in which organizations exceed such periods. Supervision includes, for example, operating system timers, automated responses, or manual oversight and response when information system process anomalies occur. |
The organization does not allow processes to execute without supervision for more than [Assignment: organization-defined time period]. |
| CCI-001323 |
The organization manually initiates a transfer between active and standby information system components in accordance with organization-defined frequency if the mean time to failure (MTTF) exceeds an organization-defined time period. |
|
|
|
|
|
|
|
| CCI-001324 |
The organization defines the minimum frequency at which the organization manually initiates a transfer between active and standby information system components if the mean time to failure (MTTF) exceeds the organization-defined time period. |
The organization conducting the inspection/assessment obtains and examines the documented frequency to ensure the organization being inspected/assessed defines the minimum frequency at which the organization manually initiates a transfer between active and standby information system components if the mean time to failure exceeds the organization-defined time period.
DoD has determined the frequency is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the minimum frequency at which the organization manually initiates a transfer between active and standby information system components if the mean time to failure exceeds the organization-defined time period.
DoD has determined the frequency is not appropriate to define at the Enterprise level. |
Predictable Failure Prevention | Manual Transfer Between Components |
SI-13 (3) |
SI-13(3).2 |
|
The organization manually initiates transfers between active and standby information system components [Assignment: organization-defined frequency] if the mean time to failure exceeds [Assignment: organization-defined time period]. |
| CCI-001325 |
The organization defines a time period that the mean time to failure (MTTF) must exceed before the organization manually initiates a transfer between active and standby information system components. |
The organization conducting the inspection/assessment obtains and examines the documented time period to ensure the organization being inspected/assessed defines a time period that the mean time to failure must exceed before the organization manually initiates a transfer between active and standby information system components.
DoD has determined the time period is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents a time period that the mean time to failure must exceed before the organization manually initiates a transfer between active and standby information system components.
The time period should be based on organizational need to maintain readiness of standby components.
DoD has determined the time period is not appropriate to define at the Enterprise level. |
Predictable Failure Prevention | Manual Transfer Between Components |
SI-13 (3) |
SI-13(3).3 |
|
The organization manually initiates transfers between active and standby information system components [Assignment: organization-defined frequency] if the mean time to failure exceeds [Assignment: organization-defined time period]. |
| CCI-001326 |
The organization, if information system component failures are detected, ensures standby components are successfully and transparently installed within an organization-defined time period. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the log of standby component installation to ensure the organization being inspected/assessed transparently installs standby components within a time period defined in SI-13 (4), CCI 1327 if information system component failures are detected. |
The organization being inspected/assessed documents and implements a process to transparently install standby components within a time period defined in SI-13 (4), CCI 1327 if information system component failures are detected.
The organization must maintain a log of standby component installation to include time periods. |
Predictable Failure Prevention | Standby Component Installation / Notification |
SI-13 (4) |
SI-13(4).1 |
Automatic or manual transfer of components from standby to active mode can occur, for example, upon detection of component failures. |
The organization, if information system component failures are detected:
(a) Ensures that the standby components are successfully and transparently installed within [Assignment: organization-defined time period]; and
(b) [Selection (one or more): activates [Assignment: organization-defined alarm]; automatically shuts down the information system]. |
| CCI-001327 |
The organization defines a time period for a standby information system component to be successfully and transparently installed for the information system component that has failed. |
The organization conducting the inspection/assessment obtains and examines the documented time period to ensure the organization being inspected/assessed defines a time period for a standby information system component to be successfully and transparently installed for the information system component that has failed.
DoD has determined the time period is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents a time period for a standby information system component to be successfully and transparently installed for the information system component that has failed
DoD has determined the time period is not appropriate to define at the Enterprise level. |
Predictable Failure Prevention | Standby Component Installation / Notification |
SI-13 (4) |
SI-13(4).2 |
Automatic or manual transfer of components from standby to active mode can occur, for example, upon detection of component failures. |
The organization, if information system component failures are detected:
(a) Ensures that the standby components are successfully and transparently installed within [Assignment: organization-defined time period]; and
(b) [Selection (one or more): activates [Assignment: organization-defined alarm]; automatically shuts down the information system]. |
| CCI-001328 |
The organization, if an information system component failure is detected, activates an organization-defined alarm and/or automatically shuts down the information system. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to activate an alarm defined in SI-13( 4), CCI 1329 and/or automatically shuts down the information system if an information system component failure is detected.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1328. |
The organization being inspected/assessed configures the information system to activate an alarm defined in SI-13( 4), CCI 1329 and/or automatically shuts down the information system if an information system component failure is detected.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1328. |
Predictable Failure Prevention | Standby Component Installation / Notification |
SI-13 (4) |
SI-13(4).3 |
Automatic or manual transfer of components from standby to active mode can occur, for example, upon detection of component failures. |
The organization, if information system component failures are detected:
(a) Ensures that the standby components are successfully and transparently installed within [Assignment: organization-defined time period]; and
(b) [Selection (one or more): activates [Assignment: organization-defined alarm]; automatically shuts down the information system]. |
| CCI-001329 |
The organization defines the alarm to be activated when an information system component failure is detected. |
The organization conducting the inspection/assessment obtains and examines the documented alarm to ensure the organization being inspected/assessed defines the alarm to be activated when an information system component failure is detected.
DoD has determined the alarm is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the alarm to be activated when an information system component failure is detected.
DoD has determined the alarm is not appropriate to define at the Enterprise level. |
Predictable Failure Prevention | Standby Component Installation / Notification |
SI-13 (4) |
SI-13(4).4 |
Automatic or manual transfer of components from standby to active mode can occur, for example, upon detection of component failures. |
The organization, if information system component failures are detected:
(a) Ensures that the standby components are successfully and transparently installed within [Assignment: organization-defined time period]; and
(b) [Selection (one or more): activates [Assignment: organization-defined alarm]; automatically shuts down the information system]. |
| CCI-001689 |
The organization, if an information system component failure is detected, automatically shuts down the information system. |
|
|
|
|
|
|
|
| CCI-001680 |
The organization develops an organization-wide information security program plan that includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
DoD components are automatically compliant with this CCI as they are covered at the DoD level by DoDI 8500.01 and the Knowledge Service. If the organization or system owner is utilizing common controls they must be documented in their Security Plan. |
DoDI 8500.01 and the Knowledge Service meet the requirement for this CCI; individual organizations and system owners must provide documentation of common control implementation in their Security Plan. |
Information Security Program Plan |
PM-1 |
PM-1.4 |
Information security program plans can be represented in single documents or compilations of documents at the discretion of organizations. The plans document the program management controls and organization-defined common controls. Information security program plans provide sufficient information about the program management controls/common controls (including specification of parameters for any assignment and selection statements either explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plans and a determination of the risk to be incurred if the plans are implemented as intended.
The security plans for individual information systems and the organization-wide information security program plan together, provide complete coverage for all security controls employed within the organization. Common controls are documented in an appendix to the organization's information security program plan unless the controls are included in a separate security plan for an information system (e.g., security controls employed as part of an intrusion detection system providing organization-wide boundary protection inherited by one or more organizational information systems). The organization-wide information security program plan will indicate which separate security plans contain descriptions of common controls.
Organizations have the flexibility to describe common controls in a single document or in multiple documents. In the case of multiple documents, the documents describing common controls are included as attachments to the information security program plan. If the information security program plan contains multiple documents, the organization specifies in each document the organizational official or officials responsible for the development, implementation, assessment, authorization, and monitoring of the respective common controls. For example, the organization may require that the Facilities Management Office develop, implement, assess, authorize, and continuously monitor common physical and environmental protection controls from the PE family when such controls are not associated with a particular information system but instead, support multiple information systems. Related control: PM-8. |
The organization:
a. Develops and disseminates an organization-wide information security program plan that:
1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
3. Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and
4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
b. Reviews the organization-wide information security program plan [Assignment: organization-defined frequency];
c. Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and
d. Protects the information security program plan from unauthorized disclosure and modification. |
| CCI-000023 |
The organization develops an organization-wide information security program plan that provides sufficient information about the program management controls and common controls (including specification of parameters for any assignment and selection operations either explicitly or by reference) to enable an implementation that is unambiguously compliant with the intent of the plan, and a determination of the risk to be incurred if the plan is implemented as intended. |
|
|
|
|
|
|
|
| CCI-000073 |
The organization develops an organization-wide information security program plan that provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements. |
DoD components are automatically compliant with this CCI as they are covered at the DoD level by DoDI 8500.01 and the Knowledge Service. If the organization or system owner is utilizing common controls they must be documented in their Security Plan. |
DoDI 8500.01 and the Knowledge Service meet the requirement for this CCI; individual organizations and system owners must provide documentation of common control implementation in their Security Plan. |
Information Security Program Plan |
PM-1 |
PM-1.1 |
Information security program plans can be represented in single documents or compilations of documents at the discretion of organizations. The plans document the program management controls and organization-defined common controls. Information security program plans provide sufficient information about the program management controls/common controls (including specification of parameters for any assignment and selection statements either explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plans and a determination of the risk to be incurred if the plans are implemented as intended.
The security plans for individual information systems and the organization-wide information security program plan together, provide complete coverage for all security controls employed within the organization. Common controls are documented in an appendix to the organization's information security program plan unless the controls are included in a separate security plan for an information system (e.g., security controls employed as part of an intrusion detection system providing organization-wide boundary protection inherited by one or more organizational information systems). The organization-wide information security program plan will indicate which separate security plans contain descriptions of common controls.
Organizations have the flexibility to describe common controls in a single document or in multiple documents. In the case of multiple documents, the documents describing common controls are included as attachments to the information security program plan. If the information security program plan contains multiple documents, the organization specifies in each document the organizational official or officials responsible for the development, implementation, assessment, authorization, and monitoring of the respective common controls. For example, the organization may require that the Facilities Management Office develop, implement, assess, authorize, and continuously monitor common physical and environmental protection controls from the PE family when such controls are not associated with a particular information system but instead, support multiple information systems. Related control: PM-8. |
The organization:
a. Develops and disseminates an organization-wide information security program plan that:
1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
3. Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and
4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
b. Reviews the organization-wide information security program plan [Assignment: organization-defined frequency];
c. Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and
d. Protects the information security program plan from unauthorized disclosure and modification. |
| CCI-000074 |
The organization develops an organization-wide information security program plan that is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation. |
DoD components are automatically compliant with this CCI as they are covered at the DoD level by DoDI 8500.01 and the Knowledge Service. If the organization or system owner is utilizing common controls they must be documented in their Security Plan. |
DoDI 8500.01 and the Knowledge Service meet the requirement for this CCI; individual organizations and system owners must provide documentation of common control implementation in their Security Plan. |
Information Security Program Plan |
PM-1 |
PM-1.8 |
Information security program plans can be represented in single documents or compilations of documents at the discretion of organizations. The plans document the program management controls and organization-defined common controls. Information security program plans provide sufficient information about the program management controls/common controls (including specification of parameters for any assignment and selection statements either explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plans and a determination of the risk to be incurred if the plans are implemented as intended.
The security plans for individual information systems and the organization-wide information security program plan together, provide complete coverage for all security controls employed within the organization. Common controls are documented in an appendix to the organization's information security program plan unless the controls are included in a separate security plan for an information system (e.g., security controls employed as part of an intrusion detection system providing organization-wide boundary protection inherited by one or more organizational information systems). The organization-wide information security program plan will indicate which separate security plans contain descriptions of common controls.
Organizations have the flexibility to describe common controls in a single document or in multiple documents. In the case of multiple documents, the documents describing common controls are included as attachments to the information security program plan. If the information security program plan contains multiple documents, the organization specifies in each document the organizational official or officials responsible for the development, implementation, assessment, authorization, and monitoring of the respective common controls. For example, the organization may require that the Facilities Management Office develop, implement, assess, authorize, and continuously monitor common physical and environmental protection controls from the PE family when such controls are not associated with a particular information system but instead, support multiple information systems. Related control: PM-8. |
The organization:
a. Develops and disseminates an organization-wide information security program plan that:
1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
3. Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and
4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
b. Reviews the organization-wide information security program plan [Assignment: organization-defined frequency];
c. Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and
d. Protects the information security program plan from unauthorized disclosure and modification. |
| CCI-000075 |
The organization reviews the organization-wide information security program plan on an organization-defined frequency. |
DoD components are automatically compliant with this CCI as they are covered at the DoD level by DoDI 8500.01 and the Knowledge Service. If the organization or system owner is utilizing common controls they must be documented in their Security Plan. |
DoDI 8500.01 and the Knowledge Service meet the requirement for this CCI; individual organizations and system owners must provide documentation of common control implementation in their Security Plan. |
Information Security Program Plan |
PM-1 |
PM-1.9 |
Information security program plans can be represented in single documents or compilations of documents at the discretion of organizations. The plans document the program management controls and organization-defined common controls. Information security program plans provide sufficient information about the program management controls/common controls (including specification of parameters for any assignment and selection statements either explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plans and a determination of the risk to be incurred if the plans are implemented as intended.
The security plans for individual information systems and the organization-wide information security program plan together, provide complete coverage for all security controls employed within the organization. Common controls are documented in an appendix to the organization's information security program plan unless the controls are included in a separate security plan for an information system (e.g., security controls employed as part of an intrusion detection system providing organization-wide boundary protection inherited by one or more organizational information systems). The organization-wide information security program plan will indicate which separate security plans contain descriptions of common controls.
Organizations have the flexibility to describe common controls in a single document or in multiple documents. In the case of multiple documents, the documents describing common controls are included as attachments to the information security program plan. If the information security program plan contains multiple documents, the organization specifies in each document the organizational official or officials responsible for the development, implementation, assessment, authorization, and monitoring of the respective common controls. For example, the organization may require that the Facilities Management Office develop, implement, assess, authorize, and continuously monitor common physical and environmental protection controls from the PE family when such controls are not associated with a particular information system but instead, support multiple information systems. Related control: PM-8. |
The organization:
a. Develops and disseminates an organization-wide information security program plan that:
1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
3. Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and
4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
b. Reviews the organization-wide information security program plan [Assignment: organization-defined frequency];
c. Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and
d. Protects the information security program plan from unauthorized disclosure and modification. |
| CCI-000076 |
The organization defines the frequency with which to review the organization-wide information security program plan. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as reviewed annually - updated as appropriate. |
DoD has defined the frequency as reviewed annually - updated as appropriate. |
Information Security Program Plan |
PM-1 |
PM-1.10 |
Information security program plans can be represented in single documents or compilations of documents at the discretion of organizations. The plans document the program management controls and organization-defined common controls. Information security program plans provide sufficient information about the program management controls/common controls (including specification of parameters for any assignment and selection statements either explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plans and a determination of the risk to be incurred if the plans are implemented as intended.
The security plans for individual information systems and the organization-wide information security program plan together, provide complete coverage for all security controls employed within the organization. Common controls are documented in an appendix to the organization's information security program plan unless the controls are included in a separate security plan for an information system (e.g., security controls employed as part of an intrusion detection system providing organization-wide boundary protection inherited by one or more organizational information systems). The organization-wide information security program plan will indicate which separate security plans contain descriptions of common controls.
Organizations have the flexibility to describe common controls in a single document or in multiple documents. In the case of multiple documents, the documents describing common controls are included as attachments to the information security program plan. If the information security program plan contains multiple documents, the organization specifies in each document the organizational official or officials responsible for the development, implementation, assessment, authorization, and monitoring of the respective common controls. For example, the organization may require that the Facilities Management Office develop, implement, assess, authorize, and continuously monitor common physical and environmental protection controls from the PE family when such controls are not associated with a particular information system but instead, support multiple information systems. Related control: PM-8. |
The organization:
a. Develops and disseminates an organization-wide information security program plan that:
1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
3. Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and
4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
b. Reviews the organization-wide information security program plan [Assignment: organization-defined frequency];
c. Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and
d. Protects the information security program plan from unauthorized disclosure and modification. |
| CCI-000077 |
The organization updates the plan to address organizational changes and problems identified during plan implementation or security control assessments. |
DoD components are automatically compliant with this CCI as they are covered at the DoD level by DoDI 8500.01 and the Knowledge Service. If the organization or system owner is utilizing common controls they must be documented in their Security Plan. |
DoDI 8500.01 and the Knowledge Service meet the requirement for this CCI; individual organizations and system owners must provide documentation of common control implementation in their Security Plan. |
Information Security Program Plan |
PM-1 |
PM-1.11 |
Information security program plans can be represented in single documents or compilations of documents at the discretion of organizations. The plans document the program management controls and organization-defined common controls. Information security program plans provide sufficient information about the program management controls/common controls (including specification of parameters for any assignment and selection statements either explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plans and a determination of the risk to be incurred if the plans are implemented as intended.
The security plans for individual information systems and the organization-wide information security program plan together, provide complete coverage for all security controls employed within the organization. Common controls are documented in an appendix to the organization's information security program plan unless the controls are included in a separate security plan for an information system (e.g., security controls employed as part of an intrusion detection system providing organization-wide boundary protection inherited by one or more organizational information systems). The organization-wide information security program plan will indicate which separate security plans contain descriptions of common controls.
Organizations have the flexibility to describe common controls in a single document or in multiple documents. In the case of multiple documents, the documents describing common controls are included as attachments to the information security program plan. If the information security program plan contains multiple documents, the organization specifies in each document the organizational official or officials responsible for the development, implementation, assessment, authorization, and monitoring of the respective common controls. For example, the organization may require that the Facilities Management Office develop, implement, assess, authorize, and continuously monitor common physical and environmental protection controls from the PE family when such controls are not associated with a particular information system but instead, support multiple information systems. Related control: PM-8. |
The organization:
a. Develops and disseminates an organization-wide information security program plan that:
1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
3. Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and
4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
b. Reviews the organization-wide information security program plan [Assignment: organization-defined frequency];
c. Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and
d. Protects the information security program plan from unauthorized disclosure and modification. |
| CCI-001543 |
The organization disseminates the most recent information security program plan to appropriate entities in the organization that includes roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
|
|
|
|
|
|
|
| CCI-000021 |
The information system enforces dual authorization for organization-defined privileged commands and/or other organization-defined actions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce dual authorization for privileged commands defined in AC-3 (2), CCI 1408 and/or other actions defined in AC-3 (2), CCI 2152.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 21. |
The organization being inspected/assessed configures the information system to enforce dual authorization for privileged commands defined in AC-3 (2), CCI 1408 and/or other actions defined in AC-3 (2), CCI 2152.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 21. |
Access Enforcement | Dual Authorization |
AC-3 (2) |
AC-3(2).1 |
Dual authorization mechanisms require the approval of two authorized individuals in order to execute. Organizations do not require dual authorization mechanisms when immediate responses are necessary to ensure public and environmental safety. Dual authorization may also be known as two-person control. Related controls: CP-9, MP-6. |
The information system enforces dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions]. |
| CCI-000022 |
The information system enforces one or more organization-defined nondiscretionary access control policies over an organization-defined set of users and resources. |
|
|
|
|
|
|
|
| CCI-000024 |
The information system prevents access to organization-defined security-relevant information except during secure, non-operable system states. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prevent access to security-relevant information defined in AC-3 (5), CCI 1411 except during secure, non-operable system states.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 24. |
The organization being inspected/assessed configures the information system to prevent access to security-relevant information defined in AC-3 (5), CCI 1411 except during secure, non-operable system states.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 24. |
Access Enforcement | Security-Relevant Information |
AC-3 (5) |
AC-3(5).1 |
Security-relevant information is any information within information systems that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce system security policies or maintain the isolation of code and data. Security-relevant information includes, for example, filtering rules for routers/firewalls, cryptographic key management information, configuration parameters for security services, and access control lists. Secure, non-operable system states include the times in which information systems are not performing mission/business-related processing (e.g., the system is off-line for maintenance, troubleshooting, boot-up, shut down). Related control: CM-3. |
The information system prevents access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states. |
| CCI-000213 |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 213. |
The organization being inspected/assessed configures the information system to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 213. |
Access Enforcement |
AC-3 |
AC-3.1 |
Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security. Related controls: AC-2, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, AC-21, AC-22, AU-9, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PE-3. |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
| CCI-000214 |
The organization establishes a Discretionary Access Control (DAC) policy that limits propagation of access rights. |
|
|
|
|
|
|
|
| CCI-000215 |
The organization establishes a Discretionary Access Control (DAC) policy that includes or excludes access to the granularity of a single user. |
|
|
|
|
|
|
|
| CCI-001408 |
The organization defines privileged commands for which dual authorization is to be enforced. |
The organization conducting the inspection/assessment obtains and examines the documented privileged commands to ensure they have been defined.
DoD has determined the other actions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents privileged commands for which dual authorization is to be enforced.
DoD has determined the other actions are not appropriate to define at the Enterprise level. |
Access Enforcement | Dual Authorization |
AC-3 (2) |
AC-3(2).2 |
Dual authorization mechanisms require the approval of two authorized individuals in order to execute. Organizations do not require dual authorization mechanisms when immediate responses are necessary to ensure public and environmental safety. Dual authorization may also be known as two-person control. Related controls: CP-9, MP-6. |
The information system enforces dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions]. |
| CCI-001409 |
The organization defines nondiscretionary access control policies to be enforced over the organization-defined set of users and resources, where the rule set for each policy specifies access control information employed by the policy rule set (e.g., position, nationality, age, project, time of day) and required relationships among the access control information to permit access. |
|
|
|
|
|
|
|
| CCI-001410 |
The organization defines the set of users and resources over which the information system is to enforce nondiscretionary access control policies. |
|
|
|
|
|
|
|
| CCI-001411 |
The organization defines security-relevant information to which the information system prevents access except during secure, non-operable system states. |
The organization conducting the inspection/assessment obtains and examines the documented security-relevant information to ensure it has been defined and at a minimum, includes installing and updating crypto keys.
DoD has determined the security-relevant information is not appropriate to define at the Enterprise level, but at a minimum, installing and updating crypto keys. |
The organization being inspected/assessed defines and documents security-relevant information to which the information system prevents access except during secure, nonoperable system states. At a minimum, the security-relevant information shall include installing and updating crypto keys.
DoD has determined the security-relevant information is not appropriate to define at the Enterprise level, but at a minimum, installing and updating crypto keys. |
Access Enforcement | Security-Relevant Information |
AC-3 (5) |
AC-3(5).2 |
Security-relevant information is any information within information systems that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce system security policies or maintain the isolation of code and data. Security-relevant information includes, for example, filtering rules for routers/firewalls, cryptographic key management information, configuration parameters for security services, and access control lists. Secure, non-operable system states include the times in which information systems are not performing mission/business-related processing (e.g., the system is off-line for maintenance, troubleshooting, boot-up, shut down). Related control: CM-3. |
The information system prevents access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states. |
| CCI-001412 |
The organization encrypts or stores off-line, in a secure location, organization-defined user information. |
|
|
|
|
|
|
|
| CCI-001413 |
The organization encrypts or stores off-line, in a secure location, organization-defined system information. |
|
|
|
|
|
|
|
| CCI-001362 |
The information system enforces a Discretionary Access Control (DAC) policy that allows users to specify and control sharing by named individuals or groups of individuals, or by both. |
|
|
|
|
|
|
|
| CCI-001363 |
The organization establishes a Discretionary Access Control (DAC) policy that allows users to specify and control sharing by named individuals or groups of individuals, or by both. |
|
|
|
|
|
|
|
| CCI-001366 |
The organization defines user information to be encrypted or stored off-line in a secure location. |
|
|
|
|
|
|
|
| CCI-001367 |
The organization defines system information to be encrypted or stored off-line in a secure location. |
|
|
|
|
|
|
|
| CCI-001693 |
The information system enforces a Discretionary Access Control (DAC) policy that limits propagation of access rights. |
|
|
|
|
|
|
|
| CCI-001694 |
The information system enforces a Discretionary Access Control (DAC) policy that includes or excludes access to the granularity of a single user. |
|
|
|
|
|
|
|
| CCI-000036 |
The organization separates organization-defined duties of individuals. |
The organization conducting the inspection/assessment obtains and examines the documented processes to ensure the organization being inspected/assessed maintains separation of the duties defined in AC-5, CCI 2219 across different individuals within the organization. |
The organization being inspected/assessed documents and implements processes to maintain separation of the duties defined in AC-5, CCI 2219 across different individuals within the organization. |
Separation Of Duties |
AC-5 |
AC-5.1 |
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions. Related controls: AC-3, AC-6, PE-3, PE-4, PS-2. |
The organization:
a. Separates [Assignment: organization-defined duties of individuals];
b. Documents separation of duties of individuals; and
c. Defines information system access authorizations to support separation of duties. |
| CCI-000037 |
The organization implements separation of duties through assigned information system access authorizations. |
|
|
|
|
|
|
|
| CCI-001380 |
The organization documents separation of duties of individuals. |
The organization conducting the inspection/assessment obtains and examines the documented separation of duties to ensure the organization being inspected/assessed documents separation of duties of individuals. |
The organization being inspected/assessed documents separation of duties of individuals. |
Separation Of Duties |
AC-5 |
AC-5.3 |
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions. Related controls: AC-3, AC-6, PE-3, PE-4, PS-2. |
The organization:
a. Separates [Assignment: organization-defined duties of individuals];
b. Documents separation of duties of individuals; and
c. Defines information system access authorizations to support separation of duties. |
| CCI-000043 |
The organization defines the maximum number of consecutive invalid logon attempts to the information system by a user during an organization-defined time period. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the maximum number as three. |
DoD has defined the maximum number as three. |
Unsuccessful Login Attempts |
AC-7 |
AC-7.1 |
This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels. Related controls: AC-2, AC-9, AC-14, IA-5. |
The information system:
a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and
b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded. |
| CCI-000044 |
The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to limit invalid logon attempts by a user to three attempts during a 15 minute time period.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 44.
DoD has defined the maximum number as three.
DoD has defined the time period as 15 minutes. |
The organization being inspected/assessed configures the information system to limit invalid logon attempts by a user to three attempts during a 15 minute time period.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 44.
DoD has defined the maximum number as three.
DoD has defined the time period as 15 minutes. |
Unsuccessful Login Attempts |
AC-7 |
AC-7.2 |
This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels. Related controls: AC-2, AC-9, AC-14, IA-5. |
The information system:
a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and
b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded. |
| CCI-000045 |
The organization defines in the security plan, explicitly or by reference, the time period for lock out mode or delay period. |
|
|
|
|
|
|
|
| CCI-000046 |
The organization selects either a lock out mode for the organization-defined time period or delays the next login prompt for the organization-defined delay period for information system responses to consecutive invalid access attempts. |
|
|
|
|
|
|
|
| CCI-000047 |
The information system delays next login prompt according to the organization-defined delay algorithm, when the maximum number of unsuccessful attempts is exceeded, automatically locks the account/node for an organization-defined time period or locks the account/node until released by an Administrator IAW organizational policy. |
|
|
|
|
|
|
|
| CCI-001423 |
The organization defines the time period in which the organization-defined maximum number of consecutive invalid logon attempts occur. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as 15 minutes. |
DoD has defined the time period as 15 minutes. |
Unsuccessful Login Attempts |
AC-7 |
AC-7.3 |
This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels. Related controls: AC-2, AC-9, AC-14, IA-5. |
The information system:
a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and
b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded. |
| CCI-001452 |
The information system enforces the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted. |
|
|
|
|
|
|
|
| CCI-001382 |
The organization defines the number of consecutive, unsuccessful login attempts to the mobile device. |
|
|
|
|
|
|
|
| CCI-001383 |
The information system provides additional protection for mobile devices accessed via login by purging information from the device after an organization-defined number of consecutive, unsuccessful login attempts to the mobile device. |
|
|
|
|
|
|
|
| CCI-000048 |
The information system displays an organization-defined system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to display the DoD Information Systems – Standard Consent Banner and User Agreement before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 48.
DoD has defined the use notification message or banner as the content of DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems – Standard Consent Banner and User Agreement," March 2013. |
The organization being inspected/assessed configures the information system to display the DoD Information Systems – Standard Consent Banner and User Agreement before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 48.
DoD has defined the use notification message or banner as the content of DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems – Standard Consent Banner and User Agreement," March 2013. |
System Use Notification |
AC-8 |
AC-8.1 |
System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content. |
The information system:
a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:
1. Users are accessing a U.S. Government information system;
2. Information system usage may be monitored, recorded, and subject to audit;
3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and
4. Use of the information system indicates consent to monitoring and recording;
b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and
c. For publicly accessible systems:
1. Displays system use information [Assignment: organization-defined conditions], before granting further access;
2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
3. Includes a description of the authorized uses of the system. |
| CCI-000049 |
The organization defines a system use notification message or banner displayed before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: (i) users are accessing a U.S. Government information system; (ii) system usage may be monitored, recorded, and subject to audit; (iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) use of the system indicates consent to monitoring and recording. |
|
|
|
|
|
|
|
| CCI-000050 |
The information system retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 50. |
The organization being inspected/assessed configures the information system to retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 50. |
System Use Notification |
AC-8 |
AC-8.7 |
System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content. |
The information system:
a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:
1. Users are accessing a U.S. Government information system;
2. Information system usage may be monitored, recorded, and subject to audit;
3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and
4. Use of the information system indicates consent to monitoring and recording;
b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and
c. For publicly accessible systems:
1. Displays system use information [Assignment: organization-defined conditions], before granting further access;
2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
3. Includes a description of the authorized uses of the system. |
| CCI-000051 |
The organization approves the information system use notification message before its use. |
|
|
|
|
|
|
|
| CCI-001384 |
The information system, for publicly accessible systems, displays system use information organization-defined conditions before granting further access. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to display the content of DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems - Standard Consent Banner and User Agreement," March 2013 before granting further access for publicly accessible systems
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1384.
DoD has defined the conditions as the content of DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems - Standard Consent Banner and User Agreement," March 2013. |
The organization being inspected/assessed configures the information system to display the content of DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems - Standard Consent Banner and User Agreement," March 2013 before granting further access for publicly accessible systems
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1384.
DoD has defined the conditions as the content of DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems - Standard Consent Banner and User Agreement," March 2013. |
System Use Notification |
AC-8 |
AC-8.8 |
System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content. |
The information system:
a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:
1. Users are accessing a U.S. Government information system;
2. Information system usage may be monitored, recorded, and subject to audit;
3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and
4. Use of the information system indicates consent to monitoring and recording;
b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and
c. For publicly accessible systems:
1. Displays system use information [Assignment: organization-defined conditions], before granting further access;
2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
3. Includes a description of the authorized uses of the system. |
| CCI-001385 |
The information system, for publicly accessible systems, displays references, if any, to monitoring that are consistent with privacy accommodations for such systems that generally prohibit those activities. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to display references, if any, to monitoring that are consistent with privacy accommodations for such systems that generally prohibit those activities for publicly accessible systems.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1385. |
The organization being inspected/assessed configures the information system to display references, if any, to monitoring that are consistent with privacy accommodations for such systems that generally prohibit those activities for publicly accessible systems.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1385. |
System Use Notification |
AC-8 |
AC-8.10 |
System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content. |
The information system:
a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:
1. Users are accessing a U.S. Government information system;
2. Information system usage may be monitored, recorded, and subject to audit;
3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and
4. Use of the information system indicates consent to monitoring and recording;
b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and
c. For publicly accessible systems:
1. Displays system use information [Assignment: organization-defined conditions], before granting further access;
2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
3. Includes a description of the authorized uses of the system. |
| CCI-001386 |
The information system, for publicly accessible systems, displays references, if any, to recording that are consistent with privacy accommodations for such systems that generally prohibit those activities. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to display references, if any, to recording that are consistent with privacy accommodations for such systems that generally prohibit those activities for publicly accessible systems.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1386. |
The organization being inspected/assessed configures the information system to display references, if any, to recording that are consistent with privacy accommodations for such systems that generally prohibit those activities for publicly accessible systems.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1386. |
System Use Notification |
AC-8 |
AC-8.11 |
System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content. |
The information system:
a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:
1. Users are accessing a U.S. Government information system;
2. Information system usage may be monitored, recorded, and subject to audit;
3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and
4. Use of the information system indicates consent to monitoring and recording;
b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and
c. For publicly accessible systems:
1. Displays system use information [Assignment: organization-defined conditions], before granting further access;
2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
3. Includes a description of the authorized uses of the system. |
| CCI-001387 |
The information system, for publicly accessible systems, displays references, if any, to auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to display references, if any, to auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities for publicly accessible systems.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1387. |
The organization being inspected/assessed configures the information system to display references, if any, to auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities for publicly accessible systems.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1387. |
System Use Notification |
AC-8 |
AC-8.12 |
System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content. |
The information system:
a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:
1. Users are accessing a U.S. Government information system;
2. Information system usage may be monitored, recorded, and subject to audit;
3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and
4. Use of the information system indicates consent to monitoring and recording;
b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and
c. For publicly accessible systems:
1. Displays system use information [Assignment: organization-defined conditions], before granting further access;
2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
3. Includes a description of the authorized uses of the system. |
| CCI-001388 |
The information system, for publicly accessible systems, includes a description of the authorized uses of the system. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to include a description of the authorized uses of the system for publicly accessible systems.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1388. |
The organization being inspected/assessed configures the information system to include a description of the authorized uses of the system for publicly accessible systems.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1388. |
System Use Notification |
AC-8 |
AC-8.13 |
System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content. |
The information system:
a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:
1. Users are accessing a U.S. Government information system;
2. Information system usage may be monitored, recorded, and subject to audit;
3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and
4. Use of the information system indicates consent to monitoring and recording;
b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and
c. For publicly accessible systems:
1. Displays system use information [Assignment: organization-defined conditions], before granting further access;
2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
3. Includes a description of the authorized uses of the system. |
| CCI-000052 |
The information system notifies the user, upon successful logon (access) to the system, of the date and time of the last logon (access). |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to notify the user, upon successful logon (access) to the system, of the date and time of the last logon (access).
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 52. |
The organization being inspected/assessed configures the information system to notify the user, upon successful logon (access) to the system, of the date and time of the last logon (access).
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 52. |
Previous Logon (Access) Notification |
AC-9 |
AC-9.1 |
This control is applicable to logons to information systems via human user interfaces and logons to systems that occur in other types of architectures (e.g., service-oriented architectures). Related controls: AC-7, PL-4. |
The information system notifies the user, upon successful logon (access) to the system, of the date and time of the last logon (access). |
| CCI-000053 |
The information system notifies the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to notify the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 53. |
The organization being inspected/assessed configures the information system to notify the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 53. |
Previous Logon Notification | Unsuccessful Logons |
AC-9 (1) |
AC-9(1).1 |
|
The information system notifies the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access. |
| CCI-001389 |
The organization defines the time period that the information system notifies the user of the number of successful logon/access attempts. |
DoD has determined this CCI is not applicable because this option is not selected. |
DoD has determined this CCI is not applicable because this option is not selected. |
Previous Logon (Access) Notification | Successful/ Unsuccessful Logons |
AC-9 (2) |
AC-9(2).1 |
|
The information system notifies the user of the number of [Selection: successful logons/accesses; unsuccessful logon/access attempts; both] during [Assignment: organization-defined time period]. |
| CCI-001390 |
The organization defines the time period that the information system notifies the user of the number of unsuccessful logon/access attempts. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as the time since the last successful login (for unsuccessful logon/access attempts). |
DoD has defined the time period as the time since the last successful login (for unsuccessful logon/access attempts). |
Previous Logon (Access) Notification | Successful/ Unsuccessful Logons |
AC-9 (2) |
AC-9(2).2 |
|
The information system notifies the user of the number of [Selection: successful logons/accesses; unsuccessful logon/access attempts; both] during [Assignment: organization-defined time period]. |
| CCI-001391 |
The information system notifies the user of the number of successful logins/accesses that occur during the organization-defined time period. |
DoD has determined this CCI is not applicable because this option is not selected. |
DoD has determined this CCI is not applicable because this option is not selected. |
Previous Logon (Access) Notification | Successful/ Unsuccessful Logons |
AC-9 (2) |
AC-9(2).3 |
|
The information system notifies the user of the number of [Selection: successful logons/accesses; unsuccessful logon/access attempts; both] during [Assignment: organization-defined time period]. |
| CCI-001392 |
The information system notifies the user of the number of unsuccessful login/access attempts that occur during organization-defined time period. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to notify the user of the number of unsuccessful login/access attempts that occur during the time period defined in AC-9 (2), CCI 1389.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1392. |
The organization being inspected/assessed configures the information system to notify the user of the number of unsuccessful login/access attempts that occur during the time period defined in AC-9 (2), CCI 1389.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1392. |
Previous Logon (Access) Notification | Successful/ Unsuccessful Logons |
AC-9 (2) |
AC-9(2).4 |
|
The information system notifies the user of the number of [Selection: successful logons/accesses; unsuccessful logon/access attempts; both] during [Assignment: organization-defined time period]. |
| CCI-001393 |
The organization defines the security-related characteristics/parameters of the user^s account which, when changed, will result in a notification being provided to the user during the organization-defined time period. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the security-related characteristics/parameters as access and/or privilege parameters. |
DoD has defined the security-related characteristics/parameters as access and/or privilege parameters. |
Previous Logon (Access) Notification | Notification Of Account Changes |
AC-9 (3) |
AC-9(3).1 |
|
The information system notifies the user of changes to [Assignment: organization-defined security-related characteristics/parameters of the user's account] during [Assignment: organization-defined time period]. |
| CCI-001394 |
The organization defines the time period during which organization-defined security-related changes to the user^s account are to be tracked. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as since last successful login. |
DoD has defined the time period as since last successful login. |
Previous Logon (Access) Notification | Notification Of Account Changes |
AC-9 (3) |
AC-9(3).2 |
|
The information system notifies the user of changes to [Assignment: organization-defined security-related characteristics/parameters of the user's account] during [Assignment: organization-defined time period]. |
| CCI-001395 |
The information system notifies the user of changes to organization-defined security-related characteristics/parameters of the user^s account that occur during the organization-defined time period. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to notify the user of changes to access and/or privilege parameters that occur since last successful login.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1395.
DoD has defined the time period as since last successful login.
DoD has defined the security-related characteristics/parameters as access and/or privilege parameters. |
The organization being inspected/assessed configures the information system to notify the user of changes to access and/or privilege parameters that occur since last successful login.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1395.
DoD has defined the time period as since last successful login.
DoD has defined the security-related characteristics/parameters as access and/or privilege parameters. |
Previous Logon (Access) Notification | Notification Of Account Changes |
AC-9 (3) |
AC-9(3).3 |
|
The information system notifies the user of changes to [Assignment: organization-defined security-related characteristics/parameters of the user's account] during [Assignment: organization-defined time period]. |
| CCI-000054 |
The information system limits the number of concurrent sessions for each organization-defined account and/or account type to an organization-defined number of sessions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to limit the number of concurrent sessions for all accounts and/or account types to a number of sessions defined in AC-10, CCI 55.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 54.
DoD has defined the account types and/or accounts as all account types and/or accounts. |
The organization being inspected/assessed configures the information system to limit the number of concurrent sessions for all accounts and/or account types to a number of sessions defined in AC-10, CCI 55.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 54.
DoD has defined the account types and/or accounts as all account types and/or accounts. |
Concurrent Session Control |
AC-10 |
AC-10.1 |
Organizations may define the maximum number of concurrent sessions for information system accounts globally, by account type (e.g., privileged user, non-privileged user, domain, specific application), by account, or a combination. For example, organizations may limit the number of concurrent sessions for system administrators or individuals working in particularly sensitive domains or mission-critical applications. This control addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. |
The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number]. |
| CCI-000055 |
The organization defines the maximum number of concurrent sessions to be allowed for each organization-defined account and/or account type. |
The organization conducting the inspection/assessment obtains and examines the documented maximum number to ensure the organization being inspected/assessed defines the maximum number of concurrent sessions to be allowed for each organization-defined account and/or account type.
DoD has determined the maximum number is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the maximum number of concurrent sessions to be allowed for each organization-defined account and/or account type.
The maximum number of concurrent sessions should be defined based upon the systems operational environment and mission needs.
DoD has determined the maximum number is not appropriate to define at the Enterprise level. |
Concurrent Session Control |
AC-10 |
AC-10.2 |
Organizations may define the maximum number of concurrent sessions for information system accounts globally, by account type (e.g., privileged user, non-privileged user, domain, specific application), by account, or a combination. For example, organizations may limit the number of concurrent sessions for system administrators or individuals working in particularly sensitive domains or mission-critical applications. This control addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. |
The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number]. |
| CCI-000056 |
The information system retains the session lock until the user reestablishes access using established identification and authentication procedures. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to retain the session lock until the user reestablishes access using established identification and authentication procedures.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 56. |
The organization being inspected/assessed configures the information system to retain the session lock until the user reestablishes access using established identification and authentication procedures.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 56. |
Session Lock |
AC-11 |
AC-11.4 |
Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of information systems but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined. This is typically at the operating system level, but can also be at the application level. Session locks are not an acceptable substitute for logging out of information systems, for example, if organizations require users to log out at the end of workdays. Related control: AC-7. |
The information system:
a. Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and
b. Retains the session lock until the user reestablishes access using established identification and authentication procedures. |
| CCI-000057 |
The information system initiates a session lock after the organization-defined time period of inactivity. |
|
|
|
|
|
|
|
| CCI-000058 |
The information system provides the capability for users to directly initiate session lock mechanisms. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide the capability for users to directly initiate session lock mechanisms.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 58. |
The organization being inspected/assessed configures the information system to provide the capability for users to directly initiate session lock mechanisms.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 58. |
Session Lock |
AC-11 |
AC-11.2 |
Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of information systems but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined. This is typically at the operating system level, but can also be at the application level. Session locks are not an acceptable substitute for logging out of information systems, for example, if organizations require users to log out at the end of workdays. Related control: AC-7. |
The information system:
a. Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and
b. Retains the session lock until the user reestablishes access using established identification and authentication procedures. |
| CCI-000059 |
The organization defines the time period of inactivity after which the information system initiates a session lock. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as 15 minutes. |
DoD has defined the time period as 15 minutes. |
Session Lock |
AC-11 |
AC-11.3 |
Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of information systems but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined. This is typically at the operating system level, but can also be at the application level. Session locks are not an acceptable substitute for logging out of information systems, for example, if organizations require users to log out at the end of workdays. Related control: AC-7. |
The information system:
a. Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and
b. Retains the session lock until the user reestablishes access using established identification and authentication procedures. |
| CCI-000060 |
The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to conceal, via the session lock, information previously visible on the display with a publicly viewable image.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 60. |
The organization being inspected/assessed configures the information system to conceal, via the session lock, information previously visible on the display with a publicly viewable image.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 60. |
Session Lock | Pattern-Hiding Displays |
AC-11 (1) |
AC-11(1).1 |
Publicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information. |
The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. |
| CCI-000061 |
The organization identifies and defines organization-defined user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions. |
The organization conducting the inspection/assessment obtains and examines the documented user actions to ensure the organization being inspected/assessed identifies and defines the user actions that can be performed on the information system without identification and authentication.
DoD has determined the user actions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed identifies, defines, and documents user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions.
DoD has determined the user actions are not appropriate to define at the Enterprise level. |
Permitted Actions Without Identification Or Authentication |
AC-14 |
AC-14.1 |
This control addresses situations in which organizations determine that no identification or authentication is required in organizational information systems. Organizations may allow a limited number of user actions without identification or authentication including, for example, when individuals access public websites or other publicly accessible federal information systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations also identify actions that normally require identification or authentication but may under certain circumstances (e.g., emergencies), allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational information systems without identification and authentication and thus, the values for assignment statements can be none. Related controls: CP-2, IA-2. |
The organization:
a. Identifies [Assignment: organization-defined user actions] that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and
b. Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication. |
| CCI-000062 |
The organization permits actions to be performed without identification and authentication only to the extent necessary to accomplish mission/business objectives. |
|
|
|
|
|
|
|
| CCI-000232 |
The organization documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification and authentication. |
The organization conducting the inspection/assessment obtains and examines the security plan to ensure the organization being inspected/assessed documents the supporting rationale for the actions defined in AC-14, CCI 61 to not require identification and authentication. |
The organization being inspected/assessed documents supporting rationale in the security plan for the actions defined in AC-14, CCI 61 to not require identification and authentication. |
Permitted Actions Without Identification Or Authentication |
AC-14 |
AC-14.2 |
This control addresses situations in which organizations determine that no identification or authentication is required in organizational information systems. Organizations may allow a limited number of user actions without identification or authentication including, for example, when individuals access public websites or other publicly accessible federal information systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations also identify actions that normally require identification or authentication but may under certain circumstances (e.g., emergencies), allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational information systems without identification and authentication and thus, the values for assignment statements can be none. Related controls: CP-2, IA-2. |
The organization:
a. Identifies [Assignment: organization-defined user actions] that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and
b. Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication. |
| CCI-000264 |
The organization develops a plan of action and milestones for the information system to document the organization^s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system. |
The organization conducting the inspection/assessment obtains and examines the security POA&M for compliance with DoDI 8510.01. |
The organization being inspected/assessed will develop a security POA&M in accordance with DoDI 8510.01 Enclosure 6.
POA&M templates are available on the Knowledge Service. |
Plan Of Action And Milestones |
CA-5 |
CA-5.1 |
Plans of action and milestones are key documents in security authorization packages and are subject to federal reporting requirements established by OMB. Related controls: CA-2, CA-7, CM-4, PM-4. |
The organization:
a. Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. |
| CCI-000265 |
The organization defines the frequency with which to update the existing plan of action and milestones for the information system. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as at least every 90 days. |
DoD has defined the frequency as at least every 90 days. |
Plan Of Action And Milestones |
CA-5 |
CA-5.2 |
Plans of action and milestones are key documents in security authorization packages and are subject to federal reporting requirements established by OMB. Related controls: CA-2, CA-7, CM-4, PM-4. |
The organization:
a. Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. |
| CCI-000266 |
The organization updates, on an organization-defined frequency, the existing plan of action and milestones for the information system based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. |
The organization conducting the inspection/assessment obtains and examines current POA&M. The objective is to validate the organization is providing updates to the POA&M at least every 90 days. Review of POA&M without change must be documented (i.e., adding review date to the POA&M header information).
DoD has defined the frequency as at least every 90 days. |
The organization being inspected/assessed will update the POA&M at least every 90 days.
The updates are to be based upon the assessment of the identified vulnerabilities and weaknesses, prioritization of the vulnerabilities and weaknesses, progress being made in addressing and resolving the security weaknesses and vulnerabilities found in programs and systems, and continuous monitoring activities.
DoD has defined the frequency as at least every 90 days. |
Plan Of Action And Milestones |
CA-5 |
CA-5.3 |
Plans of action and milestones are key documents in security authorization packages and are subject to federal reporting requirements established by OMB. Related controls: CA-2, CA-7, CM-4, PM-4. |
The organization:
a. Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. |
| CCI-000267 |
The organization employs automated mechanisms to help ensure the plan of action and milestones for the information system is accurate. |
The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms.
The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. |
The organization being inspected/assessed will identify and document the automated mechanisms in use to ensure the security POA&M is accurate. |
Plan Of Action And Milestones | Automation Support For Accuracy / Currency |
CA-5 (1) |
CA-5(1).1 |
|
The organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is accurate, up to date, and readily available. |
| CCI-000268 |
The organization employs automated mechanisms to help ensure the plan of action and milestones for the information system is up to date. |
The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms.
The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. |
The organization being inspected/assessed will identify and document the automated mechanisms in use to ensure the POA&M is up to date. |
Plan Of Action And Milestones | Automation Support For Accuracy / Currency |
CA-5 (1) |
CA-5(1).2 |
|
The organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is accurate, up to date, and readily available. |
| CCI-000269 |
The organization employs automated mechanisms to help ensure the plan of action and milestones for the information system is readily available. |
The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms.
The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. |
The organization being inspected/assessed will identify and document the automated mechanisms in use to ensure the POA&M is readily available. |
Plan Of Action And Milestones | Automation Support For Accuracy / Currency |
CA-5 (1) |
CA-5(1).3 |
|
The organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is accurate, up to date, and readily available. |
| CCI-000270 |
The organization assigns a senior-level executive or manager as the authorizing official for the information system. |
The organization conducting the inspection/assessment obtains and examines the written appointment memorandum. |
The organization being inspected/assessed will assign a senior-level executive or manager as the official role, and the responsibility, for authorizing the information system(s).
Assignment must be in writing and IAW with DoDI 8510.01 (i.e. Appointment memorandum). |
Security Authorization |
CA-6 |
CA-6.1 |
Security authorizations are official management decisions, conveyed through authorization decision documents, by senior organizational officials or executives (i.e., authorizing officials) to authorize operation of information systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon security controls. Authorizing officials provide budgetary oversight for organizational information systems or assume responsibility for the mission/business operations supported by those systems. The security authorization process is an inherently federal responsibility and therefore, authorizing officials must be federal employees. Through the security authorization process, authorizing officials assume responsibility and are accountable for security risks associated with the operation and use of organizational information systems. Accordingly, authorizing officials are in positions with levels of authority commensurate with understanding and accepting such information security-related risks. OMB policy requires that organizations conduct ongoing authorizations of information systems by implementing continuous monitoring programs. Continuous monitoring programs can satisfy three-year reauthorization requirements, so separate reauthorization processes are not necessary. Through the employment of comprehensive continuous monitoring processes, critical information contained in authorization packages (i.e., security plans, security assessment reports, and plans of action and milestones) is updated on an ongoing basis, providing authorizing officials and information system owners with an up-to-date status of the security state of organizational information systems and environments of operation. To reduce the administrative cost of security reauthorization, authorizing officials use the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions. Related controls: CA-2, CA-7, PM-9, PM-10. |
The organization:
a. Assigns a senior-level executive or manager as the authorizing official for the information system;
b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and
c. Updates the security authorization [Assignment: organization - defined frequency]. |
| CCI-000271 |
The organization ensures the authorizing official authorizes the information system for processing before commencing operations. |
The organization conducting the inspection/assessment obtains and examines the authorization document to ensure the information system is authorized prior to being placed into operational status. |
The organization being inspected/assessed will ensure that an authorization document (e.g. authorization to operate (ATO), interim authorization to operate (IATO)) has been issued by the authorizing official (AO) prior to placing the information system into an operational status. |
Security Authorization |
CA-6 |
CA-6.2 |
Security authorizations are official management decisions, conveyed through authorization decision documents, by senior organizational officials or executives (i.e., authorizing officials) to authorize operation of information systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon security controls. Authorizing officials provide budgetary oversight for organizational information systems or assume responsibility for the mission/business operations supported by those systems. The security authorization process is an inherently federal responsibility and therefore, authorizing officials must be federal employees. Through the security authorization process, authorizing officials assume responsibility and are accountable for security risks associated with the operation and use of organizational information systems. Accordingly, authorizing officials are in positions with levels of authority commensurate with understanding and accepting such information security-related risks. OMB policy requires that organizations conduct ongoing authorizations of information systems by implementing continuous monitoring programs. Continuous monitoring programs can satisfy three-year reauthorization requirements, so separate reauthorization processes are not necessary. Through the employment of comprehensive continuous monitoring processes, critical information contained in authorization packages (i.e., security plans, security assessment reports, and plans of action and milestones) is updated on an ongoing basis, providing authorizing officials and information system owners with an up-to-date status of the security state of organizational information systems and environments of operation. To reduce the administrative cost of security reauthorization, authorizing officials use the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions. Related controls: CA-2, CA-7, PM-9, PM-10. |
The organization:
a. Assigns a senior-level executive or manager as the authorizing official for the information system;
b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and
c. Updates the security authorization [Assignment: organization - defined frequency]. |
| CCI-000272 |
The organization updates the security authorization on an organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the security authorization documentation to confirm the security authorization has been updated within the last three years, when there was a significant change to the system, or if there was a change to the environment in which the system operates.
DoD has defined the frequency as at least every three years, whenever there is a significant change to the system, or if there is a change to the environment in which the system operates. |
The organization being inspected/assessed updates the security authorization at least every three years, whenever there is a significant change to the system, or if there is a change to the environment in which the system operates.
DoD has defined the frequency as at least every three years, whenever there is a significant change to the system, or if there is a change to the environment in which the system operates. |
Security Authorization |
CA-6 |
CA-6.3 |
Security authorizations are official management decisions, conveyed through authorization decision documents, by senior organizational officials or executives (i.e., authorizing officials) to authorize operation of information systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon security controls. Authorizing officials provide budgetary oversight for organizational information systems or assume responsibility for the mission/business operations supported by those systems. The security authorization process is an inherently federal responsibility and therefore, authorizing officials must be federal employees. Through the security authorization process, authorizing officials assume responsibility and are accountable for security risks associated with the operation and use of organizational information systems. Accordingly, authorizing officials are in positions with levels of authority commensurate with understanding and accepting such information security-related risks. OMB policy requires that organizations conduct ongoing authorizations of information systems by implementing continuous monitoring programs. Continuous monitoring programs can satisfy three-year reauthorization requirements, so separate reauthorization processes are not necessary. Through the employment of comprehensive continuous monitoring processes, critical information contained in authorization packages (i.e., security plans, security assessment reports, and plans of action and milestones) is updated on an ongoing basis, providing authorizing officials and information system owners with an up-to-date status of the security state of organizational information systems and environments of operation. To reduce the administrative cost of security reauthorization, authorizing officials use the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions. Related controls: CA-2, CA-7, PM-9, PM-10. |
The organization:
a. Assigns a senior-level executive or manager as the authorizing official for the information system;
b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and
c. Updates the security authorization [Assignment: organization - defined frequency]. |
| CCI-000273 |
The organization defines the frequency with which to update the security authorization. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as at least every three years, whenever there is a significant change to the system, or if there is a change to the environment in which the system operates. |
DoD has defined the frequency as at least every three years, whenever there is a significant change to the system, or if there is a change to the environment in which the system operates. |
Security Authorization |
CA-6 |
CA-6.4 |
Security authorizations are official management decisions, conveyed through authorization decision documents, by senior organizational officials or executives (i.e., authorizing officials) to authorize operation of information systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon security controls. Authorizing officials provide budgetary oversight for organizational information systems or assume responsibility for the mission/business operations supported by those systems. The security authorization process is an inherently federal responsibility and therefore, authorizing officials must be federal employees. Through the security authorization process, authorizing officials assume responsibility and are accountable for security risks associated with the operation and use of organizational information systems. Accordingly, authorizing officials are in positions with levels of authority commensurate with understanding and accepting such information security-related risks. OMB policy requires that organizations conduct ongoing authorizations of information systems by implementing continuous monitoring programs. Continuous monitoring programs can satisfy three-year reauthorization requirements, so separate reauthorization processes are not necessary. Through the employment of comprehensive continuous monitoring processes, critical information contained in authorization packages (i.e., security plans, security assessment reports, and plans of action and milestones) is updated on an ongoing basis, providing authorizing officials and information system owners with an up-to-date status of the security state of organizational information systems and environments of operation. To reduce the administrative cost of security reauthorization, authorizing officials use the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions. Related controls: CA-2, CA-7, PM-9, PM-10. |
The organization:
a. Assigns a senior-level executive or manager as the authorizing official for the information system;
b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and
c. Updates the security authorization [Assignment: organization - defined frequency]. |
| CCI-000082 |
The organization establishes usage restrictions for organization-controlled mobile devices. |
The organization conducting the inspection/assessment obtains and examines the documented usage restrictions to ensure the organization being inspected/assessed establishes usage restrictions for organization controlled mobile devices. |
The organization being inspected/assessed establishes and documents usage restrictions for organization controlled mobile devices. |
Access Control For Mobile Devices |
AC-19 |
AC-19.1 |
A mobile device is a computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, E-readers, and tablets. Mobile devices are typically associated with a single individual and the device is usually in close proximity to the individual; however, the degree of proximity can vary depending upon on the form factor and size of the device. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of desktop systems, depending upon the nature and intended purpose of the device. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different classes/types of such devices. Usage restrictions and specific implementation guidance for mobile devices include, for example, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the need to provide adequate security for mobile devices goes beyond the requirements in this control. Many safeguards and countermeasures for mobile devices are reflected in other security controls in the catalog allocated in the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some degree of overlap in the requirements articulated by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled. Related controls: AC-3, AC-7, AC-18, AC-20, CA-9, CM-2, IA-2, IA-3, MP-2, MP-4, MP-5, PL-4, SC-7, SC-43, SI-3, SI-4. |
The organization:
a. Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and
b. Authorizes the connection of mobile devices to organizational information systems. |
| CCI-000083 |
The organization establishes implementation guidance for organization-controlled mobile devices. |
The organization conducting the inspection/assessment obtains and examines the documented implementation guidance to ensure the organization being inspected/assessed establishes implementation guidance for organization controlled mobile devices. |
The organization being inspected/assessed establishes and documents implementation guidance for organization controlled mobile devices. |
Access Control For Mobile Devices |
AC-19 |
AC-19.2 |
A mobile device is a computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, E-readers, and tablets. Mobile devices are typically associated with a single individual and the device is usually in close proximity to the individual; however, the degree of proximity can vary depending upon on the form factor and size of the device. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of desktop systems, depending upon the nature and intended purpose of the device. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different classes/types of such devices. Usage restrictions and specific implementation guidance for mobile devices include, for example, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the need to provide adequate security for mobile devices goes beyond the requirements in this control. Many safeguards and countermeasures for mobile devices are reflected in other security controls in the catalog allocated in the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some degree of overlap in the requirements articulated by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled. Related controls: AC-3, AC-7, AC-18, AC-20, CA-9, CM-2, IA-2, IA-3, MP-2, MP-4, MP-5, PL-4, SC-7, SC-43, SI-3, SI-4. |
The organization:
a. Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and
b. Authorizes the connection of mobile devices to organizational information systems. |
| CCI-000084 |
The organization authorizes connection of mobile devices to organizational information systems. |
The organization conducting the inspection/assessment obtains and examines the audit trail of authorizations to ensure the organization being inspected/assessed authorizes connection of mobile devices to organizational information systems. |
The organization being inspected/assessed authorizes connection of mobile devices to organizational information systems.
The organization must maintain an audit trail of authorizations. |
Access Control For Mobile Devices |
AC-19 |
AC-19.5 |
A mobile device is a computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, E-readers, and tablets. Mobile devices are typically associated with a single individual and the device is usually in close proximity to the individual; however, the degree of proximity can vary depending upon on the form factor and size of the device. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of desktop systems, depending upon the nature and intended purpose of the device. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different classes/types of such devices. Usage restrictions and specific implementation guidance for mobile devices include, for example, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the need to provide adequate security for mobile devices goes beyond the requirements in this control. Many safeguards and countermeasures for mobile devices are reflected in other security controls in the catalog allocated in the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some degree of overlap in the requirements articulated by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled. Related controls: AC-3, AC-7, AC-18, AC-20, CA-9, CM-2, IA-2, IA-3, MP-2, MP-4, MP-5, PL-4, SC-7, SC-43, SI-3, SI-4. |
The organization:
a. Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and
b. Authorizes the connection of mobile devices to organizational information systems. |
| CCI-000085 |
The organization monitors for unauthorized connections of mobile devices to organizational information systems. |
|
|
|
|
|
|
|
| CCI-000086 |
The organization enforces requirements for the connection of mobile devices to organizational information systems. |
|
|
|
|
|
|
|
| CCI-000087 |
The organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction. |
|
|
|
|
|
|
|
| CCI-000088 |
The organization issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures. |
|
|
|
|
|
|
|
| CCI-000089 |
The organization applies organization-defined inspection and preventative measures to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures. |
|
|
|
|
|
|
|
| CCI-000090 |
The organization restricts the use of writable, removable media in organizational information systems. |
|
|
|
|
|
|
|
| CCI-000091 |
The organization prohibits the use of personally-owned, removable media in organizational information systems. |
|
|
|
|
|
|
|
| CCI-000092 |
The organization prohibits the use of removable media in organizational information systems when the media has no identifiable owner. |
|
|
|
|
|
|
|
| CCI-001456 |
The organization defines locations that the organization deems to be of significant risk in accordance with organizational policies and procedures. |
|
|
|
|
|
|
|
| CCI-001457 |
The organization defines inspection and preventative measures to be applied on mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures. |
|
|
|
|
|
|
|
| CCI-001458 |
The organization requires that if classified information is found on mobile devices, the incident handling policy be followed. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed requires that if classified information is found on mobile devices, the incident handling policy is followed. |
The organization being inspected/assessed documents and implements a process to require that if classified information is found on mobile devices, the incident handling policy is followed. |
Access Control For Mobile Devices | Restrictions For Classified Information |
AC-19 (4) |
AC-19(4).7 |
Related controls: CA-6, IR-4. |
The organization:
(a) Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and
(b) Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information:
(1) Connection of unclassified mobile devices to classified information systems is prohibited;
(2) Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official;
(3) Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and
(4) Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed.
(c) Restricts the connection of classified mobile devices to classified information systems in accordance with [Assignment: organization-defined security policies]. |
| CCI-001330 |
The organization prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official. |
The organization being inspected/assessed documents and implements a process to prohibit the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official. |
Access Control For Mobile Devices | Restrictions For Classified Information |
AC-19 (4) |
AC-19(4).1 |
Related controls: CA-6, IR-4. |
The organization:
(a) Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and
(b) Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information:
(1) Connection of unclassified mobile devices to classified information systems is prohibited;
(2) Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official;
(3) Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and
(4) Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed.
(c) Restricts the connection of classified mobile devices to classified information systems in accordance with [Assignment: organization-defined security policies]. |
| CCI-001331 |
The organization prohibits connection of unclassified mobile devices to classified information systems. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed prohibits connection of unclassified mobile devices to classified information systems. |
The organization being inspected/assessed documents and implements a process to prohibit connection of unclassified mobile devices to classified information systems. |
Access Control For Mobile Devices | Restrictions For Classified Information |
AC-19 (4) |
AC-19(4).2 |
Related controls: CA-6, IR-4. |
The organization:
(a) Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and
(b) Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information:
(1) Connection of unclassified mobile devices to classified information systems is prohibited;
(2) Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official;
(3) Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and
(4) Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed.
(c) Restricts the connection of classified mobile devices to classified information systems in accordance with [Assignment: organization-defined security policies]. |
| CCI-001332 |
The organization requires approval from the authorizing official for the connection of unclassified mobile devices to unclassified information systems. |
The organization conducting the inspection/assessment obtains and examines the documented process and the audit trail of approvals to ensure the organization being inspected/assessed requires approval from the authorizing official for the connection of unclassified mobile devices to unclassified information systems. |
The organization being inspected/assessed documents and implements a process to require approval from the authorizing official for the connection of unclassified mobile devices to unclassified information systems.
The organization must maintain an audit trail of approvals. |
Access Control For Mobile Devices | Restrictions For Classified Information |
AC-19 (4) |
AC-19(4).3 |
Related controls: CA-6, IR-4. |
The organization:
(a) Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and
(b) Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information:
(1) Connection of unclassified mobile devices to classified information systems is prohibited;
(2) Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official;
(3) Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and
(4) Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed.
(c) Restricts the connection of classified mobile devices to classified information systems in accordance with [Assignment: organization-defined security policies]. |
| CCI-001333 |
The organization prohibits use of internal or external modems or wireless interfaces within unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed prohibits use of internal or external modems or wireless interfaces within unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information. |
The organization being inspected/assessed documents and implements a process to prohibit use of internal or external modems or wireless interfaces within unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information. |
Access Control For Mobile Devices | Restrictions For Classified Information |
AC-19 (4) |
AC-19(4).4 |
Related controls: CA-6, IR-4. |
The organization:
(a) Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and
(b) Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information:
(1) Connection of unclassified mobile devices to classified information systems is prohibited;
(2) Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official;
(3) Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and
(4) Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed.
(c) Restricts the connection of classified mobile devices to classified information systems in accordance with [Assignment: organization-defined security policies]. |
| CCI-001334 |
The organization requires that unclassified mobile devices used in facilities containing information systems processing, storing, or transmitting classified information and the information stored on those devices be subject to random reviews and inspections by organization-defined security officials. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed requires that unclassified mobile devices used in facilities containing information systems processing, storing, or transmitting classified information and the information stored on those devices are subject to random reviews and inspections by the ISSM/ISSO.
DoD has defined the security officials as the ISSM/ISSO. |
The organization being inspected/assessed documents and implements a process to require that unclassified mobile devices used in facilities containing information systems processing, storing, or transmitting classified information and the information stored on those devices are subject to random reviews and inspections by the ISSM/ISSO.
DoD has defined the security officials as the ISSM/ISSO. |
Access Control For Mobile Devices | Restrictions For Classified Information |
AC-19 (4) |
AC-19(4).5 |
Related controls: CA-6, IR-4. |
The organization:
(a) Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and
(b) Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information:
(1) Connection of unclassified mobile devices to classified information systems is prohibited;
(2) Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official;
(3) Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and
(4) Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed.
(c) Restricts the connection of classified mobile devices to classified information systems in accordance with [Assignment: organization-defined security policies]. |
| CCI-001335 |
The organization defines security officials to perform reviews and inspections of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the security officials as the ISSM/ISSO. |
DoD has defined the security officials as the ISSM/ISSO. |
Access Control For Mobile Devices | Restrictions For Classified Information |
AC-19 (4) |
AC-19(4).6 |
Related controls: CA-6, IR-4. |
The organization:
(a) Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and
(b) Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information:
(1) Connection of unclassified mobile devices to classified information systems is prohibited;
(2) Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official;
(3) Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and
(4) Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed.
(c) Restricts the connection of classified mobile devices to classified information systems in accordance with [Assignment: organization-defined security policies]. |
| CCI-000093 |
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to access the information system from the external information systems. |
The organization conducting the inspection/assessment obtains and examines the documented terms and conditions to ensure the organization being inspected/assessed establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to access the information system from the external information systems. |
The organization being inspected/assessed establishes and documents terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to access the information system from the external information systems. |
Use Of External Information Systems |
AC-20 |
AC-20.1 |
External information systems are information systems or components of information systems that are outside of the authorization boundary established by organizations and for which organizations typically have no direct supervision and authority over the application of required security controls or the assessment of control effectiveness. External information systems include, for example: (i) personally owned information systems/devices (e.g., notebook computers, smart phones, tablets, personal digital assistants); (ii) privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, train stations, convention centers, shopping malls, or airports); (iii) information systems owned or controlled by nonfederal governmental organizations; and (iv) federal information systems that are not owned by, operated by, or under the direct supervision and authority of organizations. This control also addresses the use of external information systems for the processing, storage, or transmission of organizational information, including, for example, accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational information systems.
For some external information systems (i.e., information systems operated by other federal agencies, including organizations subordinate to those agencies), the trust relationships that have been established between those organizations and the originating organization may be such, that no explicit terms and conditions are required. Information systems within these organizations would not be considered external. These situations occur when, for example, there are pre-existing sharing/trust agreements (either implicit or explicit) established between federal agencies or organizations subordinate to those agencies, or when such trust agreements are specified by applicable laws, Executive Orders, directives, or policies. Authorized individuals include, for example, organizational personnel, contractors, or other individuals with authorized access to organizational information systems and over which organizations have the authority to impose rules of behavior with regard to system access. Restrictions that organizations impose on authorized individuals need not be uniform, as those restrictions may vary depending upon the trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.
This control does not apply to the use of external information systems to access public interfaces to organizational information systems (e.g., individuals accessing federal information through www.usa.gov). Organizations establish terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: types of applications that can be accessed on organizational information systems from external information systems; and the highest security category of information that can be processed, stored, or transmitted on external information systems. If terms and conditions with the owners of external information systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems. Related controls: AC-3, AC-17, AC-19, CA-3, PL-4, SA-9. |
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
a. Access the information system from external information systems; and
b. Process, store, or transmit organization-controlled information using external information systems. |
| CCI-000094 |
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to process organization-controlled information using the external information systems. |
|
|
|
|
|
|
|
| CCI-000095 |
The organization prohibits authorized individuals from using an external information system to access the information system except in situations where the organization can verify the implementation of required security controls on the external system as specified in the organization^s information security policy and security plan. |
|
|
|
|
|
|
|
| CCI-000096 |
The organization prohibits authorized individuals from using an external information system to access the information system or to process, store, or transmit organization-controlled information except in situations where the organization has approved information system connection or processing agreements with the organizational entity hosting the external information system. |
|
|
|
|
|
|
|
| CCI-000097 |
The organization restricts or prohibits the use of organization-controlled portable storage devices by authorized individuals on external information systems. |
The organization conducting the inspection/assessment obtains and examines |
The organization being inspected/assessed |
Use Of External Information Systems | Portable Storage Devices |
AC-20 (2) |
AC-20(2).1 |
Limits on the use of organization-controlled portable storage devices in external information systems include, for example, complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used. |
The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems. |
| CCI-001465 |
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to store organization-controlled information using the external information systems. |
|
|
|
|
|
|
|
| CCI-001466 |
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to transmit organization-controlled information using the external information systems. |
|
|
|
|
|
|
|
| CCI-001467 |
The organization prohibits authorized individuals from using an external information system to process organization-controlled information except in situations where the organization can verify the implementation of required security controls on the external system as specified in the organization^s information security policy and security plan. |
|
|
|
|
|
|
|
| CCI-001468 |
The organization prohibits authorized individuals from using an external information system to store organization-controlled information except in situations where the organization can verify the implementation of required security controls on the external system as specified in the organization^s information security policy and security plan. |
|
|
|
|
|
|
|
| CCI-001469 |
The organization prohibits authorized individuals from using an external information system to transmit organization-controlled information except in situations where the organization can verify the implementation of required security controls on the external system as specified in the organization^s information security policy and security plan. |
|
|
|
|
|
|
|
| CCI-000098 |
The organization facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for organization-defined information circumstances where user discretion is required. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed determines whether access authorizations assigned to the sharing partner match the access restrictions on the information for information circumstances defined in AC-21, CCI 1470 where user discretion is required. |
The organization being inspected/assessed documents and implements a process to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for information circumstances defined in AC-21, CCI 1470 where user discretion is required. |
Information Sharing |
AC-21 |
AC-21.1 |
This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program/compartment. Related control: AC-3. |
The organization:
a. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and
b. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions. |
| CCI-000099 |
The information system enforces information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 99. |
The organization being inspected/assessed configures the information system to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 99. |
Information Sharing | Automated Decision Support |
AC-21 (1) |
AC-21(1).1 |
|
The information system enforces information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared. |
| CCI-001470 |
The organization defines information sharing circumstances where user discretion is required. |
The organization conducting the inspection/assessment obtains and examines the documented information sharing circumstances to ensure the organization being inspected/assessed defines information sharing circumstances where user discretion is required.
DoD has determined the information sharing circumstances are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents information sharing circumstances where user discretion is required.
DoD has determined the information sharing circumstances are not appropriate to define at the Enterprise level. |
Information Sharing |
AC-21 |
AC-21.2 |
This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program/compartment. Related control: AC-3. |
The organization:
a. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and
b. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions. |
| CCI-001471 |
The organization employs organization-defined automated mechanisms or manual processes required to assist users in making information sharing/collaboration decisions. |
The organization conducting the inspection/assessment obtains and examines the documented process defined per AC-21, CCI 1472 to ensure the organization being inspected/assessed assists users in making information sharing/collaboration decisions. |
The organization being inspected/assessed implements the process defined in AC-21, CCI 1472 to assist users in making information sharing/collaboration decisions. |
Information Sharing |
AC-21 |
AC-21.3 |
This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program/compartment. Related control: AC-3. |
The organization:
a. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and
b. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions. |
| CCI-001472 |
The organization defines the automated mechanisms or manual processes required to assist users in making information sharing/collaboration decisions. |
The organization conducting the inspection/assessment obtains and examines the documented automated mechanisms to ensure the organization being inspected/assessed defines the automated mechanisms or manual processes required to assist users in making information sharing/collaboration decisions.
DoD has determined the automated mechanisms or manual processes are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the automated mechanisms or manual processes required to assist users in making information sharing/collaboration decisions.
DoD has determined the automated mechanisms or manual processes are not appropriate to define at the Enterprise level. |
Information Sharing |
AC-21 |
AC-21.4 |
This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program/compartment. Related control: AC-3. |
The organization:
a. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and
b. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions. |
| CCI-000106 |
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors) as part of initial training for new users. |
DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DISA's DoD IA awareness CBT is the DoD baseline standard.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. |
DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DISA's DoD IA awareness CBT is the DoD baseline standard.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. |
Security Awareness Training |
AT-2 |
AT-2.2 |
Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events. Related controls: AT-3, AT-4, PL-4. |
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):
a. As part of initial training for new users;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter. |
| CCI-000107 |
The organization includes practical exercises in security awareness training that simulate actual cyber attacks. |
DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DISA's DoD IA awareness CBT is the DoD baseline standard.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. |
DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DISA's DoD IA awareness CBT is the DoD baseline standard.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. |
Security Awareness | Practical Exercises |
AT-2 (1) |
AT-2(1).1 |
Practical exercises may include, for example, no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking, via spear phishing attacks, malicious web links. Related controls: CA-2, CA-7, CP-4, IR-3. |
The organization includes practical exercises in security awareness training that simulate actual cyber attacks. |
| CCI-000112 |
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors) when required by information system changes. |
DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DISA's DoD IA awareness CBT is the DoD baseline standard.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. |
DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DISA's DoD IA awareness CBT is the DoD baseline standard.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. |
Security Awareness Training |
AT-2 |
AT-2.3 |
Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events. Related controls: AT-3, AT-4, PL-4. |
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):
a. As part of initial training for new users;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter. |
| CCI-001479 |
The organization provides refresher security awareness training to all information system users (including managers, senior executives, and contractors) in accordance with the organization-defined frequency. |
DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DISA's DoD IA awareness CBT is the DoD baseline standard.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. |
DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DISA's DoD IA awareness CBT is the DoD baseline standard.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. |
Security Awareness Training |
AT-2 |
AT-2.4 |
Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events. Related controls: AT-3, AT-4, PL-4. |
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):
a. As part of initial training for new users;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter. |
| CCI-001480 |
The organization defines the frequency for providing refresher security awareness training to all information system users (including managers, senior executives, and contractors). |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level (DoDD 8570.01).
DoD has defined the frequency as annually. |
DoD has defined the frequency as annually. |
Security Awareness Training |
AT-2 |
AT-2.1 |
Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events. Related controls: AT-3, AT-4, PL-4. |
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):
a. As part of initial training for new users;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter. |
| CCI-000113 |
The organization documents individual information system security training activities, including basic security awareness training and specific information system security training. |
The organization conducting the inspection/assessment obtains and examines the security awareness training activities to ensure the organization being inspected/assessed documents training activities to include basic security awareness training (per AT-2) and role-based security related training (per AT-3) IAW DoD 8570.01M. |
The organization being inspected/assessed identifies and documents training activities to include basic security awareness training (per AT-2) and role-based security related training (per AT-3) IAW DoD 8570.01M. |
Security Training Records |
AT-4 |
AT-4.1 |
Documentation for specialized training may be maintained by individual supervisors at the option of the organization. Related controls: AT-2, AT-3, PM-14. |
The organization:
a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and
b. Retains individual training records for [Assignment: organization-defined time period]. |
| CCI-000114 |
The organization monitors individual information system security training activities, including basic security awareness training and specific information system security training. |
The organization conducting the inspection/assessment obtains and examines records identifying personnel who have received training and the date the training was received |
The organization being inspected/assessed maintains and monitors records identifying personnel who have received training and the date the training was received |
Security Training Records |
AT-4 |
AT-4.2 |
Documentation for specialized training may be maintained by individual supervisors at the option of the organization. Related controls: AT-2, AT-3, PM-14. |
The organization:
a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and
b. Retains individual training records for [Assignment: organization-defined time period]. |
| CCI-001336 |
The organization retains individual training records for an organization-defined time period. |
The organization conducting the inspection/assessment obtains and examines training records to ensure records have been maintained for at least 5 years or 5 years after completion of a specific training program.
DoD has defined the frequency as at least 5 years or 5 years after completion of a specific training program. |
The organization being inspected/assessed will maintain records training records for at least 5 years or 5 years after completion of a specific training program.
DoD has defined the frequency as at least 5 years or 5 years after completion of a specific training program. |
Security Training Records |
AT-4 |
AT-4.3 |
Documentation for specialized training may be maintained by individual supervisors at the option of the organization. Related controls: AT-2, AT-3, PM-14. |
The organization:
a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and
b. Retains individual training records for [Assignment: organization-defined time period]. |
| CCI-001337 |
The organization defines a time period for retaining individual training records. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as at least 5 years or 5 years after completion of a specific training program. |
DoD has defined the frequency as at least 5 years or 5 years after completion of a specific training program. |
Security Training Records |
AT-4 |
AT-4.4 |
Documentation for specialized training may be maintained by individual supervisors at the option of the organization. Related controls: AT-2, AT-3, PM-14. |
The organization:
a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and
b. Retains individual training records for [Assignment: organization-defined time period]. |
| CCI-000115 |
The organization establishes contact with selected groups and associations within the security community to facilitate ongoing security education and training; to stay up to date with the latest recommended security practices, techniques, and technologies; and to share current security-related information including threats, vulnerabilities, and incidents. |
|
|
|
|
|
|
|
| CCI-000116 |
The organization institutionalizes contact with selected groups and associations within the security community to facilitate ongoing security education and training; to stay up to date with the latest recommended security practices, techniques, and technologies; and to share current security-related information including threats, vulnerabilities, and incidents. |
|
|
|
|
|
|
|
| CCI-000130 |
The information system generates audit records containing information that establishes what type of event occurred. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to generate audit records containing information that establishes what type of event occurred. The organization conducting the inspection/assessment reviews the audit records generated to ensure that the records contain information that establishes what type of event occurred.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 130. |
The organization being inspected/assessed configures the information system to generate audit records containing information that establishes what type of event occurred
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 130. |
Content Of Audit Records |
AU-3 |
AU-3.1 |
Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). Related controls: AU-2, AU-8, AU-12, SI-11. |
The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event. |
| CCI-000131 |
The information system generates audit records containing information that establishes when an event occurred. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to generate audit records containing information that establishes when an event occurred. The organization conducting the inspection/assessment reviews the audit records generated to ensure that the records contain information that establishes when an event occurred.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 131. |
The organization being inspected/assessed configures the information system to generate audit records containing information that establishes when an event occurred
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 131. |
Content Of Audit Records |
AU-3 |
AU-3.2 |
Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). Related controls: AU-2, AU-8, AU-12, SI-11. |
The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event. |
| CCI-000132 |
The information system generates audit records containing information that establishes where the event occurred. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to generate audit records containing information that establishes where the event occurred. The organization conducting the inspection/assessment reviews the audit records generated to ensure that the records contain information that establishes where the event occurred.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 132. |
The organization being inspected/assessed configures the information system to generate audit records containing information that establishes where the event occurred
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 132. |
Content Of Audit Records |
AU-3 |
AU-3.3 |
Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). Related controls: AU-2, AU-8, AU-12, SI-11. |
The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event. |
| CCI-000133 |
The information system generates audit records containing information that establishes the source of the event. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to generate audit records containing information that establishes the source of the event. The organization conducting the inspection/assessment reviews the audit records generated to ensure that the records contain information that establishes the source of the event.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 133. |
The organization being inspected/assessed configures the information system to generate audit records containing information that establishes the source of the event.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 133. |
Content Of Audit Records |
AU-3 |
AU-3.4 |
Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). Related controls: AU-2, AU-8, AU-12, SI-11. |
The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event. |
| CCI-000134 |
The information system generates audit records containing information that establishes the outcome of the event. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to generate audit records containing information that establishes the outcome of the event. The organization conducting the inspection/assessment reviews the audit records generated to ensure that the records contain information that establishes the outcome of the event.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 134. |
The organization being inspected/assessed configures the information system to generate audit records containing information that establishes the outcome of the event.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 134. |
Content Of Audit Records |
AU-3 |
AU-3.5 |
Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). Related controls: AU-2, AU-8, AU-12, SI-11. |
The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event. |
| CCI-000135 |
The information system generates audit records containing the organization-defined additional, more detailed information that is to be included in the audit records. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to generate audit records containing the organization defined additional, more detailed information as defined in AU-3 (1), CCI 1488 that is to be included in the audit records. The organization conducting the inspection/assessment reviews the audit records generated to ensure that the records contain organization defined additional, more detailed information that is to be included in the audit records.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 135. |
The organization being inspected/assessed configures the information system to generate audit records containing the organization defined additional, more detailed information as defined in AU-3 (1), CCI 1488 that is to be included in the audit records.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 135. |
Content Of Audit Records | Additional Audit Information |
AU-3 (1) |
AU-3(1).1 |
Detailed information that organizations may consider in audit records includes, for example, full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. |
The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information]. |
| CCI-000136 |
The organization centrally manages the content of audit records generated by organization-defined information system components. |
|
|
|
|
|
|
|
| CCI-001487 |
The information system generates audit records containing information that establishes the identity of any individuals or subjects associated with the event. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to generate audit records containing information that establishes the identity of any individuals or subjects associated with the event. The organization conducting the inspection/assessment reviews the audit records generated to ensure that the records contain information that establishes the identity of any individuals or subjects associated with the event.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1487. |
The organization being inspected/assessed configures the information system to generate audit records containing information that establishes the identity of any individuals or subjects associated with the event.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1487. |
Content Of Audit Records |
AU-3 |
AU-3.6 |
Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). Related controls: AU-2, AU-8, AU-12, SI-11. |
The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event. |
| CCI-001488 |
The organization defines additional, more detailed information to be included in the audit records. |
The organization conducting the inspection/assessment obtains and examines the documented list of additional more detailed information to be included in the audit records to ensure that:
1. The list is defined; and
2. The list includes full-text recording of privileged commands or the individual identities of group account users.
DoD has determined that additional, more detailed information must include, at a minimum, full-text recording of privileged commands or the individual identities of group account users. DoD has determined that it is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents additional, more detailed information to be included in the audit records. The additional information must include at a minimum, full-text recording of privileged commands or the individual identities of group account users. The additional information must provide sufficient detail to reconstruct events to determine cause of compromise and magnitude of damage, malfunction, or security violation.
DoD has determined that additional, more detailed information must include, at a minimum, full-text recording of privileged commands or the individual identities of group account users. DoD has determined that all additional, more detailed information is not appropriate to define at the Enterprise level. |
Content Of Audit Records | Additional Audit Information |
AU-3 (1) |
AU-3(1).2 |
Detailed information that organizations may consider in audit records includes, for example, full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. |
The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information]. |
| CCI-001489 |
The organization defines information system components for which generated audit records are centrally managed by the organization. |
|
|
|
|
|
|
|
| CCI-000137 |
The organization allocates audit record storage capacity. |
|
|
|
|
|
|
|
| CCI-000138 |
The organization configures auditing to reduce the likelihood of storage capacity being exceeded. |
|
|
|
|
|
|
|
| CCI-000148 |
The organization reviews and analyzes information system audit records on an organization-defined frequency for indications of organization-defined inappropriate or unusual activity. |
The organization conducting the inspection/assessment obtains and examines the documented process for audit trail reviews as well as the audit trail showing the reviews to ensure the organization being inspected/assessed reviews and analyzes information system audit records every seven days or more frequently if required by an alarm event or anomaly for indications of activity defined in AU-6, CCI 1862.
DoD has defined the frequency as every seven days or more frequently if required by an alarm event or anomaly. |
The organization being inspected/assessed documents and implements a process to review and analyze information system audit records every seven days or more frequently if required by an alarm event or anomaly for indications of activity defined in AU-6, CCI 1862.
The organization must maintain an audit trail of the reviews.
DoD has defined the frequency as every seven days or more frequently if required by an alarm event or anomaly. |
Audit Review, Analysis, And Reporting |
AU-6 |
AU-6.1 |
Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review/analysis may be carried out by other organizations granted such authority. Related controls: AC-2, AC-3, AC-6, AC-17, AT-3, AU-7, AU-16, CA-7, CM-5, CM-10, CM-11, IA-3, IA-5, IR-5, IR-6, MA-4, MP-4, PE-3, PE-6, PE-14, PE-16, RA-5, SC-7, SC-18, SC-19, SI-3, SI-4, SI-7. |
The organization:
a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and
b. Reports findings to [Assignment: organization-defined personnel or roles]. |
| CCI-000149 |
The organization reports any findings to organization-defined personnel or roles for indications of organization-defined inappropriate or unusual activity. |
The organization conducting the inspection/assessment obtains and examines the documented process for reporting findings as well as a sampling of historical reports to ensure the organization being inspected/assessed reports any findings of inappropriate or unusual activity as defined in AU-6, CCI 1862 to at a minimum, the ISSO and ISSM.
DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. |
The organization being inspected/assessed documents and implements a process for reporting any findings of inappropriate or unusual activity as defined in AU-6, CCI 1862 to at a minimum, the ISSO and ISSM.
DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. |
Audit Review, Analysis, And Reporting |
AU-6 |
AU-6.4 |
Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review/analysis may be carried out by other organizations granted such authority. Related controls: AC-2, AC-3, AC-6, AC-17, AT-3, AU-7, AU-16, CA-7, CM-5, CM-10, CM-11, IA-3, IA-5, IR-5, IR-6, MA-4, MP-4, PE-3, PE-6, PE-14, PE-16, RA-5, SC-7, SC-18, SC-19, SI-3, SI-4, SI-7. |
The organization:
a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and
b. Reports findings to [Assignment: organization-defined personnel or roles]. |
| CCI-000150 |
The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk to organizational operations, organizational assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information. |
|
|
|
|
|
|
|
| CCI-000151 |
The organization defines the frequency for the review and analysis of information system audit records for organization-defined inappropriate or unusual activity. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as every seven days or more frequently if required by an alarm event or anomaly. |
DoD has defined the frequency as every seven days or more frequently if required by an alarm event or anomaly. |
Audit Review, Analysis, And Reporting |
AU-6 |
AU-6.2 |
Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review/analysis may be carried out by other organizations granted such authority. Related controls: AC-2, AC-3, AC-6, AC-17, AT-3, AU-7, AU-16, CA-7, CM-5, CM-10, CM-11, IA-3, IA-5, IR-5, IR-6, MA-4, MP-4, PE-3, PE-6, PE-14, PE-16, RA-5, SC-7, SC-18, SC-19, SI-3, SI-4, SI-7. |
The organization:
a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and
b. Reports findings to [Assignment: organization-defined personnel or roles]. |
| CCI-000152 |
The information system integrates audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. |
|
|
|
|
|
|
|
| CCI-000153 |
The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of analysis to ensure the organization being inspected/assessed analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. |
The organization being inspected/assessed documents and implements a process to analyze and correlate audit records across different repositories to gain organization-wide situational awareness.
The organization must maintain a record of the analysis. |
Audit Review, Analysis, And Reporting | Correlate Audit Repositories |
AU-6 (3) |
AU-6(3).1 |
Organization-wide situational awareness includes awareness across all three tiers of risk management (i.e., organizational, mission/business process, and information system) and supports cross-organization awareness. Related controls: AU-12, IR-4. |
The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. |
| CCI-000154 |
The information system provides the capability to centrally review and analyze audit records from multiple components within the system. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to provide a capability to centrally review and analyze audit records from multiple components within the system.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 154. |
The organization being inspected/assessed configures the information system to provide a capability to centrally review and analyze audit records from multiple components within the system.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 154. |
Audit Review, Analysis, And Reporting | Central Review And Analysis |
AU-6 (4) |
AU-6(4).1 |
Automated mechanisms for centralized reviews and analyses include, for example, Security Information Management products. Related controls: AU-2, AU-12. |
The information system provides the capability to centrally review and analyze audit records from multiple components within the system. |
| CCI-000155 |
The organization integrates analysis of audit records with analysis of vulnerability scanning information, performance data, and network monitoring information to further enhance the ability to identify inappropriate or unusual activity. |
|
|
|
|
|
|
|
| CCI-001344 |
The organization specifies the permitted actions for each authorized information system process, role, and/or user in the audit and accountability policy. |
|
|
|
|
|
|
|
| CCI-001345 |
The organization employs automated mechanisms to alert security personnel of any organization-defined inappropriate or unusual activities with security implications. |
|
|
|
|
|
|
|
| CCI-001346 |
The organization defines a list of inappropriate or unusual activities with security implications that are to result in alerts to security personnel. |
|
|
|
|
|
|
|
| CCI-001347 |
The organization performs, in a physically dedicated information system, full-text analysis of privileged functions executed. |
|
|
|
|
|
|
|
| CCI-001491 |
The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. |
The organization conducting the inspection/assessment obtains and examines the documented process and correlated results to ensure the organization being inspected/assessed correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. |
The organization being inspected/assessed will document and implement a process to correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. |
Audit Review, Analysis, And Reporting | Correlation With Physical Monitoring |
AU-6 (6) |
AU-6(6).1 |
The correlation of physical audit information and audit logs from information systems may assist organizations in identifying examples of suspicious behavior or supporting evidence of such behavior. For example, the correlation of an individual's identity for logical access to certain information systems with the additional physical security information that the individual was actually present at the facility when the logical access occurred, may prove to be useful in investigations. |
The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. |
| CCI-000156 |
The information system provides an audit reduction capability. |
|
|
|
|
|
|
|
| CCI-000157 |
The information system provides a report generation capability. |
|
|
|
|
|
|
|
| CCI-000158 |
The information system provides the capability to process audit records for events of interest based on organization-defined audit fields within audit records. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed employs information systems that provides the capability to process audit records for events of interest based on audit fields within audit records as defined in AU-7 (1), CCI 1883.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 158. |
The organization being inspected/assessed must employ information systems that provide the capability to process audit records for events of interest based on audit fields within audit records defined in AU-7 (1), CCI 1883.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 158. |
Audit Reduction And Report Generation | Automatic Processing |
AU-7 (1) |
AU-7(1).1 |
Events of interest can be identified by the content of specific audit record fields including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific information system component. Related controls: AU-2, AU-12. |
The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records]. |
| CCI-000159 |
The information system uses internal system clocks to generate time stamps for audit records. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to use internal system clocks to generate time stamps for audit records.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 159. |
The organization being inspected/assessed configures the information system to use internal system clocks to generate time stamps for audit records.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 159. |
Time Stamps |
AU-8 |
AU-8.1 |
Time stamps generated by the information system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds. Organizations may define different time granularities for different system components. Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities. Related controls: AU-3, AU-12. |
The information system:
a. Uses internal system clocks to generate time stamps for audit records; and
b. Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement]. |
| CCI-000160 |
The information system synchronizes internal information system clocks on an organization-defined frequency with an organization-defined authoritative time source. |
|
|
|
|
|
|
|
| CCI-000161 |
The organization defines the frequency for the synchronization of internal information system clocks. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as every 24 hours for networked systems. |
DoD has defined the frequency as every 24 hours for networked systems. |
Time Stamps | Synchronization With Authoritative Time Source |
AU-8 (1) |
AU-8(1).1 |
This control enhancement provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. |
The information system:
(a) Compares the internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and
(b) Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period]. |
| CCI-001492 |
The organization defines an authoritative time source for the synchronization of internal information system clocks. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the authoritative time source as an authoritative time server which is synchronized with redundant United States Naval Observatory (USNO) time servers as designated for the appropriate DoD network (NIPRNet / SIPRNet) and/or the Global Positioning System (GPS). |
DoD has defined the authoritative time source as an authoritative time server which is synchronized with redundant United States Naval Observatory (USNO) time servers as designated for the appropriate DoD network (NIPRNet / SIPRNet) and/or the Global Positioning System (GPS). |
Time Stamps | Synchronization With Authoritative Time Source |
AU-8 (1) |
AU-8(1).2 |
This control enhancement provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. |
The information system:
(a) Compares the internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and
(b) Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period]. |
| CCI-000166 |
The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed protects against an individual falsely denying having performed actions to be covered by non-repudiation defined in DoDI 8520.02 and DoDI 8520.03.
DoDI 8520.02 and DoDI 8520.03 meet the DoD requirement to define the actions to be covered by non-repudiation.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 166. |
The organization being inspected/assessed configures the information system to protect against an individual falsely denying having performed actions to be covered by non-repudiation defined in DoDI 8520.02 and DoDI 8520.03.
DoDI 8520.02 and DoDI 8520.03 meet the DoD requirement to define the actions to be covered by non-repudiation.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 166. |
Non-Repudiation |
AU-10 |
AU-10.1 |
Types of individual actions covered by non-repudiation include, for example, creating information, sending and receiving messages, approving information (e.g., indicating concurrence or signing a contract). Non-repudiation protects individuals against later claims by: (i) authors of not having authored particular documents; (ii) senders of not having transmitted messages; (iii) receivers of not having received messages; or (iv) signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from a particular individual, or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request) or received specific information. Organizations obtain non-repudiation services by employing various techniques or mechanisms (e.g., digital signatures, digital message receipts). Related controls: SC-12, SC-8, SC-13, SC-16, SC-17, SC-23. |
The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed [Assignment: organization-defined actions to be covered by non-repudiation]. |
| CCI-001338 |
The information system associates the identity of the information producer with the information. |
|
|
|
|
|
|
|
| CCI-001339 |
The information system validates the binding of the information producer's identity to the information. |
|
|
|
|
|
|
|
| CCI-001340 |
The information system maintains reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to maintain reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1340. |
The organization being inspected/assessed configures the information system to maintain reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1340. |
Non-Repudiation | Chain Of Custody |
AU-10 (3) |
AU-10(3).1 |
Chain of custody is a process that tracks the movement of evidence through its collection, safeguarding, and analysis life cycle by documenting each person who handled the evidence, the date and time it was collected or transferred, and the purpose for the transfer. If the reviewer is a human or if the review function is automated but separate from the release/transfer function, the information system associates the identity of the reviewer of the information to be released with the information and the information label. In the case of human reviews, this control enhancement provides organizational officials the means to identify who reviewed and released the information. In the case of automated reviews, this control enhancement ensures that only approved review functions are employed. Related controls: AC-4, AC-16. |
The information system maintains reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released. |
| CCI-001341 |
The information system validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer between organization-defined security domains. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to validate the binding of the information reviewers identity at the transfer or release points between security domains defined in AU-10 (4), CCI 1907. |
The organization being inspected/assessed configures the information system to validate the binding of the information reviewers identity at the transfer or release points between security domains defined in AU-10 (4), CCI 1907. |
Non-Repudiation | Validate Binding Of Information Reviewer Identity |
AU-10 (4) |
AU-10(4).1 |
This control enhancement prevents the modification of information between review and transfer/release. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Organizations determine validations are in response to user requests or generated automatically. Related controls: AC-4, AC-16. |
The information system:
(a) Validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer between [Assignment: organization-defined security domains]; and
(b) Performs [Assignment: organization-defined actions] in the event of a validation error. |
| CCI-001342 |
The organization employs either FIPS-validated or NSA-approved cryptography to implement digital signatures. |
|
|
|
|
|
|
|
| CCI-001148 |
The organization employs FIPS-validated or NSA-approved cryptography to implement digital signatures. |
|
|
|
|
|
|
|
| CCI-000167 |
The organization retains audit records for an organization-defined time period to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. |
The organization conducting the inspection/assessment reviews the information system audit records and any other relevant documents or records to ensure the organization being inspected/assessed retains its audit records for 5 years for SAMI; otherwise for at least 1 year.
DoD has defined the time period as 5 years for SAMI; otherwise for at least 1 year. |
The organization being inspected/assessed will take action to ensure it retains audit records for 5 years for SAMI; otherwise for at least 1 year to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
DoD has defined the time period as 5 years for SAMI; otherwise for at least 1 year. |
Audit Record Retention |
AU-11 |
AU-11.1 |
Organizations retain audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention. Related controls: AU-4, AU-5, AU-9, MP-6. |
The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. |
| CCI-000168 |
The organization defines the time period for retention of audit records, which is consistent with its records retention policy, to provide support for after-the-fact investigations of security incidents and meet regulatory and organizational information retention requirements. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as 5 years for SAMI; otherwise for at least 1 year. |
DoD has defined the time period as 5 years for SAMI; otherwise for at least 1 year. |
Audit Record Retention |
AU-11 |
AU-11.2 |
Organizations retain audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention. Related controls: AU-4, AU-5, AU-9, MP-6. |
The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. |
| CCI-000206 |
The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 206. |
The organization being inspected/assessed configures the information system to obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 206. |
Authenticator Feedback |
IA-6 |
IA-6.1 |
The feedback from information systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of information systems or system components, for example, desktops/notebooks with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with 2-4 inch screens, this threat may be less significant, and may need to be balanced against the increased likelihood of typographic input errors due to the small keyboards. Therefore, the means for obscuring the authenticator feedback is selected accordingly. Obscuring the feedback of authentication information includes, for example, displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before fully obscuring it. Related control: PE-18. |
The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized
individuals. |
| CCI-000209 |
The organization develops the results of information security measures of performance. |
The Federal Information Systems Management Act (FISMA) meets the DoD requirements for information security performance measures of performance.
DoD organizations are automatically compliant with this CCI as they are covered at the DoD level by FISMA. |
The Federal Information Systems Management Act (FISMA) meets the DoD requirements for information security performance measures of performance. |
Information Security Measures Of Performance |
PM-6 |
PM-6.1 |
Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security program and the security controls employed in support of the program. |
The organization develops, monitors, and reports on the results of information security measures of performance. |
| CCI-000210 |
The organization monitors the results of information security measures of performance. |
The Federal Information Systems Management Act (FISMA) meets the DoD requirements for information security performance measures of performance.
DoD organizations are automatically compliant with this CCI as they are covered at the DoD level by FISMA. |
The Federal Information Systems Management Act (FISMA) meets the DoD requirements for information security performance measures of performance. |
Information Security Measures Of Performance |
PM-6 |
PM-6.2 |
Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security program and the security controls employed in support of the program. |
The organization develops, monitors, and reports on the results of information security measures of performance. |
| CCI-000211 |
The organization reports on the results of information security measures of performance. |
The organization conducting the inspection/assessment obtains and examines FISMA reporting documentation. |
The organization being inspected/assessed reports the results of information security measures of performance IAW FISMA reporting guidance. |
Information Security Measures Of Performance |
PM-6 |
PM-6.3 |
Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security program and the security controls employed in support of the program. |
The organization develops, monitors, and reports on the results of information security measures of performance. |
| CCI-000212 |
The organization develops an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation. |
The GIG IA Architecture meets the DoD requirements for enterprise architecture.
DoD components are automatically compliant with this CCI as they covered at the DoD level. |
The GIG IA Architecture meets the DoD requirements for enterprise architecture.
DoD components are automatically compliant with this CCI as they covered at the DoD level. |
Enterprise Architecture |
PM-7 |
PM-7.1 |
The enterprise architecture developed by the organization is aligned with the Federal Enterprise Architecture. The integration of information security requirements and associated security controls into the organization's enterprise architecture helps to ensure that security considerations are addressed by organizations early in the system development life cycle and are directly and explicitly related to the organization's mission/business processes. This process of security requirements integration also embeds into the enterprise architecture, an integral information security architecture consistent with organizational risk management and information security strategies. For PM-7, the information security architecture is developed at a system-of-systems level (organization-wide), representing all of the organizational information systems. For PL-8, the information security architecture is developed at a level representing an individual information system but at the same time, is consistent with the information security architecture defined for the organization. Security requirements and security control integration are most effectively accomplished through the application of the Risk Management Framework and supporting security standards and guidelines. The Federal Segment Architecture Methodology provides guidance on integrating information security requirements and security controls into enterprise architectures. Related controls: PL-2, PL-8, PM-11, RA-2, SA-3. |
The organization develops an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.
|
| CCI-000078 |
The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program. |
DoD organizations are automatically compliant with this CCI as they are covered by the appointment of the DoD SISO. |
The Deputy DoD CIO for Cyber Security is the DoD Senior Information Security Officer (SISO), appointed in writing with the mission and resources to coordinate, develop, implement and maintain a DoD-wide information security program. |
Senior Information Security Officer |
PM-2 |
PM-2.1 |
The security officer described in this control is an organizational official. For a federal agency (as defined in applicable federal laws, Executive Orders, directives, policies, or regulations) this official is the Senior Agency Information Security Officer. Organizations may also refer to this official as the Senior Information Security Officer or Chief Information Security Officer. |
The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program. |
| CCI-000080 |
The organization ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement. |
The organization being inspected/assessed documents and implements a process to ensure that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement. |
Information Security Resources |
PM-3 |
PM-3.1 |
Organizations consider establishing champions for information security efforts and as part of including the necessary resources, assign specialized expertise and resources as needed. Organizations may designate and empower an Investment Review Board (or similar group) to manage and provide oversight for the information security-related aspects of the capital planning and investment control process. Related controls: PM-4, SA-2. |
The organization:
a. Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement;
b. Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and
c. Ensures that information security resources are available for expenditure as planned. |
| CCI-000081 |
The organization employs a business case/Exhibit 300/Exhibit 53 to record the resources required. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed employs a business case/Exhibit 300/Exhibit 53 to record the resources required. |
The organization being inspected/assessed documents and implements a process to employ a business case/Exhibit 300/Exhibit 53 to record the resources required. |
Information Security Resources |
PM-3 |
PM-3.2 |
Organizations consider establishing champions for information security efforts and as part of including the necessary resources, assign specialized expertise and resources as needed. Organizations may designate and empower an Investment Review Board (or similar group) to manage and provide oversight for the information security-related aspects of the capital planning and investment control process. Related controls: PM-4, SA-2. |
The organization:
a. Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement;
b. Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and
c. Ensures that information security resources are available for expenditure as planned. |
| CCI-000141 |
The organization ensures that information security resources are available for expenditure as planned. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed ensure that information security resources are available for expenditure as planned. |
The organization being inspected/assessed documents and implements a process to ensure that information security resources are available for expenditure as planned. |
Information Security Resources |
PM-3 |
PM-3.3 |
Organizations consider establishing champions for information security efforts and as part of including the necessary resources, assign specialized expertise and resources as needed. Organizations may designate and empower an Investment Review Board (or similar group) to manage and provide oversight for the information security-related aspects of the capital planning and investment control process. Related controls: PM-4, SA-2. |
The organization:
a. Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement;
b. Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and
c. Ensures that information security resources are available for expenditure as planned. |
| CCI-000142 |
The organization implements a process for ensuring that plans of action and milestones for the security program and the associated organizational information systems are maintained. |
DoDI 8510.01 and the Knowledge Service meet the DoD requirements to maintain a process for plans of action and milestones for the security program.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01 and the Knowledge Service. |
DoDI 8510.01 and the Knowledge Service meet the DoD requirements to maintain a process for plans of action and milestones for the security program.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01 and the Knowledge Service. |
Plan Of Action And Milestones Process |
PM-4 |
PM-4.1 |
The plan of action and milestones is a key document in the information security program and is subject to federal reporting requirements established by OMB. With the increasing emphasis on organization-wide risk management across all three tiers in the risk management hierarchy (i.e., organization, mission/business process, and information system), organizations view plans of action and milestones from an organizational perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from security control assessments and continuous monitoring activities. OMB FISMA reporting guidance contains instructions regarding organizational plans of action and milestones. Related control: CA-5. |
The organization:
a. Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems:
1. Are developed and maintained;
2. Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and
3. Are reported in accordance with OMB FISMA reporting requirements.
b. Reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. |
| CCI-000170 |
The organization implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation. |
DoDI 8510.01 and the Knowledge Service meet the DoD requirements to maintain a process to document the remedial information security actions that mitigate risk to organizational operations and assets, individuals, other organizations, and the Nation.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01 and the Knowledge Service. |
DoDI 8510.01 and the Knowledge Service meet the DoD requirements to maintain a process to document the remedial information security actions that mitigate risk to organizational operations and assets, individuals, other organizations, and the Nation.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01 and the Knowledge Service. |
Plan Of Action And Milestones Process |
PM-4 |
PM-4.3 |
The plan of action and milestones is a key document in the information security program and is subject to federal reporting requirements established by OMB. With the increasing emphasis on organization-wide risk management across all three tiers in the risk management hierarchy (i.e., organization, mission/business process, and information system), organizations view plans of action and milestones from an organizational perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from security control assessments and continuous monitoring activities. OMB FISMA reporting guidance contains instructions regarding organizational plans of action and milestones. Related control: CA-5. |
The organization:
a. Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems:
1. Are developed and maintained;
2. Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and
3. Are reported in accordance with OMB FISMA reporting requirements.
b. Reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. |
| CCI-000207 |
The organization develops and maintains an inventory of its information systems. |
DITPR is the inventory for all DoD information systems.
The organization conducting the inspection/assessment obtains and examines the inventory of information systems via DITPR to ensure the organization being inspected/assessed registers their information systems in DITPR. |
DITPR is the inventory for all DoD information systems.
The organization being inspected/assessed must register and maintain their information systems in DITPR.
|
Information System Inventory |
PM-5 |
PM-5.1 |
This control addresses the inventory requirements in FISMA. OMB provides guidance on developing information systems inventories and associated reporting requirements. For specific information system inventory reporting requirements, organizations consult OMB annual FISMA reporting guidance. |
The organization develops and maintains an inventory of its information systems. |
| CCI-000227 |
The organization develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems. |
DoD Risk Management Framework meets the requirement for a comprehensive organizational risk strategy.
DoD components are automatically compliant with this CCI because they are covered by DoD Risk Management Framework (DoDI 8510.01). |
DoD Risk Management Framework meets the requirement for a comprehensive organizational risk strategy.
DoD components are automatically compliant with this CCI because they are covered by the DoD Risk Management Framework (DoDI 8510.01). |
Risk Management Strategy |
PM-9 |
PM-9.1 |
An organization-wide risk management strategy includes, for example, an unambiguous expression of the risk tolerance for the organization, acceptable risk assessment methodologies, risk mitigation strategies, a process for consistently evaluating risk across the organization with respect to the organization's risk tolerance, and approaches for monitoring risk over time. The use of a risk executive function can facilitate consistent, organization-wide application of the risk management strategy. The organization-wide risk management strategy can be informed by risk-related inputs from other sources both internal and external to the organization to ensure the strategy is both broad-based and comprehensive. Related control: RA-3. |
The organization:
a. Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems;
b. Implements the risk management strategy consistently across the organization; and
c. Reviews and updates the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes. |
| CCI-000228 |
The organization implements a comprehensive strategy to manage risk to organization operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems consistently across the organization. |
DoD Risk Management Framework meets the requirement for a comprehensive organizational risk strategy.
DoD components are automatically compliant with this CCI because they are covered by DoD Risk Management Framework (DoDI 8510.01). |
DoD Risk Management Framework meets the requirement for a comprehensive organizational risk strategy.
DoD components are automatically compliant with this CCI because they are covered by the DoD Risk Management Framework (DoDI 8510.01). |
Risk Management Strategy |
PM-9 |
PM-9.2 |
An organization-wide risk management strategy includes, for example, an unambiguous expression of the risk tolerance for the organization, acceptable risk assessment methodologies, risk mitigation strategies, a process for consistently evaluating risk across the organization with respect to the organization's risk tolerance, and approaches for monitoring risk over time. The use of a risk executive function can facilitate consistent, organization-wide application of the risk management strategy. The organization-wide risk management strategy can be informed by risk-related inputs from other sources both internal and external to the organization to ensure the strategy is both broad-based and comprehensive. Related control: RA-3. |
The organization:
a. Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems;
b. Implements the risk management strategy consistently across the organization; and
c. Reviews and updates the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes. |
| CCI-000229 |
The organization documents the security state of organizational information systems and the environments in which those systems operate through security authorization processes. |
DoDI 8510.01 meets the DoD requirement to manage the security authorization process.
DoD components are automatically compliant with this CCI because they are covered at the DoD level, DoDI 8510.01. |
DoDI 8510.01 meets the DoD requirement to manage the security authorization process.
DoD components are automatically compliant with this CCI because they are covered at the DoD level, DoDI 8510.01. |
Security Authorization Process |
PM-10 |
PM-10.1 |
Security authorization processes for information systems and environments of operation require the implementation of an organization-wide risk management process, a Risk Management Framework, and associated security standards and guidelines. Specific roles within the risk management process include an organizational risk executive (function) and designated authorizing officials for each organizational information system and common control provider. Security authorization processes are integrated with organizational continuous monitoring processes to facilitate ongoing understanding and acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation. Related control: CA-6. |
The organization:
a. Manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes;
b. Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
c. Fully integrates the security authorization processes into an organization-wide risk management program. |
| CCI-000230 |
The organization tracks the security state of organizational information systems and the environments in which those systems operate through security authorization processes. |
DoDI 8510.01 meets the DoD requirement to manage the security authorization process.
DoD components are automatically compliant with this CCI because they are covered at the DoD level, DoDI 8510.01. |
DoDI 8510.01 meets the DoD requirement to manage the security authorization process.
DoD components are automatically compliant with this CCI because they are covered at the DoD level, DoDI 8510.01. |
Security Authorization Process |
PM-10 |
PM-10.2 |
Security authorization processes for information systems and environments of operation require the implementation of an organization-wide risk management process, a Risk Management Framework, and associated security standards and guidelines. Specific roles within the risk management process include an organizational risk executive (function) and designated authorizing officials for each organizational information system and common control provider. Security authorization processes are integrated with organizational continuous monitoring processes to facilitate ongoing understanding and acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation. Related control: CA-6. |
The organization:
a. Manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes;
b. Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
c. Fully integrates the security authorization processes into an organization-wide risk management program. |
| CCI-000231 |
The organization reports the security state of organizational information systems and the environments in which those systems operate through security authorization processes. |
DoDI 8510.01 meets the DoD requirement to manage the security authorization process.
DoD components are automatically compliant with this CCI because they are covered at the DoD level, DoDI 8510.01. |
DoDI 8510.01 meets the DoD requirement to manage the security authorization process.
DoD components are automatically compliant with this CCI because they are covered at the DoD level, DoDI 8510.01. |
Security Authorization Process |
PM-10 |
PM-10.3 |
Security authorization processes for information systems and environments of operation require the implementation of an organization-wide risk management process, a Risk Management Framework, and associated security standards and guidelines. Specific roles within the risk management process include an organizational risk executive (function) and designated authorizing officials for each organizational information system and common control provider. Security authorization processes are integrated with organizational continuous monitoring processes to facilitate ongoing understanding and acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation. Related control: CA-6. |
The organization:
a. Manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes;
b. Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
c. Fully integrates the security authorization processes into an organization-wide risk management program. |
| CCI-000233 |
The organization designates individuals to fulfill specific roles and responsibilities within the organizational risk management process. |
DoDI 8510.01 meets the DoD requirement to designate roles and responsibilities for the risk management process.
DoD components are automatically compliant with this CCI because they are covered at the DoD level, DoDI 8510.01. |
DoDI 8510.01 meets the DoD requirement to designate roles and responsibilities for the risk management process.
DoD components are automatically compliant with this CCI because they are covered at the DoD level, DoDI 8510.01. |
Security Authorization Process |
PM-10 |
PM-10.4 |
Security authorization processes for information systems and environments of operation require the implementation of an organization-wide risk management process, a Risk Management Framework, and associated security standards and guidelines. Specific roles within the risk management process include an organizational risk executive (function) and designated authorizing officials for each organizational information system and common control provider. Security authorization processes are integrated with organizational continuous monitoring processes to facilitate ongoing understanding and acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation. Related control: CA-6. |
The organization:
a. Manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes;
b. Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
c. Fully integrates the security authorization processes into an organization-wide risk management program. |
| CCI-000234 |
The organization fully integrates the security authorization processes into an organization-wide risk management program. |
DoDI 8510.01 meets the DoD requirement to fully integrate the security authorization process.
DoD components are automatically compliant with this CCI because they are covered at the DoD level, DoDI 8510.01. |
DoDI 8510.01 meets the DoD requirement to fully integrate the security authorization process.
DoD components are automatically compliant with this CCI because they are covered at the DoD level, DoDI 8510.01. |
Security Authorization Process |
PM-10 |
PM-10.5 |
Security authorization processes for information systems and environments of operation require the implementation of an organization-wide risk management process, a Risk Management Framework, and associated security standards and guidelines. Specific roles within the risk management process include an organizational risk executive (function) and designated authorizing officials for each organizational information system and common control provider. Security authorization processes are integrated with organizational continuous monitoring processes to facilitate ongoing understanding and acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation. Related control: CA-6. |
The organization:
a. Manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes;
b. Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
c. Fully integrates the security authorization processes into an organization-wide risk management program. |
| CCI-000235 |
The organization defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation. |
DoDI 8510.01 meets the DoD requirement to define mission/business processes.
DoD components are automatically complaint with this CCI as they are covered at the DoD level, DoDI 8510.01. |
DoDI 8510.01 meets the DoD requirement to define mission/business processes.
DoD components are automatically complaint with this CCI as they are covered at the DoD level, DoDI 8510.01. |
Mission/Business Process Definition |
PM-11 |
PM-11.1 |
Information protection needs are technology-independent, required capabilities to counter threats to organizations, individuals, or the Nation through the compromise of information (i.e., loss of confidentiality, integrity, or availability). Information protection needs are derived from the mission/business needs defined by the organization, the mission/business processes selected to meet the stated needs, and the organizational risk management strategy. Information protection needs determine the required security controls for the organization and the associated information systems supporting the mission/business processes. Inherent in defining an organization's information protection needs is an understanding of the level of adverse impact that could result if a compromise of information occurs. The security categorization process is used to make such potential impact determinations. Mission/business process definitions and associated information protection requirements are documented by the organization in accordance with organizational policy and procedure. Related controls: PM-7, PM-8, RA-2. |
The organization:
a. Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and
b. Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained. |
| CCI-000236 |
The organization determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs are obtained. |
The organization conducting the inspection/assessment obtains and examines the security plan to ensure the security categorization has been documented IAW CNSSI 1253. |
The organization being inspected/asssessed determines information protection needs IAW CNSSI 1253 and as identified in RA-2. |
Mission/Business Process Definition |
PM-11 |
PM-11.2 |
Information protection needs are technology-independent, required capabilities to counter threats to organizations, individuals, or the Nation through the compromise of information (i.e., loss of confidentiality, integrity, or availability). Information protection needs are derived from the mission/business needs defined by the organization, the mission/business processes selected to meet the stated needs, and the organizational risk management strategy. Information protection needs determine the required security controls for the organization and the associated information systems supporting the mission/business processes. Inherent in defining an organization's information protection needs is an understanding of the level of adverse impact that could result if a compromise of information occurs. The security categorization process is used to make such potential impact determinations. Mission/business process definitions and associated information protection requirements are documented by the organization in accordance with organizational policy and procedure. Related controls: PM-7, PM-8, RA-2. |
The organization:
a. Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and
b. Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained. |
| CCI-001460 |
The organization monitors organization-defined open source information and/or information sites per organization-defined frequency for evidence of unauthorized exfiltration or disclosure of organizational information. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of monitoring activity to ensure the organization being inspected/assessed monitors open source information and/or information sites defined in AU-13, CCI 1915 for evidence of unauthorized exfiltration or disclosure of organizational information on a frequency defined in AU-13, CCI 1461. |
The organization being inspected/assessed documents and implements a process to monitor open source information and/or information sites defined in AU-13, CCI 1915 for evidence of unauthorized exfiltration or disclosure of organizational information on a frequency defined in AU-13, CCI 1461.
The organization must maintain an audit trail of monitoring activity. |
Monitoring For Information Disclosure |
AU-13 |
AU-13.1 |
Open source information includes, for example, social networking sites. Related controls: PE-3, SC-7. |
The organization monitors [Assignment: organization-defined open source information and/or information sites] [Assignment: organization-defined frequency] for evidence of unauthorized disclosure of organizational information. |
| CCI-001461 |
The organization defines a frequency for monitoring open source information and/or information sites for evidence of unauthorized exfiltration or disclosure of organizational information. |
The organization conducting the inspection/assessment obtains and examines the documented frequency to ensure the organization being inspected/assessed defines the frequency for monitoring open source information and/or information sites for evidence of unauthorized exfiltration or disclosure of organizational information.
DoD has determined that the frequency should be defined at the Component level, not appropriate to define at the Enterprise level. Note: The value in this control may not be used to deny reciprocal acceptance of a C&A (A&A) package. |
The organization being inspected/assessed defines and documents the frequency for monitoring open source information and/or information sites for evidence of unauthorized exfiltration or disclosure of organizational information.
DoD has determined that the frequency should be defined at the Component level, not appropriate to define at the Enterprise level. Note: The value in this control may not be used to deny reciprocal acceptance of a C&A (A&A) package. |
Monitoring For Information Disclosure |
AU-13 |
AU-13.2 |
Open source information includes, for example, social networking sites. Related controls: PE-3, SC-7. |
The organization monitors [Assignment: organization-defined open source information and/or information sites] [Assignment: organization-defined frequency] for evidence of unauthorized disclosure of organizational information. |
| CCI-000338 |
The organization defines physical access restrictions associated with changes to the information system. |
The organization conducting the inspection/assessment obtains and examines the configuration management policy to ensure the organization being inspected/assessed defines physical access restrictions associated with changes to the information system. |
The organization being inspected/assessed defines and documents in the configuration management policy, physical access restrictions associated with changes to the information system. |
Access Restrictions For Change |
CM-5 |
CM-5.1 |
Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover). Related controls: AC-3, AC-6, PE-3. |
The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system. |
| CCI-000339 |
The organization documents physical access restrictions associated with changes to the information system. |
The organization conducting the inspection/assessment obtains and examines the configuration management policy to ensure the organization being inspected/assessed documents physical access restrictions associated with changes to the information system. |
The organization being inspected/assessed documents, in the configuration management policy, physical access restrictions associated with changes to the information system. |
Access Restrictions For Change |
CM-5 |
CM-5.2 |
Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover). Related controls: AC-3, AC-6, PE-3. |
The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system. |
| CCI-000340 |
The organization approves physical access restrictions associated with changes to the information system. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of approvals to ensure the organization being inspected/assessed approves physical access restrictions associated with changes to the information system. |
The organization being inspected/assessed documents and implements a process to approve physical access restrictions associated with changes to the information system.
The organization must maintain an audit trail of approvals. |
Access Restrictions For Change |
CM-5 |
CM-5.3 |
Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover). Related controls: AC-3, AC-6, PE-3. |
The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system. |
| CCI-000341 |
The organization enforces physical access restrictions associated with changes to the information system. |
The organization conducting the inspection/assessment the documented process to ensure the organization being inspected/assessed enforces physical access restrictions associated with changes to the information system as documented in the configuration management policy. |
The organization being inspected/assessed documents and implements a process to enforce physical access restrictions associated with changes to the information system. |
Access Restrictions For Change |
CM-5 |
CM-5.4 |
Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover). Related controls: AC-3, AC-6, PE-3. |
The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system. |
| CCI-000342 |
The organization defines logical access restrictions associated with changes to the information system. |
The organization conducting the inspection/assessment obtains and examines the configuration management policy to ensure the organization being inspected/assessed defines logical access restrictions associated with changes to the information system. |
The organization being inspected/assessed defines and documents in the configuration management policy, logical access restrictions associated with changes to the information system. |
Access Restrictions For Change |
CM-5 |
CM-5.5 |
Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover). Related controls: AC-3, AC-6, PE-3. |
The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system. |
| CCI-000343 |
The organization documents logical access restrictions associated with changes to the information system. |
The organization conducting the inspection/assessment obtains and examines the configuration management policy to ensure the organization being inspected/assessed documents logical access restrictions associated with changes to the information system. |
The organization being inspected/assessed documents, in the configuration management policy, logical access restrictions associated with changes to the information system. |
Access Restrictions For Change |
CM-5 |
CM-5.6 |
Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover). Related controls: AC-3, AC-6, PE-3. |
The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system. |
| CCI-000344 |
The organization approves logical access restrictions associated with changes to the information system. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of approvals to ensure the organization being inspected/assessed approves logical access restrictions associated with changes to the information system. |
The organization being inspected/assessed documents and implements a process to approve logical access restrictions associated with changes to the information system.
The organization must maintain an audit trail of approvals. |
Access Restrictions For Change |
CM-5 |
CM-5.7 |
Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover). Related controls: AC-3, AC-6, PE-3. |
The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system. |
| CCI-000345 |
The organization enforces logical access restrictions associated with changes to the information system. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the logical access audit trail to ensure the organization being inspected/assessed enforces logical access restrictions associated with changes to the information system as documented in the configuration management policy. |
The organization being inspected/assessed documents and implements a process to enforce logical access restrictions associated with changes to the information system.
The information system must maintain an audit trail of logical access to the information system pertaining to information system changes. |
Access Restrictions For Change |
CM-5 |
CM-5.8 |
Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover). Related controls: AC-3, AC-6, PE-3. |
The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system. |
| CCI-000346 |
The organization employs automated mechanisms to enforce access restrictions. |
|
|
|
|
|
|
|
| CCI-000347 |
The organization employs automated mechanisms to support auditing of the enforcement actions. |
|
|
|
|
|
|
|
| CCI-000348 |
The organization defines a frequency with which to conduct reviews of information system changes. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as every 90 days or more frequently as the organization defines for high systems AND at least annually or more frequently as the organization defines for low and moderate systems. |
DoD has defined the frequency as every 90 days or more frequently as the organization defines for high systems AND at least annually or more frequently as the organization defines for low and moderate systems. |
Access Restrictions For Change | Review System Changes |
CM-5 (2) |
CM-5(2).1 |
Indications that warrant review of information system changes and the specific circumstances justifying such reviews may be obtained from activities carried out by organizations during the configuration change process. Related controls: AU-6, AU-7, CM-3, CM-5, PE-6, PE-8. |
The organization reviews information system changes [Assignment: organization-defined frequency] and [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred. |
| CCI-000349 |
The organization reviews information system changes per organization-defined frequency to determine whether unauthorized changes have occurred. |
The organization conducting the inspection/assessment obtains and examines the documented process for information system change review as well as the audit trail of reviews to ensure the organization being inspected/assessed reviews IS changes every 90 days or more frequently as the organization defines for high systems AND at least annually or more frequently as the organization defines for low and moderate systems to determine whether unauthorized changes have occurred.
DoD has defined the frequency as every 90 days or more frequently as the organization defines for high systems AND at least annually or more frequently as the organization defines for low and moderate systems. |
The organization being inspected/assessed documents in the configuration management policy and implements a process to review information system changes every 90 days or more frequently as the organization defines for high systems AND at least annually or more frequently as the organization defines for low and moderate systems to determine whether unauthorized changes have occurred.
The organization must maintain this review as an audit trail.
DoD has defined the frequency as every 90 days or more frequently as the organization defines for high systems AND at least annually or more frequently as the organization defines for low and moderate systems.
|
Access Restrictions For Change | Review System Changes |
CM-5 (2) |
CM-5(2).2 |
Indications that warrant review of information system changes and the specific circumstances justifying such reviews may be obtained from activities carried out by organizations during the configuration change process. Related controls: AU-6, AU-7, CM-3, CM-5, PE-6, PE-8. |
The organization reviews information system changes [Assignment: organization-defined frequency] and [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred. |
| CCI-000350 |
The organization reviews information system changes upon organization-defined circumstances to determine whether unauthorized changes have occurred. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of reviews to ensure the organization being inspected/assessed reviews the information system changes when there is an incident or when planned changes have been performed to determine whether unauthorized changes have occurred.
DoD has defined the circumstances as when there is an incident or when planned changes have been performed. |
The organization being inspected/assessed documents and implements a process to review the information system changes when there is an incident or when planned changes have been performed to determine whether unauthorized changes have occurred.
The organization must maintain this review as an audit trail.
DoD has defined the circumstances as when there is an incident or when planned changes have been performed. |
Access Restrictions For Change | Review System Changes |
CM-5 (2) |
CM-5(2).3 |
Indications that warrant review of information system changes and the specific circumstances justifying such reviews may be obtained from activities carried out by organizations during the configuration change process. Related controls: AU-6, AU-7, CM-3, CM-5, PE-6, PE-8. |
The organization reviews information system changes [Assignment: organization-defined frequency] and [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred. |
| CCI-000351 |
The organization defines critical software programs that the information system will prevent from being installed if such software programs are not signed with a recognized and approved certificate. |
|
|
|
|
|
|
|
| CCI-000352 |
The information system prevents the installation of organization-defined critical software programs that are not signed with a certificate that is recognized and approved by the organization. |
|
|
|
|
|
|
|
| CCI-000353 |
The organization defines information system components requiring enforcement of a dual authorization for information system changes. |
The organization conducting the inspection/assessment obtains and examines the documented information system components to ensure the organization being inspected/assessed defines the information system components requiring enforcement of a dual authorization for information system changes.
DoD has determined to the information system components are not appropriate to define at the Enterprise level. |
The organizationg being inspected/assessed defines and documents information system components requiring enforcement of a dual authorization for information system changes.
DoD has determined to the information system components are not appropriate to define at the Enterprise level. |
Access Restrictions For Change | Dual Authorization |
CM-5 (4) |
CM-5(4).1 |
Organizations employ dual authorization to ensure that any changes to selected information system components and information cannot occur unless two qualified individuals implement such changes. The two individuals possess sufficient skills/expertise to determine if the proposed changes are correct implementations of approved changes. Dual authorization may also be known as two-person control. Related controls: AC-5, CM-3. |
The organization enforces dual authorization for implementing changes to [Assignment: organization-defined information system components and system-level information]. |
| CCI-000354 |
The organization enforces dual authorization for changes to organization-defined information system components. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed enforces dual authorization for changes to information system components defined in CM-5 (4), CCI 353. |
The organization being inspected/assessed documents and implements a process to enforce dual authorization for changes to information system components defined in CM-5 (4), CCI 353. |
Access Restrictions For Change | Dual Authorization |
CM-5 (4) |
CM-5(4).2 |
Organizations employ dual authorization to ensure that any changes to selected information system components and information cannot occur unless two qualified individuals implement such changes. The two individuals possess sufficient skills/expertise to determine if the proposed changes are correct implementations of approved changes. Dual authorization may also be known as two-person control. Related controls: AC-5, CM-3. |
The organization enforces dual authorization for implementing changes to [Assignment: organization-defined information system components and system-level information]. |
| CCI-000355 |
The organization limits information system developer/integrator privileges to change hardware components directly within a production environment. |
|
|
|
|
|
|
|
| CCI-000356 |
The organization limits information system developer/integrator privileges to change software components directly within a production environment. |
|
|
|
|
|
|
|
| CCI-000357 |
The organization limits information system developer/integrator privileges to change firmware components directly within a production environment. |
|
|
|
|
|
|
|
| CCI-000358 |
The organization limits information system developer/integrator privileges to change system information directly within a production environment. |
|
|
|
|
|
|
|
| CCI-000359 |
The organization defines the frequency to review information system developer/integrator privileges. |
|
|
|
|
|
|
|
| CCI-000360 |
The organization defines the frequency to reevaluate information system developer/integrator privileges. |
|
|
|
|
|
|
|
| CCI-000361 |
The organization reviews information system developer/integrator privileges per organization-defined frequency. |
|
|
|
|
|
|
|
| CCI-000362 |
The organization reevaluates information system developer/integrator privileges per organization-defined frequency. |
|
|
|
|
|
|
|
| CCI-001499 |
The organization limits privileges to change software resident within software libraries. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed limits privileges to change software resident within software libraries.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1499. |
The organization being inspected/assessed documents and implements a process to limit privileges to accounts authorized to change software resident within software libraries.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1499. |
Access Restrictions For Change | Limit Library Privileges |
CM-5 (6) |
CM-5(6).1 |
|
The organization limits privileges to change software resident within software libraries. |
| CCI-001500 |
The information system automatically implements organization-defined safeguards and countermeasures if security functions (or mechanisms) are changed inappropriately. |
|
|
|
|
|
|
|
| CCI-001501 |
The organization defines safeguards and countermeasures to be employed by the information system if security functions (or mechanisms) are changed inappropriately. |
|
|
|
|
|
|
|
| CCI-000389 |
The organization develops an inventory of information system components that accurately reflects the current information system. |
The organization conducting the inspection/assessment obtains and examines the documented inventory and examines a sampling of information system components to ensure inventory accurately reflects the current information system. |
The organization being inspected/assessed documents inventory of information system components that accurately reflects the current information system. |
Information System Component Inventory |
CM-8 |
CM-8.1 |
Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location. Related controls: CM-2, CM-6, PM-5. |
The organization:
a. Develops and documents an inventory of information system components that:
1. Accurately reflects the current information system;
2. Includes all components within the authorization boundary of the information system;
3. Is at the level of granularity deemed necessary for tracking and reporting; and
4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and
b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency]. |
| CCI-000390 |
The organization documents an inventory of information system components that accurately reflects the current information system. |
|
|
|
|
|
|
|
| CCI-000391 |
The organization maintains an inventory of information system components that accurately reflects the current information system. |
|
|
|
|
|
|
|
| CCI-000392 |
The organization develops an inventory of information system components that includes all components within the authorization boundary of the information system. |
The organization conducting the inspection/assessment obtains and examines the documented inventory and examines a sampling of information system components to ensure inventory includes all components within the authorization boundary of the information system. |
The organization being inspected/assessed documents inventory of information system components that includes all components within the authorization boundary of the information system. |
Information System Component Inventory |
CM-8 |
CM-8.2 |
Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location. Related controls: CM-2, CM-6, PM-5. |
The organization:
a. Develops and documents an inventory of information system components that:
1. Accurately reflects the current information system;
2. Includes all components within the authorization boundary of the information system;
3. Is at the level of granularity deemed necessary for tracking and reporting; and
4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and
b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency]. |
| CCI-000393 |
The organization documents an inventory of information system components that includes all components within the authorization boundary of the information system. |
|
|
|
|
|
|
|
| CCI-000394 |
The organization maintains an inventory of information system components that is consistent with the authorization boundary of the information system. |
|
|
|
|
|
|
|
| CCI-000395 |
The organization develops an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting. |
The organization conducting the inspection/assessment obtains and examines the documented inventory and examines a sampling of information system components to ensure inventory is at the level of granularity deemed necessary for tracking and reporting. |
The organization being inspected/assessed documents inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting. |
Information System Component Inventory |
CM-8 |
CM-8.3 |
Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location. Related controls: CM-2, CM-6, PM-5. |
The organization:
a. Develops and documents an inventory of information system components that:
1. Accurately reflects the current information system;
2. Includes all components within the authorization boundary of the information system;
3. Is at the level of granularity deemed necessary for tracking and reporting; and
4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and
b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency]. |
| CCI-000396 |
The organization documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting. |
|
|
|
|
|
|
|
| CCI-000397 |
The organization maintains an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting. |
|
|
|
|
|
|
|
| CCI-000398 |
The organization defines information deemed necessary to achieve effective information system component accountability. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the information as hardware inventory specifications (manufacturer, type, model, serial number, physical location), software license information, information system/component owner, and for a networked component/device, the machine name. |
DoD has defined the information as hardware inventory specifications (manufacturer, type, model, serial number, physical location), software license information, information system/component owner, and for a networked component/device, the machine name. |
Information System Component Inventory |
CM-8 |
CM-8.4 |
Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location. Related controls: CM-2, CM-6, PM-5. |
The organization:
a. Develops and documents an inventory of information system components that:
1. Accurately reflects the current information system;
2. Includes all components within the authorization boundary of the information system;
3. Is at the level of granularity deemed necessary for tracking and reporting; and
4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and
b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency]. |
| CCI-000399 |
The organization develops an inventory of information system components that includes organization-defined information deemed necessary to achieve effective information system component accountability. |
The organization conducting the inspection/assessment obtains and examines the documented inventory and examines a sampling of information system components to ensure inventory includes organization defined information deemed necessary to achieve effective information system component accountability. |
The organization being inspected/assessed documents inventory of information system components that includes organization defined information deemed necessary to achieve effective information system component accountability. |
Information System Component Inventory |
CM-8 |
CM-8.5 |
Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location. Related controls: CM-2, CM-6, PM-5. |
The organization:
a. Develops and documents an inventory of information system components that:
1. Accurately reflects the current information system;
2. Includes all components within the authorization boundary of the information system;
3. Is at the level of granularity deemed necessary for tracking and reporting; and
4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and
b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency]. |
| CCI-000400 |
The organization documents an inventory of information system components that includes organization-defined information deemed necessary to achieve effective information system component accountability. |
|
|
|
|
|
|
|
| CCI-000401 |
The organization maintains an inventory of information system components that includes organization-defined information deemed necessary to achieve effective property accountability. |
|
|
|
|
|
|
|
| CCI-000402 |
The organization develops an inventory of information system components that is available for review by designated organizational officials. |
|
|
|
|
|
|
|
| CCI-000403 |
The organization documents an inventory of information system components that is available for review by designated organizational officials. |
|
|
|
|
|
|
|
| CCI-000404 |
The organization maintains an inventory of information system components that is available for review by designated organizational officials. |
|
|
|
|
|
|
|
| CCI-000405 |
The organization develops an inventory of information system components that is available for audit by designated organizational officials. |
|
|
|
|
|
|
|
| CCI-000406 |
The organization documents an inventory of information system components that is available for audit by designated organizational officials. |
|
|
|
|
|
|
|
| CCI-000407 |
The organization maintains an inventory of information system components that is available for audit by designated organizational officials. |
|
|
|
|
|
|
|
| CCI-000408 |
The organization updates the inventory of information system components as an integral part of component installations. |
The organization conducting the inspection/assessment obtains and examines the documented process for updates as well as the audit trail of updates and the log of changes to the information system to ensure the organization being inspected/assessed updates the inventory of information system components as an integral part of component installations. |
The organization being inspected/assessed documents and implements a process to update the inventory of information system components as an integral part of component installations.
The organization must maintain an audit trail of updates. The audit trail may be recorded within the inventory itself. |
Information System Component Inventory | Updates During Installations / Removals |
CM-8 (1) |
CM-8(1).1 |
|
The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. |
| CCI-000409 |
The organization updates the inventory of information system components as an integral part of component removals. |
The organization conducting the inspection/assessment obtains and examines the documented process for updates as well as the audit trail of updates and the log of changes to the information system to ensure the organization being inspected/assessed updates the inventory of information system components as an integral part of component removals. |
The organization being inspected/assessed documents and implements a process to update the inventory of information system components as an integral part of component removals.
The organization must maintain an audit trail of updates. The audit trail may be recorded within the inventory itself. |
Information System Component Inventory | Updates During Installations / Removals |
CM-8 (1) |
CM-8(1).2 |
|
The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. |
| CCI-000410 |
The organization updates the inventory of information system components as an integral part of information system updates. |
The organization conducting the inspection/assessment obtains and examines the documented process for updates as well as the audit trail of updates and the log of changes to the information system to ensure the organization being inspected/assessed updates the inventory of information system components as an integral part of information system updates. |
The organization being inspected/assessed documents and implements a process to update the inventory of information system components as an integral part of information system updates.
The organization must maintain an audit trail of updates. The audit trail may be recorded within the inventory itself. |
Information System Component Inventory | Updates During Installations / Removals |
CM-8 (1) |
CM-8(1).3 |
|
The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. |
| CCI-000411 |
The organization employs automated mechanisms to help maintain an up-to-date inventory of information system components. |
The organization conducting the inspection/assessment obtains and examines the documentation identifying the automated mechanism used to help maintain an up-to-date inventory of information system components and examines the mechanism to ensure the organization being inspected/assessed employs automated mechanisms to help maintain an up-to-date inventory of information system components. |
The organization being inspected/assessed documents and implements automated mechanisms to help maintain an up-to-date inventory of information system components.
An automated mechanism implemented IAW CM-2 (2) satisfies the requirements of this CCI if the automated mechanism maintains an up-to-date inventory. |
Information System Component Inventory | Automated Maintenance |
CM-8 (2) |
CM-8(2).1 |
Organizations maintain information system inventories to the extent feasible. Virtual machines, for example, can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. This control enhancement can be satisfied by the implementation of CM-2 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related control: SI-7. |
The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components. |
| CCI-000412 |
The organization employs automated mechanisms to help maintain a complete inventory of information system components. |
The organization conducting the inspection/assessment obtains and examines the documentation identifying the automated mechanism used to help maintain a complete inventory of information system components and examines the mechanism to ensure the organization being inspected/assessed employs automated mechanisms to help maintain a complete inventory of information system components. |
The organization being inspected/assessed documents and implements automated mechanisms to help maintain a complete inventory of information system components.
An automated mechanism implemented IAW CM-2 (2) satisfies the requirements of this CCI if the automated mechanism maintains a complete inventory. |
Information System Component Inventory | Automated Maintenance |
CM-8 (2) |
CM-8(2).2 |
Organizations maintain information system inventories to the extent feasible. Virtual machines, for example, can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. This control enhancement can be satisfied by the implementation of CM-2 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related control: SI-7. |
The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components. |
| CCI-000413 |
The organization employs automated mechanisms to help maintain an accurate inventory of information system components. |
The organization conducting the inspection/assessment obtains and examines the documentation identifying the automated mechanism used to help maintain an accurate inventory of information system components and examines the mechanism to ensure the organization being inspected/assessed employs automated mechanisms to help maintain an accurate inventory of information system components. |
The organization being inspected/assessed documents and implements automated mechanisms to help maintain an accurate inventory of information system components.
An automated mechanism implemented IAW CM-2 (2) satisfies the requirements of this CCI if the automated mechanism maintains an accurate inventory. |
Information System Component Inventory | Automated Maintenance |
CM-8 (2) |
CM-8(2).3 |
Organizations maintain information system inventories to the extent feasible. Virtual machines, for example, can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. This control enhancement can be satisfied by the implementation of CM-2 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related control: SI-7. |
The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components. |
| CCI-000414 |
The organization employs automated mechanisms to help maintain a readily available inventory of information system components. |
The organization conducting the inspection/assessment obtains and examines the documentation identifying the automated mechanism used to help maintain a readily available inventory of information system components and examines the mechanism to ensure the organization being inspected/assessed employs automated mechanisms to help maintain a readily available inventory of information system components. |
The organization being inspected/assessed documents and implements automated mechanisms to help maintain a readily available inventory of information system components.
An automated mechanism implemented IAW CM-2 (2) satisfies the requirements of this CCI if the automated mechanism maintains a readily available inventory. |
Information System Component Inventory | Automated Maintenance |
CM-8 (2) |
CM-8(2).4 |
Organizations maintain information system inventories to the extent feasible. Virtual machines, for example, can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. This control enhancement can be satisfied by the implementation of CM-2 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related control: SI-7. |
The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components. |
| CCI-000415 |
The organization defines the frequency of employing automated mechanisms to detect the presence of unauthorized hardware, software, and firmware components within the information system. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as continuously. |
DoD has defined the frequency as continuously. |
Information System Component Inventory | Automated Unauthorized Component Detection |
CM-8 (3) |
CM-8(3).1 |
This control enhancement is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms can be implemented within information systems or in other separate devices. Isolation can be achieved, for example, by placing unauthorized information system components in separate domains or subnets or otherwise quarantining such components. This type of component isolation is commonly referred to as sandboxing. Related controls: AC-17, AC-18, AC-19, CA-7, SI-3, SI-4, SI-7, RA-5. |
The organization:
(a) Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and
(b) Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]]. |
| CCI-000416 |
The organization employs automated mechanisms, per organization-defined frequency, to detect the presence of unauthorized hardware, software, and firmware components within the information system. |
The organization conducting the inspection/assessment obtains and examines the documentation identifying the automated mechanisms and examines the implemented automated mechanisms to ensure the organization being inspected/assessed employs automated mechanisms, continuously, to detect the presence of unauthorized hardware, software, and firmware components within the information system.
DoD has defined the frequency as continuously. |
The organization being inspected/assessed documents and implements automated mechanisms to detect the presence of unauthorized hardware, software, and firmware components within the information system continuously.
DoD has defined the frequency as continuously. |
Information System Component Inventory | Automated Unauthorized Component Detection |
CM-8 (3) |
CM-8(3).2 |
This control enhancement is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms can be implemented within information systems or in other separate devices. Isolation can be achieved, for example, by placing unauthorized information system components in separate domains or subnets or otherwise quarantining such components. This type of component isolation is commonly referred to as sandboxing. Related controls: AC-17, AC-18, AC-19, CA-7, SI-3, SI-4, SI-7, RA-5. |
The organization:
(a) Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and
(b) Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]]. |
| CCI-000417 |
The organization disables network access by unauthorized components/devices or notifies designated organizational officials. |
|
|
|
|
|
|
|
| CCI-000418 |
The organization includes, in the information system component inventory information, a means for identifying by name, position, and/or role, individuals responsible/accountable for administering those components. |
The organization conducting the inspection/assessment obtains and examines the information system component inventory to verify that the organization being inspected/assessed identifies within their inventory, the name and position or role of individuals responsible/accountable for administering those components or a means of identifying those individuals. |
The organization being inspected/assessed documents within their information system component inventory, the name and position or role of individuals responsible/accountable for administering those components or a means of identifying those individuals. |
Information System Component Inventory | Accountability Information |
CM-8 (4) |
CM-8(4).1 |
Identifying individuals who are both responsible and accountable for administering information system components helps to ensure that the assigned components are properly administered and organizations can contact those individuals if some action is required (e.g., component is determined to be the source of a breach/compromise, component needs to be recalled/replaced, or component needs to be relocated). |
The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable for administering those components. |
| CCI-000419 |
The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories. |
The organization conducting the inspection/assessment obtains and examines the inventory list of the authorized information system and verifies that all components identified during the inspection are not duplicated in other information system inventories. |
The organization being inspected/assessed verifies that all components within the authorization boundary of the information system are not duplicated in other information system inventories. |
Information System Component Inventory | No Duplicate Accounting Of Components |
CM-8 (5) |
CM-8(5).1 |
This control enhancement addresses the potential problem of duplicate accounting of information system components in large or complex interconnected systems. |
The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories. |
| CCI-000420 |
The organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory. |
The organization conducting the inspection/assessment obtains and examines the organization's configuration management policy and plan; procedures addressing information system component inventory; information system design documentation; information system inventory records; information system component installation records; and any other relevant documents or records. The purpose of the reviews is to validate the organization is including assessed component configurations, and any approved deviations to deployed configurations, in the information system component's inventory. |
The organization being inspected/assessed will institute procedures to ensure assessed component configurations, and any approved deviations to current deployed configurations, are included in the information system component inventory. |
Information System Component Inventory | Assessed Configurations / Approved Deviations |
CM-8 (6) |
CM-8(6).1 |
This control enhancement focuses on configuration settings established by organizations for information system components, the specific components that have been assessed to determine compliance with the required configuration settings, and any approved deviations from established configuration settings. Related controls: CM-2, CM-6. |
The organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory. |
| CCI-000421 |
The organization develops a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures. |
The organization conducting the inspection/assessment obtains and examines the configuration management plan to verify that it addresses and documents roles, responsibilities, and configuration management processes and procedures |
The organization being inspected/assessed will develop and document a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures. |
Configuration Management Plan |
CM-9 |
CM-9.1 |
Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10. |
The organization develops, documents, and implements a configuration management plan for the information system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
c. Defines the configuration items for the information system and places the configuration items under configuration management; and
d. Protects the configuration management plan from unauthorized disclosure and modification. |
| CCI-000422 |
The organization documents a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures. |
|
|
|
|
|
|
|
| CCI-000423 |
The organization implements a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures. |
The organization conducting the inspection/assessment obtains and examines the configuration management plan as well as evidence of implementation (e.g., completed change requests, meeting minutes, and other relevant documents) to ensure the organization being inspected/assessed implements a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures. |
The organization being inspected/assessed will implement a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures. |
Configuration Management Plan |
CM-9 |
CM-9.2 |
Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10. |
The organization develops, documents, and implements a configuration management plan for the information system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
c. Defines the configuration items for the information system and places the configuration items under configuration management; and
d. Protects the configuration management plan from unauthorized disclosure and modification. |
| CCI-000424 |
The organization develops a configuration management plan for the information system that defines the configuration items for the information system. |
The organization conducting the inspection/assessment obtains and examines the configuration management plan to ensure it defines and documents the configuration items for the information system. |
The organization being inspected/assessed will develop and document a configuration management plan for the information system that defines the configuration items. |
Configuration Management Plan |
CM-9 |
CM-9.7 |
Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10. |
The organization develops, documents, and implements a configuration management plan for the information system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
c. Defines the configuration items for the information system and places the configuration items under configuration management; and
d. Protects the configuration management plan from unauthorized disclosure and modification. |
| CCI-000425 |
The organization documents a configuration management plan for the information system that defines the configuration items for the information system. |
|
|
|
|
|
|
|
| CCI-000426 |
The organization implements a configuration management plan for the information system that defines the configuration items for the information system. |
The organization conducting the inspection/assessment obtains and examines the configuration management plan to ensure the organization being inspected/assessed implements a configuration management plan for the information system that defines the configuration items. |
The organization being inspected/assessed will implement a configuration management plan for the information system that defines the configuration items. |
Configuration Management Plan |
CM-9 |
CM-9.8 |
Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10. |
The organization develops, documents, and implements a configuration management plan for the information system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
c. Defines the configuration items for the information system and places the configuration items under configuration management; and
d. Protects the configuration management plan from unauthorized disclosure and modification. |
| CCI-000427 |
The organization develops a configuration management plan for the information system when in the system development life cycle the configuration items are placed under configuration management. |
|
|
|
|
|
|
|
| CCI-000428 |
The organization documents a configuration management plan for the information system when in the system development life cycle the configuration items are placed under configuration management. |
|
|
|
|
|
|
|
| CCI-000429 |
The organization implements a configuration management plan for the information system when in the system development life cycle the configuration items are placed under configuration management. |
|
|
|
|
|
|
|
| CCI-000430 |
The organization develops a configuration management plan for the information system that establishes the means for identifying configuration items throughout the system development life cycle. |
|
|
|
|
|
|
|
| CCI-000431 |
The organization documents a configuration management plan for the information system that establishes the means for identifying configuration items throughout the system development life cycle. |
|
|
|
|
|
|
|
| CCI-000432 |
The organization implements a configuration management plan for the information system that establishes the means for identifying configuration items throughout the system development life cycle. |
|
|
|
|
|
|
|
| CCI-000433 |
The organization develops a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items. |
|
|
|
|
|
|
|
| CCI-000434 |
The organization documents a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items. |
|
|
|
|
|
|
|
| CCI-000435 |
The organization implements a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items. |
|
|
|
|
|
|
|
| CCI-000436 |
The organization assigns responsibility for developing the configuration management process to organizational personnel that are not directly involved in information system development. |
The organization conducting the inspection/assessment obtains and examines documentation of stakeholder role assignments to verify that the personnel assigned CM roles are not assigned roles for information system development. |
The organization being inspected/assessed will assign responsibility for developing the configuration management process to organizational personnel that are not directly involved in information system development. |
Configuration Management Plan | Assignment Of Responsibility |
CM-9 (1) |
CM-9(1).1 |
In the absence of dedicated configuration management teams assigned within organizations, system developers may be tasked to develop configuration management processes using personnel who are not directly involved in system development or integration. This separation of duties ensures that organizations establish and maintain a sufficient degree of independence between the information system development and integration processes and configuration management processes to facilitate quality control and more effective oversight. |
The organization assigns responsibility for developing the configuration management process to organizational personnel that are not directly involved in information system development. |
| CCI-000485 |
The organization defines the frequency of refresher contingency training to information system users. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as at least annually |
DoD has defined the frequency as at least annually. |
Contingency Training |
CP-3 |
CP-3.4 |
Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles/responsibilities reflects the specific continuity requirements in the contingency plan. Related controls: AT-2, AT-3, CP-2, IR-2. |
The organization provides contingency training to information system users consistent with assigned roles and responsibilities:
a. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter. |
| CCI-000486 |
The organization provides contingency training to information system users consistent with assigned roles and responsibilities within an organization-defined time period of assuming a contingency role or responsibility. |
The organization conducting the inspection/assessment obtains and examines the list of contingency personnel and documentation of initial contingency training for the purpose of ensuring that all personnel with contingency roles and responsibilities have received initial contingency training at a maximum, 10 working days of assuming a contingency role or responsibility.
DoD has defined the time period as at a maximum, 10 working days. |
The organization being inspected/assessed provides initial contingency training to personnel with contingency roles and responsibilities IAW CP-2, CCI 449 at a maximum, 10 working days of assuming a contingency role or responsibility.
The organization will maintain documentation of the training activity dates, location, and personnel for audit trail purposes and future reference (e.g., scheduling refresher training, etc.).
DoD has defined the time period as at a maximum, 10 working days. |
Contingency Training |
CP-3 |
CP-3.1 |
Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles/responsibilities reflects the specific continuity requirements in the contingency plan. Related controls: AT-2, AT-3, CP-2, IR-2. |
The organization provides contingency training to information system users consistent with assigned roles and responsibilities:
a. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter. |
| CCI-000487 |
The organization provides refresher contingency training to information system users consistent with assigned roles and responsibilities in accordance with organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the list of contingency personnel and documentation of refresher contingency training for the purpose of ensuring that all personnel with contingency roles and responsibilities have received refresher contingency training at least annually.
DoD has defined the frequency as at least annually. |
The organization being inspected/assessed provides refresher contingency training to personnel with contingency roles and responsibilities IAW CP-2, CCI 449 at least annually.
The organization will maintain documentation of the training activity dates, location, and personnel for audit trail purposes and future reference (e.g., scheduling refresher training, etc.).
DoD has defined the frequency as at least annually. |
Contingency Training |
CP-3 |
CP-3.5 |
Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles/responsibilities reflects the specific continuity requirements in the contingency plan. Related controls: AT-2, AT-3, CP-2, IR-2. |
The organization provides contingency training to information system users consistent with assigned roles and responsibilities:
a. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter. |
| CCI-000488 |
The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations. |
The organization conducting the inspection/assessment obtains and examines contingency training materials to ensure that simulated events have been included. |
The organization being inspected/assessed will include simulated events into contingency training to facilitate effective response by personnel in crisis situations. |
Contingency Training | Simulated Events |
CP-3 (1) |
CP-3(1).1 |
|
The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations. |
| CCI-000489 |
The organization employs automated mechanisms to provide a more thorough and realistic contingency training environment. |
The organization conducting the inspection/assessment obtains and examines the automated mechanism such as scenario-based interactive online training/CBT to verify that it provides a realistic contingency training environment. |
The organization being inspected/assessed employs an automated mechanism such as scenario-based interactive online training/CBT providing a realistic contingency training environment. |
Contingency Training | Automated Training Environments |
CP-3 (2) |
CP-3(2).1 |
|
The organization employs automated mechanisms to provide a more thorough and realistic contingency training environment. |
| CCI-000490 |
The organization defines the frequency with which to test the contingency plan for the information system. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as at least annually. |
DoD has defined the frequency as at least annually. |
Contingency Plan Testing |
CP-4 |
CP-4.1 |
Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions. Related controls: CP-2, CP-3, IR-3. |
The organization:
a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;
b. Reviews the contingency plan test results; and
c. Initiates corrective actions, if needed. |
| CCI-000491 |
The organization defines the frequency to exercise the contingency plan for the information system. |
|
|
|
|
|
|
|
| CCI-000492 |
The organization defines contingency plan tests to be conducted for the information system. |
The organization conducting the inspection/assessment obtains and examines the documented contingency plan tests to ensure the organization being inspected/assessed defines contingency plan tests to be conducted for the information system.
DoD has determined the contingency plan tests are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents contingency plan tests to be conducted for the information system.
DoD has determined the contingency plan tests are not appropriate to define at the Enterprise level. |
Contingency Plan Testing |
CP-4 |
CP-4.2 |
Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions. Related controls: CP-2, CP-3, IR-3. |
The organization:
a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;
b. Reviews the contingency plan test results; and
c. Initiates corrective actions, if needed. |
| CCI-000493 |
The organization defines contingency plan exercises to be conducted for the information system. |
|
|
|
|
|
|
|
| CCI-000494 |
The organization tests the contingency plan for the information system in accordance with organization-defined frequency using organization-defined tests to determine the effectiveness of the plan and the organizational readiness to execute the plan. |
The organization conducting the inspection/assessment obtains and examines the record of test results to ensure the organization being inspected/assessed conduct tests defined in CP-4, 492 at least annually to determine the effectiveness of the plan and the organizational readiness to execute the plan.
DoD has defined the frequency as at least annually. |
The organization being inspected/assessed conduct tests defined in CP-4, 492 at least annually to determine the effectiveness of the plan and the organizational readiness to execute the plan.
The organization must maintain a record of test results.
DoD has defined the frequency as at least annually. |
Contingency Plan Testing |
CP-4 |
CP-4.3 |
Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions. Related controls: CP-2, CP-3, IR-3. |
The organization:
a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;
b. Reviews the contingency plan test results; and
c. Initiates corrective actions, if needed. |
| CCI-000495 |
The organization exercises the contingency plan using organization-defined exercises in accordance with organization-defined frequency. |
|
|
|
|
|
|
|
| CCI-000496 |
The organization reviews the contingency plan test results. |
The organization conducting the inspection/assessment obtains and examines the audit trail of issues identified during the reviews of the contingency plan test results to ensure the organization being inspected/assessed reviews the contingency plan test results. |
The organization being inspected/assessed will review the contingency plan test results.
The organization must maintain an audit trail of issues identified during the reviews of the contingency plan test results. |
Contingency Plan Testing |
CP-4 |
CP-4.4 |
Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions. Related controls: CP-2, CP-3, IR-3. |
The organization:
a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;
b. Reviews the contingency plan test results; and
c. Initiates corrective actions, if needed. |
| CCI-000497 |
The organization initiates corrective actions, if needed, after reviewing the contingency plan test results. |
The organization conducting the inspection/assessment obtains and examines the contingency plan test results as well as any documented corrective actions required and ensures the corrective actions are being implemented and tracked within the POA&M. |
The organization being inspected/assessed identifies and documents any corrective actions required after reviewing the contingency plan test results. The organization initiates corrective actions and tracks those actions within the POA&M. |
Contingency Plan Testing |
CP-4 |
CP-4.5 |
Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions. Related controls: CP-2, CP-3, IR-3. |
The organization:
a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;
b. Reviews the contingency plan test results; and
c. Initiates corrective actions, if needed. |
| CCI-000498 |
The organization coordinates contingency plan testing with organizational elements responsible for related plans. |
The organization conducting the inspection/assessment obtains and examines documentation of agreements with entities responsible for the contingency or related plans to ensure there is evidence of coordination of those tests. |
The organization being inspected/assessed coordinates the testing of its contingency plan with other organizational elements responsible for related plans.
The organization documents any applicable agreements with responsible internal or external entities. For external entities the agreements could entail MOUs, MOAs, SLAs or contracts. |
Contingency Plan Testing | Coordinate With Related Plans |
CP-4 (1) |
CP-4(1).1 |
Plans related to contingency plans for organizational information systems include, for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. This control enhancement does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. It does require, however, that if such organizational elements are responsible for related plans, organizations should coordinate with those elements. Related controls: IR-8, PM-8. |
The organization coordinates contingency plan testing with organizational elements responsible for related plans. |
| CCI-000499 |
The organization coordinates contingency plan exercises with organizational elements responsible for related plans. |
|
|
|
|
|
|
|
| CCI-000500 |
The organization tests the contingency plan at the alternate processing site to familiarize contingency personnel with the facility and available resources. |
The organization conducting the inspection/assessment obtains and examines the record of personnel who participated in the contingency plan testing at the alternate site to ensure the organization being inspected/assessed tests the contingency plan at the alternate processing site to familiarize personnel expected to implement the contingency plan at the alternate site with the facility and available resources. |
The organization being inspected/assessed will include personnel expected to implement the contingency plan at the alternate site in the testing at the alternate site to familiarize
contingency personnel with the facility and available resources.
The organization must maintain a record of personnel who participated in the contingency plan testing at the alternate site. |
Contingency Plan Testing | Alternate Processing Site |
CP-4 (2) |
CP-4(2).1 |
Related control: CP-7. |
The organization tests the contingency plan at the alternate processing site:
(a) To familiarize contingency personnel with the facility and available resources; and
(b) To evaluate the capabilities of the alternate processing site to support contingency operations. |
| CCI-000501 |
The organization exercises the contingency plan at the alternate processing site to familiarize contingency personnel with the facility and available resources and to evaluate the site^s capabilities to support contingency operations. |
|
|
|
|
|
|
|
| CCI-000502 |
The organization employs automated mechanisms to more thoroughly and effectively test the contingency plan. |
The organization conducting the inspection/assessment obtains and examines the identified automated mechanisms in use to thoroughly test the contingency plan. |
The organization being inspected/assessed will identify and employ automated mechanisms to thoroughly test the contingency plan, for example by providing more complete coverage of contingency issues, selecting more realistic test scenarios and environments, and more effectively stressing the information system and supported missions. |
Contingency Plan Testing | Automated Testing |
CP-4 (3) |
CP-4(3).1 |
Automated mechanisms provide more thorough and effective testing of contingency plans, for example: (i) by providing more complete coverage of contingency issues; (ii) by selecting more realistic test scenarios and environments; and (iii) by effectively stressing the information system and supported missions. |
The organization employs automated mechanisms to more thoroughly and effectively test the contingency plan. |
| CCI-000503 |
The organization employs automated mechanisms to more thoroughly and effectively exercise the contingency plan by providing more complete coverage of contingency issues, selecting more realistic exercise scenarios and environments, and more effectively stressing the information and supported missions. |
|
|
|
|
|
|
|
| CCI-000504 |
The organization includes a full recovery and reconstitution of the information system to a known state as part of contingency plan testing. |
The organization conducting the inspection/assessment obtains and examines the full recovery and reconstitution procedures and contingency plan testing results to ensure all tests were performed IAW CP-2, CCIs 446 and 447. |
The organization being inspected/assessed demonstrates full recovery and reconstitution of its information system to a known state as part of its contingency plan testing.
The organization documents full recovery and reconstitution as part of its contingency plan testing results. |
Contingency Plan Testing | Full Recovery / Reconstitution |
CP-4 (4) |
CP-4(4).1 |
Related controls: CP-10, SC-24. |
The organization includes a full recovery and reconstitution of the information system to a known state as part of contingency plan testing. |
| CCI-000968 |
The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis. |
The organization conducting the inspection/assessment conducts visual inspections and interviews physical security/safety personnel to validate the organization has installed and implemented an automatic fire suppression capability which is operational during those times the facility is not staffed. |
The organization being inspected/assessed must implement and maintain an automatic fire suppression capability that is fully operational when the facility is not staffed on a continuous basis. |
Fire Protection | Automatic Fire Suppression |
PE-13 (3) |
PE-13(3).1 |
|
The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis. |
| CCI-000969 |
The organization ensures that the facility undergoes, on an organization-defined frequency, fire marshal inspections and promptly resolves identified deficiencies. |
|
|
|
|
|
|
|
| CCI-000970 |
The organization defines a frequency for fire marshal inspections. |
|
|
|
|
|
|
|
| CCI-000965 |
The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source. |
The organization conducting the inspection/assessment will conduct visual observation and interview organizational personnel with responsibilities for fire detection and suppression devices/systems. The purpose of the reviews and interviews is to validate the fire suppression and detection devices/systems for the information system are supported by an independent energy source. |
The organization being inspected/assessed must implement and maintain fire suppression and detection devices/systems for the information system that are supported by an independent energy source.
An independent energy source is some source other than the primary energy source for that facility.
Examples include sprinkler systems, hand held fire extinguishers, fixed fire hoses, and smoke detectors. |
Fire Protection |
PE-13 |
PE-13.1 |
This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Fire suppression and detection devices/systems include, for example, sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors. |
The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source. |
| CCI-000966 |
The organization employs fire detection devices/systems for the information system that activate automatically and notify the organization and emergency responders in the event of a fire. |
|
|
|
|
|
|
|
| CCI-000967 |
The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to the organization and emergency responders. |
|
|
|
|
|
|
|
| CCI-000971 |
The organization maintains temperature and humidity levels within the facility where the information system resides at organization-defined acceptable levels. |
The organization conducting the inspection/assessment reviews temperature and humidity controls to validate that they are set within DoD specified guidelines.
DoD has defined the acceptable levels as for commercial grade information systems: 64.4 – 80.6 degrees F; 45% – 60% Relative Humidity; Dew Point 41.9 ° – 59°F; measured at the air intake inlet of the IT equipment casing; for other systems, levels within manufacturer specifications. |
Humidity controls are not required for general office areas where information system components may be in use and are only required where there are concentrations of information systems such as server farms, mainframes, etc.
The organization being inspected/assessed must maintain temperature and where applicable humidity levels of for commercial grade information systems: 64.4 – 80.6 degrees F; 45% – 60% Relative Humidity; Dew Point 41.9 ° – 59°F; measured at the air intake inlet of the IT equipment casing; for other systems, levels within manufacturer specifications.
DoD has defined the acceptable levels as for commercial grade information systems: 64.4 – 80.6 degrees F; 45% – 60% Relative Humidity; Dew Point 41.9 ° – 59°F; measured at the air intake inlet of the IT equipment casing; for other systems, levels within manufacturer specifications. |
Temperature And Humidity Controls |
PE-14 |
PE-14.1 |
This control applies primarily to facilities containing concentrations of information system resources, for example, data centers, server rooms, and mainframe computer rooms. Related control: AT-3. |
The organization:
a. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization - defined acceptable levels]; and
b. Monitors temperature and humidity levels [Assignment: organization-defined frequency]. |
| CCI-000972 |
The organization defines acceptable temperature and humidity levels to be maintained within the facility where the information system resides. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the acceptable levels as for commercial grade information systems: 64.4 – 80.6 degrees F; 45% – 60% Relative Humidity; Dew Point 41.9 ° – 59°F; measured at the air intake inlet of the IT equipment casing; for other systems, levels within manufacturer specifications. |
DoD has defined the acceptable levels as for commercial grade information systems: 64.4 – 80.6 degrees F; 45% – 60% Relative Humidity; Dew Point 41.9 ° – 59°F; measured at the air intake inlet of the IT equipment casing; for other systems, levels within manufacturer specifications. |
Temperature And Humidity Controls |
PE-14 |
PE-14.2 |
This control applies primarily to facilities containing concentrations of information system resources, for example, data centers, server rooms, and mainframe computer rooms. Related control: AT-3. |
The organization:
a. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization - defined acceptable levels]; and
b. Monitors temperature and humidity levels [Assignment: organization-defined frequency]. |
| CCI-000973 |
The organization monitors temperature and humidity levels in accordance with organization-defined frequency. |
The organization conducting the inspection/assessment will visually observe the inspected organization's independent monitoring device, obtain and examine audit logs, and interview physical security/safety personnel to validate the inspected organization monitors temperature and humidity levels continuously unless manufacturer specifications allow for a wide enough tolerance that control is not required.
DoD has defined the frequency as continuously unless manufacturer specifications allow for a wide enough tolerance that control is not required. |
The organization being inspected/assessed will maintain an independent monitor device for temperature and humidity levels not located in the immediate vicinity of the controller continuously unless manufacturer specifications allow for a wide enough tolerance that control is not required.
Records of monitoring must be maintained as an audit trail within the authorization lifecycle.
DoD has defined the frequency as continuously unless manufacturer specifications allow for a wide enough tolerance that control is not required. |
Temperature And Humidity Controls |
PE-14 |
PE-14.3 |
This control applies primarily to facilities containing concentrations of information system resources, for example, data centers, server rooms, and mainframe computer rooms. Related control: AT-3. |
The organization:
a. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization - defined acceptable levels]; and
b. Monitors temperature and humidity levels [Assignment: organization-defined frequency]. |
| CCI-000974 |
The organization defines a frequency for monitoring temperature and humidity levels. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as continuously unless manufacturer specifications allow for a wide enough tolerance that control is not required. |
DoD has defined the frequency as continuously unless manufacturer specifications allow for a wide enough tolerance that control is not required. |
Temperature And Humidity Controls |
PE-14 |
PE-14.4 |
This control applies primarily to facilities containing concentrations of information system resources, for example, data centers, server rooms, and mainframe computer rooms. Related control: AT-3. |
The organization:
a. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization - defined acceptable levels]; and
b. Monitors temperature and humidity levels [Assignment: organization-defined frequency]. |
| CCI-000975 |
The organization employs automatic temperature and humidity controls in the facility to prevent fluctuations potentially harmful to the information system. |
The organization conducting the inspection/assessment conducts visual inspections and interviews personnel responsible for maintaining automatic temperature and humidity controls to validate the organization is employing automatic temperature and humidity controls for the information system to prevent fluctuations potentially harmful to the information system. |
Humidity controls are not required for general office areas where information system components may be in use and are only required where there are concentrations of information systems such as server farms, mainframes, etc.
The organization being inspected/assessed must implement and maintain automatic temperature and humidity controls in the facility designed to prevent temperature and humidity fluctuations that would be potentially harmful to the information system. |
Temperature And Humidity Controls | Automatic Controls |
PE-14 (1) |
PE-14(1).1 |
|
The organization employs automatic temperature and humidity controls in the facility to prevent fluctuations potentially harmful to the information system. |
| CCI-000976 |
The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment. |
The organization conducting the inspection/assessment conducts visual inspections and interviews personnel responsible for maintaining automatic temperature and humidity controls to validate the inspected organization is employing automatic temperature and humidity controls that provide an alarm or notification of changes potentially harmful to personnel or equipment. |
Humidity controls are not required for general office areas where information system components may be in use and are only required where there are concentrations of information systems such as server farms, mainframes, etc.
The organization being inspected/assessed must implement and maintain automatic temperature and humidity controls in the facility and provides an alarm or notification of changes to either of these environmental conditions that are potentially harmful to personnel or equipment. |
Temperature And Humidity Controls | Monitoring With Alarms / Notifications |
PE-14 (2) |
PE-14(2).1 |
|
The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment. |
| CCI-000977 |
The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible. |
The organization conducting the inspection/assessment will inspect the master shutoff valves to ensure they are installed and accessible. |
The organization being inspected/assessed must provide master shutoff valves that are accessible to protect the information system from damage resulting from water leakage. |
Water Damage Protection |
PE-15 |
PE-15.1 |
This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations. Related control: AT-3. |
The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and
known to key personnel. |
| CCI-000978 |
The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are working properly. |
The organization conducting the inspection/assessment will visually inspect master shutoff valve inspection documentation (e.g., inspection form, tag attached to valve). |
The organization being inspected/assessed will ensure that master shutoff valves are working properly and have been inspected by the appropriate organization (e.g., fire marshal, department of public works). |
Water Damage Protection |
PE-15 |
PE-15.2 |
This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations. Related control: AT-3. |
The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and
known to key personnel. |
| CCI-000979 |
Key personnel have knowledge of the master water shutoff or isolation valves. |
The organization conducting the inspection/assessment obtains and examines list of key personnel with knowledge of location and activation procedures for master shutoff valves and any other relevant documents or records. Interview key personnel from the list to determine if identified key personnel within the organization have knowledge of the master shutoff valves. |
The organization being inspected/assessed will identify and document key personnel and will provide training on the location and procedures for use of master shutoff valves. |
Water Damage Protection |
PE-15 |
PE-15.3 |
This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations. Related control: AT-3. |
The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and
known to key personnel. |
| CCI-000980 |
The organization employs mechanisms that, without the need for manual intervention, protect the information system from water damage in the event of a water leak. |
|
|
|
|
|
|
|
| CCI-001182 |
The information systems that collectively provide name/address resolution service for an organization are fault-tolerant. |
The organization conducting the inspection/assessment reviews the sites implementation documentation of the name resolution servers and verifies primary and alternate services are available.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1182. |
The organization being inspected/assessed implements a name service resolution architecture consisting of primary and secondary servers.
The organization must document the architecture in the site security plan.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1182. |
Architecture And Provisioning For Name / Address Resolution Service |
SC-22 |
SC-22.1 |
Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. To eliminate single points of failure and to enhance redundancy, organizations employ at least two authoritative domain name system servers, one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in particular roles (e.g., by address ranges, explicit lists). Related controls: SC-2, SC-20, SC-21, SC-24. |
The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation. |
| CCI-001183 |
The information systems that collectively provide name/address resolution service for an organization implement internal/external role separation. |
The organization conducting the inspection/assessment reviews the sites implementation documentation of the name resolution servers and verifies authoritative and recursive services are not hosted on the same information system.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1183. |
The organization being inspected/assessed implements a name service resolution architecture where recursive and authoritative server software is not installed on the same information system.
The organization must document the architecture in the site security plan.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1183. |
Architecture And Provisioning For Name / Address Resolution Service |
SC-22 |
SC-22.2 |
Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. To eliminate single points of failure and to enhance redundancy, organizations employ at least two authoritative domain name system servers, one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in particular roles (e.g., by address ranges, explicit lists). Related controls: SC-2, SC-20, SC-21, SC-24. |
The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation. |
| CCI-001173 |
The organization establishes usage restrictions for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously. |
The organization conducting the inspection/assessment obtains and examines the documented usage restrictions to ensure the organization being inspected/assessed establishes usage restrictions for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously. |
The organization being inspected/assessed establishes and documents usage restrictions for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously. |
Voice Over Internet Protocol |
SC-19 |
SC-19.1 |
Related controls: CM-6, SC-7, SC-15. |
The organization:
a. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and
b. Authorizes, monitors, and controls the use of VoIP within the information system. |
| CCI-001174 |
The organization establishes implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously. |
The V-VoIP STIG meets the DoD requirement for establishing implementation guidance for Voice over Internet Protocol (VoIP) technologies.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, V-VoIP STIG. |
The Voice and Video over Internet Protocol (V-VoIP) STIG meets the DoD requirement for establishing implementation guidance for Voice over Internet Protocol (VoIP) technologies.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, V-VoIP STIG. |
Voice Over Internet Protocol |
SC-19 |
SC-19.2 |
Related controls: CM-6, SC-7, SC-15. |
The organization:
a. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and
b. Authorizes, monitors, and controls the use of VoIP within the information system. |
| CCI-001175 |
The organization authorizes the use of VoIP within the information system. |
The organization conducting the inspection/assessment obtains and examines the documented authorizations and *insert language* to ensure the organization being inspected/assessed authorizes any appropriate usage of VoIP within the information system and documents those authorizations. |
The organization being inspected/assessed authorizes any appropriate usage of VoIP within the information system and documents those authorizations. |
Voice Over Internet Protocol |
SC-19 |
SC-19.3 |
Related controls: CM-6, SC-7, SC-15. |
The organization:
a. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and
b. Authorizes, monitors, and controls the use of VoIP within the information system. |
| CCI-001176 |
The organization monitors the use of VoIP within the information system. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trial of monitoring to ensure the organization being inspected/assessed monitors the use of VoIP within the information system. |
The organization being inspected/assessed documents and implements a process to monitor the use of VoIP within the information system.
The organization must maintain an audit trail of monitoring. |
Voice Over Internet Protocol |
SC-19 |
SC-19.4 |
Related controls: CM-6, SC-7, SC-15. |
The organization:
a. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and
b. Authorizes, monitors, and controls the use of VoIP within the information system. |
| CCI-001177 |
The organization controls the use of VoIP within the information system. |
The organization conducting the inspection/assessment obtains and examines network topology diagrams, architecture documentation, or any other documentation identifying the use of VoIP to ensure the organization being inspected/assessed controls the use of VoIP within the information system. |
The organization being inspected/assessed designs the information system to control the use of VoIP within the information system |
Voice Over Internet Protocol |
SC-19 |
SC-19.5 |
Related controls: CM-6, SC-7, SC-15. |
The organization:
a. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and
b. Authorizes, monitors, and controls the use of VoIP within the information system. |
| CCI-000550 |
The organization provides for the recovery and reconstitution of the information system to a known state after a disruption. |
The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it identifies the recovery and reconstitution method for its information system to a known state after a disruption. |
The organization being inspected/assessed provides automated mechanisms or manual procedures, or a combination of the two, for the recovery and reconstitution of its information system to a known state after a disruption.
The organization must identify the selected method in the contingency plan. |
Information System Recovery And Reconstitution |
CP-10 |
CP-10.1 |
Recovery is executing information system contingency plan activities to restore organizational missions/business functions. Reconstitution takes place following recovery and includes activities for returning organizational information systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point/time and reconstitution objectives, and established organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of any interim information system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored information system capabilities, reestablishment of continuous monitoring activities, potential information system reauthorizations, and activities to prepare the systems against future disruptions, compromises, or failures. Recovery/reconstitution capabilities employed by organizations can include both automated mechanisms and manual procedures. Related controls: CA-2, CA-6, CA-7, CP-2, CP-6, CP-7, CP-9, SC-24. |
The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure. |
| CCI-000551 |
The organization provides for the recovery and reconstitution of the information system to a known state after a compromise. |
The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it identifies the recovery and reconstitution method for its information system to a known state after a compromise. |
The organization being inspected/assessed provides automated mechanisms or manual procedures, or a combination of the two, for the recovery and reconstitution of its information system to a known state after a compromise.
The organization must identify the selected method in the contingency plan. |
Information System Recovery And Reconstitution |
CP-10 |
CP-10.2 |
Recovery is executing information system contingency plan activities to restore organizational missions/business functions. Reconstitution takes place following recovery and includes activities for returning organizational information systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point/time and reconstitution objectives, and established organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of any interim information system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored information system capabilities, reestablishment of continuous monitoring activities, potential information system reauthorizations, and activities to prepare the systems against future disruptions, compromises, or failures. Recovery/reconstitution capabilities employed by organizations can include both automated mechanisms and manual procedures. Related controls: CA-2, CA-6, CA-7, CP-2, CP-6, CP-7, CP-9, SC-24. |
The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure. |
| CCI-000552 |
The organization provides for the recovery and reconstitution of the information system to a known state after a failure. |
The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it identifies the recovery and reconstitution method for its information system to a known state after a failure. |
The organization being inspected/assessed provides automated mechanisms or manual procedures, or a combination of the two, for the recovery and reconstitution of its information system to a known state after a failure.
The organization must identify the selected method in the contingency plan. |
Information System Recovery And Reconstitution |
CP-10 |
CP-10.3 |
Recovery is executing information system contingency plan activities to restore organizational missions/business functions. Reconstitution takes place following recovery and includes activities for returning organizational information systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point/time and reconstitution objectives, and established organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of any interim information system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored information system capabilities, reestablishment of continuous monitoring activities, potential information system reauthorizations, and activities to prepare the systems against future disruptions, compromises, or failures. Recovery/reconstitution capabilities employed by organizations can include both automated mechanisms and manual procedures. Related controls: CA-2, CA-6, CA-7, CP-2, CP-6, CP-7, CP-9, SC-24. |
The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure. |
| CCI-000553 |
The information system implements transaction recovery for systems that are transaction-based. |
The organization conducting the inspection/assessment obtains and examines the contingency plan test results to verify transaction recovery. |
The organization being inspected/assessed identifies, documents, and implements transaction recovery capability for systems that are transaction-based.
The organization must document transaction recovery results as part of contingency plan testing. |
Information System Recovery And Reconstitution | Transaction Recovery |
CP-10 (2) |
CP-10(2).1 |
Transaction-based information systems include, for example, database management systems and transaction processing systems. Mechanisms supporting transaction recovery include, for example, transaction rollback and transaction journaling. |
The information system implements transaction recovery for systems that are transaction-based. |
| CCI-000554 |
The organization defines in the security plan, explicitly or by reference, the circumstances that can inhibit recovery and reconstitution of the information system to a known state. |
|
|
|
|
|
|
|
| CCI-000555 |
The organization provides compensating security controls for organization-defined circumstances that can inhibit recovery and reconstitution of the information system to a known state. |
|
|
|
|
|
|
|
| CCI-000556 |
The organization defines restoration time periods within which to restore information system components from configuration-controlled and integrity-protected information representing a known, operational state for the components. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as
1 hour (Availability High )
24 hours (Availability Moderate)
1 - 5 days (Availability Low)
as defined in the contingency plan. |
DoD has defined the time period as
1 hour (Availability High )
24 hours (Availability Moderate)
1 - 5 days (Availability Low)
as defined in the contingency plan. |
Information System Recovery And Reconstitution | Restore Within Time Period |
CP-10 (4) |
CP-10(4).1 |
Restoration of information system components includes, for example, reimaging which restores components to known, operational states. Related control: CM-2. |
The organization provides the capability to restore information system components within [Assignment: organization-defined restoration time-periods] from configuration-controlled and integrity-protected information representing a known, operational state for the components. |
| CCI-000557 |
The organization provides the capability to restore information system components within organization-defined restoration time periods from configuration-controlled and integrity-protected information representing a known, operational state for the components. |
The organization conducting the inspection/assessment obtains and examines contingency plan test results to verify the organization exercises the capability to restore information system components from configuration-controlled and integrity-protected information representing a secure, operational state for the components, and that restoration occurred within the defined time period:
1 hour (Availability High )
24 hours (Availability Moderate)
1 - 5 days (Availability Low)
as defined in the contingency plan. |
The organization being inspected/assessed exercises the capability to restore information system components from configuration-controlled and integrity-protected information representing a secure, operational state for the components within the defined time period during contingency plan testing:
1 hour (Availability High )
24 hours (Availability Moderate)
1 - 5 days (Availability Low)
as defined in the contingency plan. |
Information System Recovery And Reconstitution | Restore Within Time Period |
CP-10 (4) |
CP-10(4).2 |
Restoration of information system components includes, for example, reimaging which restores components to known, operational states. Related control: CM-2. |
The organization provides the capability to restore information system components within [Assignment: organization-defined restoration time-periods] from configuration-controlled and integrity-protected information representing a known, operational state for the components. |
| CCI-000558 |
The organization defines the real-time or near-real-time failover capability to be provided for the information system. |
The organization conducting the inspection/assessment obtains and examines the documented failover capability to ensure the organization being inspected/assessed defines the real-time or near-real-time failover capability to be provided for the information system.
DoD has determined the failover capability is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the real-time or near-real-time failover capability to be provided for the information system.
DoD has determined the failover capability is not appropriate to define at the Enterprise level. |
Predictable Failure Prevention | Failover Capability |
SI-13 (5) |
SI-13(5).1 |
Failover refers to the automatic switchover to an alternate information system upon the failure of the primary information system. Failover capability includes, for example, incorporating mirrored information system operations at alternate processing sites or periodic data mirroring at regular intervals defined by recovery time periods of organizations. |
The organization provides [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the information system. |
| CCI-000559 |
The organization provides real-time or near-real-time organization-defined failover capability for the information system. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed provides real-time or near-real-time failover capability defined in SI-13 (5), CCI 558 for the information system. |
The organization being inspected/assessed designs the information system to provide real-time or near-real-time failover capability defined in SI-13 (5), CCI 558 for the information system. |
Predictable Failure Prevention | Failover Capability |
SI-13 (5) |
SI-13(5).2 |
Failover refers to the automatic switchover to an alternate information system upon the failure of the primary information system. Failover capability includes, for example, incorporating mirrored information system operations at alternate processing sites or periodic data mirroring at regular intervals defined by recovery time periods of organizations. |
The organization provides [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the information system. |
| CCI-000560 |
The organization protects backup and restoration hardware. |
The organization conducting the inspection/assessment obtains and examines documentation of protection measures to ensure the organization is actively protecting backup and restoration hardware. |
The organization being inspected/assessed implements and documents policies and back up procedures designed to protect its backup and restoration hardware. |
Information System Recovery And Reconstitution | Component Protection |
CP-10 (6) |
CP-10(6).1 |
Protection of backup and restoration hardware, firmware, and software components includes both physical and technical safeguards. Backup and restoration software includes, for example, router tables, compilers, and other security-relevant system software. Related controls: AC-3, AC-6, PE-3. |
The organization protects backup and restoration hardware, firmware, and software. |
| CCI-000561 |
The organization protects backup and restoration firmware. |
The organization conducting the inspection/assessment obtains and examines documentation of protection measures to ensure the organization is actively protecting backup and restoration firmware. |
The organization being inspected/assessed implements and documents policies and back up procedures designed to protect its backup and restoration firmware. |
Information System Recovery And Reconstitution | Component Protection |
CP-10 (6) |
CP-10(6).2 |
Protection of backup and restoration hardware, firmware, and software components includes both physical and technical safeguards. Backup and restoration software includes, for example, router tables, compilers, and other security-relevant system software. Related controls: AC-3, AC-6, PE-3. |
The organization protects backup and restoration hardware, firmware, and software. |
| CCI-000562 |
The organization protects backup and restoration software. |
The organization conducting the inspection/assessment obtains and examines documentation of protection measures to ensure the organization is actively protecting backup and restoration software. |
The organization being inspected/assessed implements and documents policies and back up procedures designed to protect its backup and restoration software. |
Information System Recovery And Reconstitution | Component Protection |
CP-10 (6) |
CP-10(6).3 |
Protection of backup and restoration hardware, firmware, and software components includes both physical and technical safeguards. Backup and restoration software includes, for example, router tables, compilers, and other security-relevant system software. Related controls: AC-3, AC-6, PE-3. |
The organization protects backup and restoration hardware, firmware, and software. |
| CCI-000570 |
The organization develops a security plan for the information system that is consistent with the organization^s enterprise architecture; explicitly defines the authorization boundary for the system; describes the operational context of the information system in terms of mission and business processes; provides the security category and impact level of the information system, including supporting rationale; describes the operational environment for the information system; describes relationships with, or connections to, other information systems; provides an overview of the security requirements for the system; and describes the security controls in place or planned for meeting those requirements, including a rationale for the tailoring and supplemental decisions. |
|
|
|
|
|
|
|
| CCI-000571 |
The organization^s security plan for the information system is reviewed and approved by the authorizing official or designated representative prior to plan implementation. |
The organization conducting the inspection/assessment obtains and examines the security plan approval to ensure the organization being inspected/assessed obtains security plan approval by the authorizing official or designated representative prior to plan implementation. |
The organization being inspected/assessed obtains security plan approval by the authorizing official or designated representative prior to plan implementation. |
System Security Plan |
PL-2 |
PL-2.10 |
Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays.
Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. Related controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CP-2, IR-8, MA-4, MA-5, MP-2, MP-4, MP-5, PL-7, PM-1, PM-7, PM-8, PM-9, PM-11, SA-5, SA-17. |
The organization:
a. Develops a security plan for the information system that:
1. Is consistent with the organization's enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and business processes;
4. Provides the security categorization of the information system including supporting rationale;
5. Describes the operational environment for the information system and relationships with or connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable
8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
c. Reviews the security plan for the information system [Assignment: organization-defined frequency];
d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
e. Protects the security plan from unauthorized disclosure and modification. |
| CCI-000572 |
The organization defines the frequency for reviewing the security plan for the information system. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as annually. |
DoD has defined the frequency as annually. |
System Security Plan |
PL-2 |
PL-2.15 |
Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays.
Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. Related controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CP-2, IR-8, MA-4, MA-5, MP-2, MP-4, MP-5, PL-7, PM-1, PM-7, PM-8, PM-9, PM-11, SA-5, SA-17. |
The organization:
a. Develops a security plan for the information system that:
1. Is consistent with the organization's enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and business processes;
4. Provides the security categorization of the information system including supporting rationale;
5. Describes the operational environment for the information system and relationships with or connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable
8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
c. Reviews the security plan for the information system [Assignment: organization-defined frequency];
d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
e. Protects the security plan from unauthorized disclosure and modification. |
| CCI-000573 |
The organization reviews the security plan for the information system in accordance with organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the audit records of security plan reviews to verify the security plan has been reviewed annually.
DoD has defined the frequency as annually. |
The information system owner as part of the annual security control review will also review the security plan annually.
Documentation of security plan reviews is required as an audit trail.
DoD has defined the frequency as annually. |
System Security Plan |
PL-2 |
PL-2.16 |
Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays.
Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. Related controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CP-2, IR-8, MA-4, MA-5, MP-2, MP-4, MP-5, PL-7, PM-1, PM-7, PM-8, PM-9, PM-11, SA-5, SA-17. |
The organization:
a. Develops a security plan for the information system that:
1. Is consistent with the organization's enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and business processes;
4. Provides the security categorization of the information system including supporting rationale;
5. Describes the operational environment for the information system and relationships with or connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable
8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
c. Reviews the security plan for the information system [Assignment: organization-defined frequency];
d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
e. Protects the security plan from unauthorized disclosure and modification. |
| CCI-000574 |
The organization updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments. |
The organization conducting the inspection/assessment obtains and examines the audit records of security plan updates to verify the security plan is current.
The purpose of the reviews is to validate the organization is updating the Information System (IS) security plan to address changes to the IS, its environment of operation, or problems identified during plan implementation or security control assessments. |
The information system owner will update the security plan as necessary to address changes to information system/environment of operation or problems identified during plan implementation or security control assessments.
Documentation of security plan updates are required as an audit trail. |
System Security Plan |
PL-2 |
PL-2.17 |
Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays.
Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. Related controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CP-2, IR-8, MA-4, MA-5, MP-2, MP-4, MP-5, PL-7, PM-1, PM-7, PM-8, PM-9, PM-11, SA-5, SA-17. |
The organization:
a. Develops a security plan for the information system that:
1. Is consistent with the organization's enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and business processes;
4. Provides the security categorization of the information system including supporting rationale;
5. Describes the operational environment for the information system and relationships with or connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable
8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
c. Reviews the security plan for the information system [Assignment: organization-defined frequency];
d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
e. Protects the security plan from unauthorized disclosure and modification. |
| CCI-000576 |
The organization develops a security Concept of Operations (CONOPS) for the information system containing, at a minimum: the purpose of the system; a description of the system architecture; the security authorization schedule; and the security categorization and associated factors considered in determining the categorization. |
|
|
|
|
|
|
|
| CCI-000577 |
The organization defines the frequency with which to review and update the security CONOPS. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as annually. |
DoD has defined the frequency as annually. |
Security Concept Of Operations |
PL-7 |
PL-7.2 |
The security CONOPS may be included in the security plan for the information system or in other system development life cycle-related documents, as appropriate. Changes to the CONOPS are reflected in ongoing updates to the security plan, the information security architecture, and other appropriate organizational documents (e.g., security specifications for procurements/acquisitions, system development life cycle documents, and systems/security engineering documents). Related control: PL-2. |
The organization:
a. Develops a security Concept of Operations (CONOPS) for the information system containing at a minimum, how the organization intends to operate the system from the perspective of information security; and
b. Reviews and updates the CONOPS [Assignment: organization - defined frequency]. |
| CCI-000578 |
The organization reviews and updates the security CONOPS in accordance with organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the audit trail of reviews and updates to ensure the organization being inspected/assessed reviews and updates the security CONOPS annually.
DoD has defined the frequency as annually. |
The organization being inspected/assessed reviews and updates the security CONOPS annually.
The organization must maintain an audit trail of reviews and updates.
DoD has defined the frequency as annually. |
Security Concept Of Operations |
PL-7 |
PL-7.3 |
The security CONOPS may be included in the security plan for the information system or in other system development life cycle-related documents, as appropriate. Changes to the CONOPS are reflected in ongoing updates to the security plan, the information security architecture, and other appropriate organizational documents (e.g., security specifications for procurements/acquisitions, system development life cycle documents, and systems/security engineering documents). Related control: PL-2. |
The organization:
a. Develops a security Concept of Operations (CONOPS) for the information system containing at a minimum, how the organization intends to operate the system from the perspective of information security; and
b. Reviews and updates the CONOPS [Assignment: organization - defined frequency]. |
| CCI-000580 |
The organization develops a functional architecture for the information system that identifies and maintains external interfaces. |
|
|
|
|
|
|
|
| CCI-000581 |
The organization develops a functional architecture for the information system that identifies and maintains the information being exchanged across the interfaces. |
|
|
|
|
|
|
|
| CCI-000582 |
The organization develops a functional architecture for the information system that identifies and maintains the protection mechanisms associated with each interface. |
|
|
|
|
|
|
|
| CCI-000583 |
The organization develops a functional architecture for the information system that identifies and maintains user roles. |
|
|
|
|
|
|
|
| CCI-000584 |
The organization develops a functional architecture for the information system that identifies and maintains the access privileges assigned to each role. |
|
|
|
|
|
|
|
| CCI-000585 |
The organization develops a functional architecture for the information system that identifies and maintains unique security requirements. |
|
|
|
|
|
|
|
| CCI-000586 |
The organization develops a functional architecture for the information system that identifies and maintains types of information processed by the information system. |
|
|
|
|
|
|
|
| CCI-000587 |
The organization develops a functional architecture for the information system that identifies and maintains types of information stored by the information system. |
|
|
|
|
|
|
|
| CCI-000588 |
The organization develops a functional architecture for the information system that identifies and maintains types of information transmitted by the information system. |
|
|
|
|
|
|
|
| CCI-000589 |
The organization develops a functional architecture for the information system that identifies and maintains any specific protection needs in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. |
|
|
|
|
|
|
|
| CCI-000590 |
The organization develops a functional architecture for the information system that identifies and maintains restoration priority of information. |
|
|
|
|
|
|
|
| CCI-000591 |
The organization develops a functional architecture for the information system that identifies and maintains restoration priority of information system services. |
|
|
|
|
|
|
|
| CCI-000597 |
The organization conducts a privacy impact assessment on the information system in accordance with OMB policy. |
|
|
|
|
|
|
|
| CCI-000598 |
The organization plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on organizational operations (i.e., mission, functions, image, and reputation). |
|
|
|
|
|
|
|
| CCI-000599 |
The organization plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on organizational assets. |
|
|
|
|
|
|
|
| CCI-000600 |
The organization plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on organizational individuals. |
|
|
|
|
|
|
|
| CCI-001646 |
The organization defines the frequency with which to review and update the current system and services acquisition procedures. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as annually. |
DoD has defined the frequency as annually. |
System And Services Acquisition Policy And Procedures |
SA-1 |
SA-1.10 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and
b. Reviews and updates the current:
1. System and services acquisition policy [Assignment: organization-defined frequency]; and
2. System and services acquisition procedures [Assignment: organization-defined frequency]. |
| CCI-000601 |
The organization defines the frequency with which to review and update the current system and services acquisition policy. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as every 5 years. |
DoD has defined the frequency as every 5 years. |
System And Services Acquisition Policy And Procedures |
SA-1 |
SA-1.7 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and
b. Reviews and updates the current:
1. System and services acquisition policy [Assignment: organization-defined frequency]; and
2. System and services acquisition procedures [Assignment: organization-defined frequency]. |
| CCI-000602 |
The organization develops and documents a system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1 meet the DoD requirements for system and services acquisition policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1. |
DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1 meet the DoD requirements for system and services acquisition policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1. |
System And Services Acquisition Policy And Procedures |
SA-1 |
SA-1.4 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and
b. Reviews and updates the current:
1. System and services acquisition policy [Assignment: organization-defined frequency]; and
2. System and services acquisition procedures [Assignment: organization-defined frequency]. |
| CCI-000603 |
The organization disseminates to organization-defined personnel or roles a system and services acquisition policy. |
DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1 meet the DoD requirements for system and services acquisition policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1. |
DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1 meet the DoD requirements for system and services acquisition policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1. |
System And Services Acquisition Policy And Procedures |
SA-1 |
SA-1.3 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and
b. Reviews and updates the current:
1. System and services acquisition policy [Assignment: organization-defined frequency]; and
2. System and services acquisition procedures [Assignment: organization-defined frequency]. |
| CCI-000604 |
The organization reviews and updates the current system and services acquisition policy in accordance with organization-defined frequency. |
DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1 meet the DoD requirements for system and services acquisition policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1. |
DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1 meet the DoD requirements for system and services acquisition policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1. |
System And Services Acquisition Policy And Procedures |
SA-1 |
SA-1.8 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and
b. Reviews and updates the current:
1. System and services acquisition policy [Assignment: organization-defined frequency]; and
2. System and services acquisition procedures [Assignment: organization-defined frequency]. |
| CCI-000605 |
The organization develops and documents procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls. |
DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1 meet the DoD requirements for system and services acquisition policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1. |
DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1 meet the DoD requirements for system and services acquisition policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1. |
System And Services Acquisition Policy And Procedures |
SA-1 |
SA-1.5 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and
b. Reviews and updates the current:
1. System and services acquisition policy [Assignment: organization-defined frequency]; and
2. System and services acquisition procedures [Assignment: organization-defined frequency]. |
| CCI-000606 |
The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls. |
DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1 meet the DoD requirements for system and services acquisition policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1. |
DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1 meet the DoD requirements for system and services acquisition policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1. |
System And Services Acquisition Policy And Procedures |
SA-1 |
SA-1.6 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and
b. Reviews and updates the current:
1. System and services acquisition policy [Assignment: organization-defined frequency]; and
2. System and services acquisition procedures [Assignment: organization-defined frequency]. |
| CCI-000607 |
The organization reviews and updates the current system and services acquisition procedures in accordance with organization-defined frequency. |
DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1 meet the DoD requirements for system and services acquisition policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1. |
DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1 meet the DoD requirements for system and services acquisition policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1. |
System And Services Acquisition Policy And Procedures |
SA-1 |
SA-1.9 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and
b. Reviews and updates the current:
1. System and services acquisition policy [Assignment: organization-defined frequency]; and
2. System and services acquisition procedures [Assignment: organization-defined frequency]. |
| CCI-000615 |
The organization manages the information system using an organization-defined system development life cycle that incorporates information security considerations. |
The organization conducting the inspection/assessment obtains and examines the documented process and artifacts of the system development life cycle process to ensure the organization being inspected/assessed manages the information system using the system development life cycle defined in SA-3, CCI 3092 that incorporates information security considerations IAW DoDI 8580.1. |
The organization being inspected/assessed documents and implements a process to manage the information system using the system development life cycle defined in SA-3, CCI 3092 that incorporates information security considerations IAW DoDI 8580.1. |
System Development Life Cycle |
SA-3 |
SA-3.1 |
A well-defined system development life cycle provides the foundation for the successful development, implementation, and operation of organizational information systems. To apply the required security controls within the system development life cycle requires a basic understanding of information security, threats, vulnerabilities, adverse impacts, and risk to critical missions/business functions. The security engineering principles in SA-8 cannot be properly applied if individuals that design, code, and test information systems and system components (including information technology products) do not understand security. Therefore, organizations include qualified personnel, for example, chief information security officers, security architects, security engineers, and information system security officers in system development life cycle activities to ensure that security requirements are incorporated into organizational information systems. It is equally important that developers include individuals on the development team that possess the requisite security expertise and skills to ensure that needed security capabilities are effectively integrated into the information system. Security awareness and training programs can help ensure that individuals having key security roles and responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed early in the system development life cycle and that those considerations are directly related to the organizational mission/business processes. This process also facilitates the integration of the information security architecture into the enterprise architecture, consistent with organizational risk management and information security strategies. Related controls: AT-3, PM-7, SA-8. |
The organization:
a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations;
b. Defines and documents information security roles and responsibilities throughout the system development life cycle;
c. Identifies individuals having information security roles and responsibilities; and
d. Integrates the organizational information security risk management process into system development life cycle activities. |
| CCI-000616 |
The organization defines and documents information system security roles and responsibilities throughout the system development life cycle. |
The organization conducting the inspection/assessment obtains and examines the information system security roles and responsibilities to ensure the organization being inspected/assessed defines and documents information system security roles and responsibilities throughout the system development life cycle IAW DoDI 8580.1. |
The organization being inspected/assessed defines and documents information system security roles and responsibilities throughout the system development life cycle IAW DoDI 8580.1. |
System Development Life Cycle |
SA-3 |
SA-3.3 |
A well-defined system development life cycle provides the foundation for the successful development, implementation, and operation of organizational information systems. To apply the required security controls within the system development life cycle requires a basic understanding of information security, threats, vulnerabilities, adverse impacts, and risk to critical missions/business functions. The security engineering principles in SA-8 cannot be properly applied if individuals that design, code, and test information systems and system components (including information technology products) do not understand security. Therefore, organizations include qualified personnel, for example, chief information security officers, security architects, security engineers, and information system security officers in system development life cycle activities to ensure that security requirements are incorporated into organizational information systems. It is equally important that developers include individuals on the development team that possess the requisite security expertise and skills to ensure that needed security capabilities are effectively integrated into the information system. Security awareness and training programs can help ensure that individuals having key security roles and responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed early in the system development life cycle and that those considerations are directly related to the organizational mission/business processes. This process also facilitates the integration of the information security architecture into the enterprise architecture, consistent with organizational risk management and information security strategies. Related controls: AT-3, PM-7, SA-8. |
The organization:
a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations;
b. Defines and documents information security roles and responsibilities throughout the system development life cycle;
c. Identifies individuals having information security roles and responsibilities; and
d. Integrates the organizational information security risk management process into system development life cycle activities. |
| CCI-000617 |
The organization documents information system security roles and responsibilities throughout the system development life cycle. |
|
|
|
|
|
|
|
| CCI-000618 |
The organization identifies individuals having information system security roles and responsibilities. |
The organization conducting the inspection/assessment obtains and examines the documented individuals having information system security roles and responsibilities to ensure the organization being inspected/assessed identifies individuals having information system security roles and responsibilities. |
The organization being inspected/assessed identifies and documents individuals having information system security roles and responsibilities. |
System Development Life Cycle |
SA-3 |
SA-3.4 |
A well-defined system development life cycle provides the foundation for the successful development, implementation, and operation of organizational information systems. To apply the required security controls within the system development life cycle requires a basic understanding of information security, threats, vulnerabilities, adverse impacts, and risk to critical missions/business functions. The security engineering principles in SA-8 cannot be properly applied if individuals that design, code, and test information systems and system components (including information technology products) do not understand security. Therefore, organizations include qualified personnel, for example, chief information security officers, security architects, security engineers, and information system security officers in system development life cycle activities to ensure that security requirements are incorporated into organizational information systems. It is equally important that developers include individuals on the development team that possess the requisite security expertise and skills to ensure that needed security capabilities are effectively integrated into the information system. Security awareness and training programs can help ensure that individuals having key security roles and responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed early in the system development life cycle and that those considerations are directly related to the organizational mission/business processes. This process also facilitates the integration of the information security architecture into the enterprise architecture, consistent with organizational risk management and information security strategies. Related controls: AT-3, PM-7, SA-8. |
The organization:
a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations;
b. Defines and documents information security roles and responsibilities throughout the system development life cycle;
c. Identifies individuals having information security roles and responsibilities; and
d. Integrates the organizational information security risk management process into system development life cycle activities. |
| CCI-000655 |
The organization uses software and associated documentation in accordance with contract agreements and copyright laws. |
|
|
|
|
|
|
|
| CCI-000656 |
The organization employs tracking systems for software and associated documentation protected by quantity licenses to control copying and distribution. |
|
|
|
|
|
|
|
| CCI-000657 |
The organization controls the use of peer-to-peer file sharing technology to ensure this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. |
|
|
|
|
|
|
|
| CCI-000658 |
The organization documents the use of peer-to-peer file sharing technology to ensure this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. |
|
|
|
|
|
|
|
| CCI-000659 |
The organization prohibits the use of binary executable code from sources with limited or no warranty without accompanying source code. |
|
|
|
|
|
|
|
| CCI-000660 |
The organization prohibits the use of machine executable code from sources with limited or no warranty without accompanying source code. |
|
|
|
|
|
|
|
| CCI-000661 |
The organization provides exceptions to the source code requirement only when no alternative solutions are available to support compelling mission/operational requirements. |
|
|
|
|
|
|
|
| CCI-000662 |
The organization obtains express written consent of the authorizing official for exceptions to the source code requirement. |
|
|
|
|
|
|
|
| CCI-000664 |
The organization applies information system security engineering principles in the specification of the information system. |
The organization conducting the inspection/assessment obtains and examines the system requirements documents to ensure that the organization being inspected/assessed applies information system security engineering principles in the specification of the information system. |
The organization managing the acquisition/development of the information system (e.g. PM) applies and documents system security engineering (SSE) principles as part of the overall systems engineering process IAW DoDD 5000.01 and DoDI 5000.02. The primary source of general and DoD-specific guidance on SSE can be found in the NIST SP 800-160 - Systems Security Engineering, currently in draft form, and can be found here: http://csrc.nist.gov/publications/PubsSPs.html. Additional guidance can be found in the Defense Acquisition Guidebook (DAG) Chapters 4 and 13, found here: https://dag.dau.mil/.
This CCI does not apply to COTS products.
The organization managing the acquisition/development of the information system must ensure that the system requirements documents reflect the system security engineering principles that can be applied to information systems in development, systems undergoing major upgrades and to the extent feasible systems in sustainment. Security engineering principles include:
1. Developing layered protections;
2. Establishing sound security policy, architecture, and controls as the foundation for design;
3. Incorporating security requirements into all phases of the system development life cycle;
4. Delineating physical and logical security boundaries;
5. Ensuring that system developers are trained on how to design and build secure software;
6. Tailoring security controls and protections to meet system-specific requirements and operational needs;
7. Performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk. |
Security Engineering Principles |
SA-8 |
SA-8.1 |
Organizations apply security engineering principles primarily to new development information systems or systems undergoing major upgrades. For legacy systems, organizations apply security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware within those systems. Security engineering principles include, for example: (i) developing layered protections; (ii) establishing sound security policy, architecture, and controls as the foundation for design; (iii) incorporating security requirements into the system development life cycle; (iv) delineating physical and logical security boundaries; (v) ensuring that system developers are trained on how to build secure software; (vi) tailoring security controls to meet organizational and operational needs; (vii) performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk; and (viii) reducing risk to acceptable levels, thus enabling informed risk management decisions. Related controls: PM-7, SA-3, SA-4, SA-17, SC-2, SC-3. |
The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system. |
| CCI-000665 |
The organization applies information system security engineering principles in the design of the information system. |
The organization conducting the inspection/assessment obtains and examines the design documents to ensure that the organization being inspected/assessed applies information system security engineering principles in the design of the information system. |
The organization managing the acquisition/development of the information system (e.g. PM) applies and documents system security engineering (SSE) principles as part of the overall systems engineering process IAW DoDD 5000.01 and DoDI 5000.02. The primary source of general and DoD-specific guidance on SSE can be found in the NIST SP 800-160 - Systems Security Engineering, currently in draft form, and can be found here: http://csrc.nist.gov/publications/PubsSPs.html. Additional guidance can be found in the Defense Acquisition Guidebook (DAG) Chapters 4 and 13, found here: https://dag.dau.mil/.
This CCI does not apply to COTS products.
The organization managing the acquisition/development of the information system must ensure that the design documents reflect the system security engineering principles that can be applied to information systems in development, systems undergoing major upgrades and to the extent feasible systems in sustainment. Security engineering principles include:
1. Developing layered protections;
2. Establishing sound security policy, architecture, and controls as the foundation for design;
3. Incorporating security requirements into all phases of the system development life cycle;
4. Delineating physical and logical security boundaries;
5. Ensuring that system developers are trained on how to design and build secure software;
6. Tailoring security controls and protections to meet system-specific requirements and operational needs;
7. Performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk. |
Security Engineering Principles |
SA-8 |
SA-8.2 |
Organizations apply security engineering principles primarily to new development information systems or systems undergoing major upgrades. For legacy systems, organizations apply security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware within those systems. Security engineering principles include, for example: (i) developing layered protections; (ii) establishing sound security policy, architecture, and controls as the foundation for design; (iii) incorporating security requirements into the system development life cycle; (iv) delineating physical and logical security boundaries; (v) ensuring that system developers are trained on how to build secure software; (vi) tailoring security controls to meet organizational and operational needs; (vii) performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk; and (viii) reducing risk to acceptable levels, thus enabling informed risk management decisions. Related controls: PM-7, SA-3, SA-4, SA-17, SC-2, SC-3. |
The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system. |
| CCI-000666 |
The organization applies information system security engineering principles in the development of the information system. |
The organization conducting the inspection/assessment obtains and examines the system development procedures (e.g. configuration management plans, code review procedures, and coding style guides) to ensure that the organization being inspected/assessed applies information system security engineering principles in the development of the information system. |
The organization managing the acquisition/development of the information system (e.g. PM) applies and documents system security engineering (SSE) principles as part of the overall systems engineering process IAW DoDD 5000.01 and DoDI 5000.02. The primary source of general and DoD-specific guidance on SSE can be found in the NIST SP 800-160 - Systems Security Engineering, currently in draft form, and can be found here: http://csrc.nist.gov/publications/PubsSPs.html. Additional guidance can be found in the Defense Acquisition Guidebook (DAG) Chapters 4 and 13, found here: https://dag.dau.mil/.
This CCI does not apply to COTS products.
The organization managing the acquisition/development of the information system must ensure that the development procedures reflect the system security engineering principles that can be applied to information systems in development, systems undergoing major upgrades and to the extent feasible systems in sustainment. Security engineering principles include:
1. Developing layered protections;
2. Establishing sound security policy, architecture, and controls as the foundation for design;
3. Incorporating security requirements into all phases of the system development life cycle;
4. Delineating physical and logical security boundaries;
5. Ensuring that system developers are trained on how to design and build secure software;
6. Tailoring security controls and protections to meet system-specific requirements and operational needs;
7. Performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk.
Examples of development procedures that should reflect SSE principles are configuration management plans, code review procedures, and coding style guides. Configuration management plans should be IAW CM-9, CCI 001790. |
Security Engineering Principles |
SA-8 |
SA-8.3 |
Organizations apply security engineering principles primarily to new development information systems or systems undergoing major upgrades. For legacy systems, organizations apply security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware within those systems. Security engineering principles include, for example: (i) developing layered protections; (ii) establishing sound security policy, architecture, and controls as the foundation for design; (iii) incorporating security requirements into the system development life cycle; (iv) delineating physical and logical security boundaries; (v) ensuring that system developers are trained on how to build secure software; (vi) tailoring security controls to meet organizational and operational needs; (vii) performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk; and (viii) reducing risk to acceptable levels, thus enabling informed risk management decisions. Related controls: PM-7, SA-3, SA-4, SA-17, SC-2, SC-3. |
The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system. |
| CCI-000667 |
The organization applies information system security engineering principles in the implementation of the information system. |
The organization conducting the inspection/assessment obtains and examines the audit trail artifacts that were created during the implementation of SA-8, CCI 000666
to ensure that the organization being inspected/assessed applies information system security engineering principles in the implementation of the information system and that changes are made IAW the configuration management plan (CM-9, CCI 001790). |
The organization managing the acquisition/development of the information system (e.g. PM) applies and documents system security engineering (SSE) principles as part of the overall systems engineering process IAW DoDD 5000.01 and DoDI 5000.02. The primary source of general and DoD-specific guidance on SSE can be found in the NIST SP 800-160 - Systems Security Engineering, currently in draft form, and can be found here: http://csrc.nist.gov/publications/PubsSPs.html. Additional guidance can be found in the Defense Acquisition Guidebook (DAG) Chapters 4 and 13, found here: https://dag.dau.mil/.
This CCI does not apply to COTS products.
The organization managing the acquisition/development of the information system must employ the procedures identified in SA-8, CCI, 000666 during the implementation of the information system. The system owner must maintain an audit trail of the activities conducted IAW SA-8, CCI 000666. An example of artifacts is CCB minutes, code review results, and source code analysis results. |
Security Engineering Principles |
SA-8 |
SA-8.4 |
Organizations apply security engineering principles primarily to new development information systems or systems undergoing major upgrades. For legacy systems, organizations apply security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware within those systems. Security engineering principles include, for example: (i) developing layered protections; (ii) establishing sound security policy, architecture, and controls as the foundation for design; (iii) incorporating security requirements into the system development life cycle; (iv) delineating physical and logical security boundaries; (v) ensuring that system developers are trained on how to build secure software; (vi) tailoring security controls to meet organizational and operational needs; (vii) performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk; and (viii) reducing risk to acceptable levels, thus enabling informed risk management decisions. Related controls: PM-7, SA-3, SA-4, SA-17, SC-2, SC-3. |
The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system. |
| CCI-000668 |
The organization applies information system security engineering principles in the modification of the information system. |
The organization conducting the inspection/assessment obtains and examines the audit trail artifacts that were created during the modification of SA-8, CCI 000666
to ensure that the organization being inspected/assessed applies information system security engineering principles in the modification of the information system and that changes are made IAW the configuration management plan (CM-9, CCI 001790). |
The organization managing the acquisition/development of the information system (e.g. PM) applies and documents system security engineering (SSE) principles as part of the overall systems engineering process IAW DoDD 5000.01 and DoDI 5000.02. The primary source of general and DoD-specific guidance on SSE can be found in the NIST SP 800-160 - Systems Security Engineering, currently in draft form, and can be found here: http://csrc.nist.gov/publications/PubsSPs.html. Additional guidance can be found in the Defense Acquisition Guidebook (DAG) Chapters 4 and 13, found here: https://dag.dau.mil/.
This CCI does not apply to COTS products.
The organization managing the acquisition/development of the information system must employ the procedures identified in SA-8, CCI, 000666 during the modification of the information system. The system owner must maintain an audit trail of the activities conducted IAW SA-8, CCI 000666. An example of artifacts is CCB minutes, code review results, and source code analysis results.
|
Security Engineering Principles |
SA-8 |
SA-8.5 |
Organizations apply security engineering principles primarily to new development information systems or systems undergoing major upgrades. For legacy systems, organizations apply security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware within those systems. Security engineering principles include, for example: (i) developing layered protections; (ii) establishing sound security policy, architecture, and controls as the foundation for design; (iii) incorporating security requirements into the system development life cycle; (iv) delineating physical and logical security boundaries; (v) ensuring that system developers are trained on how to build secure software; (vi) tailoring security controls to meet organizational and operational needs; (vii) performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk; and (viii) reducing risk to acceptable levels, thus enabling informed risk management decisions. Related controls: PM-7, SA-3, SA-4, SA-17, SC-2, SC-3. |
The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system. |
| CCI-000669 |
The organization requires that providers of external information system services comply with organizational information security requirements. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that providers of external information system services comply with any organization-specific information security requirements. |
The organization being inspected/assessed documents within contracts/agreements, requirements that providers of external information system services comply with any organization-specific information security requirements. |
External Information System Services |
SA-9 |
SA-9.1 |
External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance. Related controls: CA-3, IR-7, PS-7. |
The organization:
a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis. |
| CCI-000670 |
The organization requires that providers of external information system services employ organization-defined security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that providers of external information system services employ security controls defined in CNSSI 1253.
DoD has defined the security controls as security controls defined by CNSSI 1253. |
The organization being inspected/assessed documents within contracts/agreements, the
requirement that providers of external information system services employ security controls defined in CNSSI 1253.
DoD has defined the security controls as security controls defined by CNSSI 1253. |
External Information System Services |
SA-9 |
SA-9.2 |
External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance. Related controls: CA-3, IR-7, PS-7. |
The organization:
a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis. |
| CCI-000671 |
The organization defines government oversight with regard to external information system services. |
The organization conducting the inspection/assessment obtains and examines the official documentation governing the provision of the external IT services (e.g. contract, MOU, MOA, SLA, etc.) to confirm the organization has clearly defined the government oversight to be conducted on external information system services and service providers. |
The organization being inspected/assessed must define in the official documentation governing the provision of the external IT services (e.g. contract, MOU, MOA, SLA, etc.) the government oversight to be conducted on external information system services and service provider. |
External Information System Services |
SA-9 |
SA-9.4 |
External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance. Related controls: CA-3, IR-7, PS-7. |
The organization:
a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis. |
| CCI-000672 |
The organization documents government oversight with regard to external information system services. |
The organization conducting the inspection/assessment obtains and examines the official documentation governing the provision of the external IT services (e.g. contract, MOU, MOA, SLA, etc.) to confirm the organization has clearly established the government oversight to be conducted on external information system services and service providers. |
The organization being inspected/assessed must establish in the official documentation governing the provision of the external IT services (e.g. contract, MOU, MOA, SLA, etc.) the government oversight to be conducted on external information system services and service provider. |
External Information System Services |
SA-9 |
SA-9.5 |
External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance. Related controls: CA-3, IR-7, PS-7. |
The organization:
a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis. |
| CCI-000673 |
The organization defines user roles and responsibilities with regard to external information system services. |
The organization conducting the inspection/assessment obtains and examines the official documentation governing the provision of the external IT services (e.g. contract, MOU, MOA, SLA, etc.) to confirm the organization has clearly defined the roles and responsibilities of all types of users of the external information system services. |
The organization being inspected/assessed must define in the official documentation governing the provision of the external IT services (e.g. contract, MOU, MOA, SLA, etc.) the roles and responsibilities of all types of users of the external information system services. |
External Information System Services |
SA-9 |
SA-9.6 |
External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance. Related controls: CA-3, IR-7, PS-7. |
The organization:
a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis. |
| CCI-000674 |
The organization documents user roles and responsibilities with regard to external information system services. |
The organization conducting the inspection/assessment obtains and examines the official documentation governing the provision of the external IT services (e.g. contract, MOU, MOA, SLA, etc.) to confirm the organization has clearly established the roles and responsibilities of all types of users of the external information system services. |
The organization being inspected/assessed must establish in the official documentation governing the provision of the external IT services (e.g. contract, MOU, MOA, SLA, etc.) the roles and responsibilities of all types of users of the external information system services. |
External Information System Services |
SA-9 |
SA-9.7 |
External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance. Related controls: CA-3, IR-7, PS-7. |
The organization:
a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis. |
| CCI-000675 |
The organization monitors security control compliance by external service providers. |
|
|
|
|
|
|
|
| CCI-000676 |
The organization conducts an organizational assessment of risk prior to the acquisition of dedicated information security services. |
|
|
|
|
|
|
|
| CCI-000677 |
The organization conducts an organizational assessment of risk prior to the outsourcing of dedicated information security services. |
|
|
|
|
|
|
|
| CCI-000678 |
The organization defines the senior organizational official designated to approve acquisition of dedicated information security services. |
|
|
|
|
|
|
|
| CCI-000679 |
The organization defines the senior organizational official designated to approve outsourcing of dedicated information security services. |
|
|
|
|
|
|
|
| CCI-000680 |
The organization ensures the acquisition of dedicated information security services is approved by an organization-designated senior organizational official. |
|
|
|
|
|
|
|
| CCI-000681 |
The organization ensures the outsourcing of dedicated information security services is approved by an organization-designated senior organizational official. |
|
|
|
|
|
|
|
| CCI-000702 |
The organization requires information system developers, in consultation with associated security personnel (including security engineers), to create a security test and evaluation plan. |
|
|
|
|
|
|
|
| CCI-000703 |
The organization requires information system developers, in consultation with associated security personnel (including security engineers), to implement a security test and evaluation plan. |
|
|
|
|
|
|
|
| CCI-000704 |
The organization requires information system integrators, in consultation with associated security personnel (including security engineers), to create a security test and evaluation plan. |
|
|
|
|
|
|
|
| CCI-000705 |
The organization requires information system integrators, in consultation with associated security personnel (including security engineers), to implement a security test and evaluation plan. |
|
|
|
|
|
|
|
| CCI-000706 |
The organization requires information system developers, in consultation with associated security personnel (including security engineers), to implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process. |
|
|
|
|
|
|
|
| CCI-000707 |
The organization requires information system integrators, in consultation with associated security personnel (including security engineers), to implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process. |
|
|
|
|
|
|
|
| CCI-000708 |
The organization requires information system developers, in consultation with associated security personnel (including security engineers), to document the results of the security testing/evaluation processes. |
|
|
|
|
|
|
|
| CCI-000709 |
The organization requires information system developers, in consultation with associated security personnel (including security engineers), to document the results of the security flaw remediation processes. |
|
|
|
|
|
|
|
| CCI-000710 |
The organization requires information system integrators, in consultation with associated security personnel (including security engineers), to document the results of the security testing/evaluation processes. |
|
|
|
|
|
|
|
| CCI-000711 |
The organization requires information system integrators, in consultation with associated security personnel (including security engineers), to document the results of the security flaw remediation processes. |
|
|
|
|
|
|
|
| CCI-000712 |
The organization requires information system developers to employ code analysis tools to examine software for common flaws and document the results of the analysis. |
|
|
|
|
|
|
|
| CCI-000713 |
The organization requires information system integrators to employ code analysis tools to examine software for common flaws and document the results of the analysis. |
|
|
|
|
|
|
|
| CCI-000714 |
The organization requires information system developers to perform a vulnerability analysis to document vulnerabilities. |
|
|
|
|
|
|
|
| CCI-000715 |
The organization requires information system developers to perform a vulnerability analysis to document exploitation potential. |
|
|
|
|
|
|
|
| CCI-000716 |
The organization requires information system developers to perform a vulnerability analysis to document risk mitigations. |
|
|
|
|
|
|
|
| CCI-000717 |
The organization requires information system integrators to perform a vulnerability analysis to document vulnerabilities. |
|
|
|
|
|
|
|
| CCI-000718 |
The organization requires information system integrators to perform a vulnerability analysis to document exploitation potential. |
|
|
|
|
|
|
|
| CCI-000719 |
The organization requires information system integrators perform a vulnerability analysis to document risk mitigations. |
|
|
|
|
|
|
|
| CCI-000720 |
The organization requires information system developers implement the security test and evaluation plan under the witness of an independent verification and validation agent. |
|
|
|
|
|
|
|
| CCI-000721 |
The organization requires information system integrators to implement the security test and evaluation plan under the witness of an independent verification and validation agent. |
|
|
|
|
|
|
|
| CCI-000722 |
The organization defines the security safeguards to employ to protect against supply chain threats to the information system, system component, or information system service. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the requirements to protect against supply chain threats in DoDI 5200.44, "Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN)." |
DoD has defined the requirements to protect against supply chain threats in DoDI 5200.44, "Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN)." |
Supply Chain Protection |
SA-12 |
SA-12.1 |
Information systems (including system components that compose those systems) need to be protected throughout the system development life cycle (i.e., during design, development, manufacturing, packaging, assembly, distribution, system integration, operations, maintenance, and retirement). Protection of organizational information systems is accomplished through threat awareness, by the identification, management, and reduction of vulnerabilities at each phase of the life cycle and the use of complementary, mutually reinforcing strategies to respond to risk. Organizations consider implementing a standardized process to address supply chain risk with respect to information systems and system components, and to educate the acquisition workforce on threats, risk, and required security controls. Organizations use the acquisition/procurement processes to require supply chain entities to implement necessary security safeguards to: (i) reduce the likelihood of unauthorized modifications at each stage in the supply chain; and (ii) protect information systems and information system components, prior to taking delivery of such systems/components. This control enhancement also applies to information system services. Security safeguards include, for example: (i) security controls for development systems, development facilities, and external connections to development systems; (ii) vetting development personnel; and (iii) use of tamper-evident packaging during shipping/warehousing. Methods for reviewing and protecting development plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements. Related controls: AT-3, CM-8, IR-4, PE-16, PL-8, SA-3, SA-4, SA-8, SA-10, SA-14, SA-15, SA-18, SA-19, SC-29, SC-30, SC-38, SI-7. |
The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy. |
| CCI-000723 |
The organization protects against supply chain threats to the information system, system component, or information system service by employing organization-defined security safeguards as part of a comprehensive, defense-in-breadth information security strategy. |
The organization conducting the inspection/assessment obtains and examines the Security Plan for the system to determine whether the system is a “covered system” IAW DoDI 5200.44.
If it is a covered system, the organization conducting the inspection/assessment obtains and examines documentation of compliance with DoDI 5200.44, to ensure the organization being inspected/assessed has:
1. Conducted a criticality analysis to identify mission critical functions and critical components and reduced the vulnerability of such functions and components through secure system design;
2. Requested threat analysis of suppliers of critical components from the TSN focal point and managed access to and control of threat analysis products containing U.S. person information;
3. Engaged TSN focal points for guidance on managing identified risk using DoD Components and Enterprise risk management resources; and
4. Applied TSN best practices, processes, techniques, and procurement tools prior to the acquisition of critical components or their integration into applicable systems, at any point in the system lifecycle. Such tools and practices include contract requirements and the SCRM key practices Guide. |
The organization being inspected/assessed must identify and document in the Security Plan whether the system is a “covered system” IAW DoDI 5200.44. If it is a covered system, the organization must implement the requirements below:
1. Conduct a criticality analysis to identify mission critical functions and critical components and reduce the vulnerability of such functions and components through secure system design;
2. Request threat analysis of suppliers of critical components from the TSN focal point and manage access to and control of threat analysis products containing U.S. person information;
3. Engage TSN focal points for guidance on managing identified risk using DoD Components and Enterprise risk management resources; and
4. Apply TSN best practices, processes, techniques, and procurement tools prior to the acquisition of critical components or their integration into applicable systems, at any point in the system lifecycle. Such tools and practices include contract requirements and the SCRM key practices Guide.
|
Supply Chain Protection |
SA-12 |
SA-12.2 |
Information systems (including system components that compose those systems) need to be protected throughout the system development life cycle (i.e., during design, development, manufacturing, packaging, assembly, distribution, system integration, operations, maintenance, and retirement). Protection of organizational information systems is accomplished through threat awareness, by the identification, management, and reduction of vulnerabilities at each phase of the life cycle and the use of complementary, mutually reinforcing strategies to respond to risk. Organizations consider implementing a standardized process to address supply chain risk with respect to information systems and system components, and to educate the acquisition workforce on threats, risk, and required security controls. Organizations use the acquisition/procurement processes to require supply chain entities to implement necessary security safeguards to: (i) reduce the likelihood of unauthorized modifications at each stage in the supply chain; and (ii) protect information systems and information system components, prior to taking delivery of such systems/components. This control enhancement also applies to information system services. Security safeguards include, for example: (i) security controls for development systems, development facilities, and external connections to development systems; (ii) vetting development personnel; and (iii) use of tamper-evident packaging during shipping/warehousing. Methods for reviewing and protecting development plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements. Related controls: AT-3, CM-8, IR-4, PE-16, PL-8, SA-3, SA-4, SA-8, SA-10, SA-14, SA-15, SA-18, SA-19, SC-29, SC-30, SC-38, SI-7. |
The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy. |
| CCI-000724 |
The organization purchases all anticipated information system components and spares in the initial acquisition. |
|
|
|
|
|
|
|
| CCI-000725 |
The organization conducts a due diligence review of suppliers prior to entering into contractual agreements to acquire information system hardware. |
|
|
|
|
|
|
|
| CCI-000726 |
The organization conducts a due diligence review of suppliers prior to entering into contractual agreements to acquire information system software. |
|
|
|
|
|
|
|
| CCI-000727 |
The organization conducts a due diligence review of suppliers prior to entering into contractual agreements to acquire information system firmware. |
|
|
|
|
|
|
|
| CCI-000728 |
The organization conducts a due diligence review of suppliers prior to entering into contractual agreements to acquire information system services. |
|
|
|
|
|
|
|
| CCI-000729 |
The organization uses trusted shipping for information systems. |
|
|
|
|
|
|
|
| CCI-000730 |
The organization uses trusted shipping for information system components. |
|
|
|
|
|
|
|
| CCI-000731 |
The organization uses trusted shipping for information technology products. |
|
|
|
|
|
|
|
| CCI-000732 |
The organization uses trusted warehousing for information systems. |
|
|
|
|
|
|
|
| CCI-000733 |
The organization uses trusted warehousing for information system components. |
|
|
|
|
|
|
|
| CCI-000734 |
The organization uses trusted warehousing for information technology products. |
|
|
|
|
|
|
|
| CCI-000735 |
The organization employs a diverse set of suppliers for information systems. |
|
|
|
|
|
|
|
| CCI-000736 |
The organization employs a diverse set of suppliers for information system components. |
|
|
|
|
|
|
|
| CCI-000737 |
The organization employs a diverse set of suppliers for information technology products. |
|
|
|
|
|
|
|
| CCI-000738 |
The organization employs a diverse set of suppliers for information system services. |
|
|
|
|
|
|
|
| CCI-000739 |
The organization employs standard configurations for information systems. |
|
|
|
|
|
|
|
| CCI-000740 |
The organization employs standard configurations for information system components. |
|
|
|
|
|
|
|
| CCI-000741 |
The organization employs standard configurations for information technology products. |
|
|
|
|
|
|
|
| CCI-000742 |
The organization minimizes the time between purchase decisions and delivery of information systems. |
|
|
|
|
|
|
|
| CCI-000743 |
The organization minimizes the time between purchase decisions and delivery of information system components. |
|
|
|
|
|
|
|
| CCI-000744 |
The organization minimizes the time between purchase decisions and delivery of information technology products. |
|
|
|
|
|
|
|
| CCI-000745 |
The organization employs independent analysis and penetration testing against delivered information systems. |
|
|
|
|
|
|
|
| CCI-000746 |
The organization employs independent analysis and penetration testing against delivered information system components. |
|
|
|
|
|
|
|
| CCI-000747 |
The organization employs independent analysis and penetration testing against delivered information technology products. |
|
|
|
|
|
|
|
| CCI-000748 |
The organization defines level of trustworthiness for the information system. |
|
|
|
|
|
|
|
| CCI-000749 |
The organization requires that the information system meets the organization-defined level of trustworthiness. |
|
|
|
|
|
|
|
| CCI-000750 |
The organization defines the list of critical information system components that require re-implementation. |
|
|
|
|
|
|
|
| CCI-000751 |
The organization determines the organization-defined list of critical information system components that require re-implementation. |
|
|
|
|
|
|
|
| CCI-000752 |
The organization re-implements organization-defined critical information system components. |
|
|
|
|
|
|
|
| CCI-000753 |
The organization identifies information system components for which alternative sourcing is not viable. |
|
|
|
|
|
|
|
| CCI-000754 |
The organization defines measures to be employed to prevent critical security controls for information system components from being compromised. |
|
|
|
|
|
|
|
| CCI-000755 |
The organization employs organization-defined measures to ensure critical security controls for the information system components are not compromised. |
|
|
|
|
|
|
|
| CCI-000756 |
The organization develops an identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8520.02 and DoDI 8520.03. |
DoD developed DoDI 8520.02 and DoDI 8520.03 as the identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 8520.02 and DoDI 8520.03. |
Identification And Authentication Policy And Procedures |
IA-1 |
IA-1.2 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and
b. Reviews and updates the current:
1. Identification and authentication policy [Assignment: organization-defined frequency]; and
2. Identification and authentication procedures [Assignment: organization-defined frequency]. |
| CCI-000757 |
The organization disseminates to organization-defined personnel or roles an identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8520.02 and DoDI 8520.03.
DoD has defined the personnel or roles to be recipients of the identification and authentication policy and the procedures as the ISSO and ISSM and others as the local organization deems appropriate. |
DoD disseminates the DoDI 8520.02 and DoDI 8520.03 via the DoD Issuances website (http://www.dtic.mil/whs/directives/corres/dir.html) to the ISSO and ISSM and others as the local organization deems appropriate as an identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 8520.02 and DoDI 8520.03.
DoD has defined the personnel or roles to be recipients of the identification and authentication policy and the procedures as the ISSO and ISSM and others as the local organization deems appropriate. |
Identification And Authentication Policy And Procedures |
IA-1 |
IA-1.3 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and
b. Reviews and updates the current:
1. Identification and authentication policy [Assignment: organization-defined frequency]; and
2. Identification and authentication procedures [Assignment: organization-defined frequency]. |
| CCI-000758 |
The organization reviews and updates identification and authentication policy in accordance with the organization-defined frequency. |
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8520.02 and DoDI 8520.03.
DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. |
DoD reviews and updates identification and authentication policy (DoDI 8520.02 and DoDI 8520.03) annually.
DoD Components are automatically compliant with this CCI because they are covered at the DoD level policies, DoDI 8520.02 and DoDI 8520.03.
DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. |
Identification And Authentication Policy And Procedures |
IA-1 |
IA-1.6 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and
b. Reviews and updates the current:
1. Identification and authentication policy [Assignment: organization-defined frequency]; and
2. Identification and authentication procedures [Assignment: organization-defined frequency]. |
| CCI-000759 |
The organization defines a frequency for reviewing and updating the identification and authentication policy. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. |
DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. |
Identification And Authentication Policy And Procedures |
IA-1 |
IA-1.7 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and
b. Reviews and updates the current:
1. Identification and authentication policy [Assignment: organization-defined frequency]; and
2. Identification and authentication procedures [Assignment: organization-defined frequency]. |
| CCI-000760 |
The organization develops procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls. |
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8520.02 and DoDI 8520.03. |
DoD develops within DoDI 8520.02 and DoDI 8520.03, procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8520.02 and DoDI 8520.03. |
Identification And Authentication Policy And Procedures |
IA-1 |
IA-1.4 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and
b. Reviews and updates the current:
1. Identification and authentication policy [Assignment: organization-defined frequency]; and
2. Identification and authentication procedures [Assignment: organization-defined frequency]. |
| CCI-000761 |
The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls. |
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8520.02 and DoDI 8520.03.
DoD has defined the personnel or roles to be recipients of the identification and authentication policy and the procedures as the ISSO and ISSM and others as the local organization deems appropriate. |
DoD disseminates the DoDI 8520.02 and DoDI 8520.03 to the ISSO and ISSM and others as the local organization deems appropriate via the DoD Issuances website (http://www.dtic.mil/whs/directives/corres/dir.html). DoDI 8520.02 and DoDI 8520.03 are procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 8520.02 and DoDI 8520.03. |
Identification And Authentication Policy And Procedures |
IA-1 |
IA-1.5 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and
b. Reviews and updates the current:
1. Identification and authentication policy [Assignment: organization-defined frequency]; and
2. Identification and authentication procedures [Assignment: organization-defined frequency]. |
| CCI-000762 |
The organization reviews and updates identification and authentication procedures in accordance with the organization-defined frequency. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 8520.02 and DoDI 8520.03.
DoD has defined the frequency as reviewed annually - updated as appropriate. |
DoD reviews and updates identification and authentication procedures (DoDI 8520.02 and DoDI 8520.03) annually.
The organization being inspected/assessed is automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 8520.02 and DoDI 8520.03.
DoD has defined the frequency as reviewed annually - updated as appropriate. |
Identification And Authentication Policy And Procedures |
IA-1 |
IA-1.8 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and
b. Reviews and updates the current:
1. Identification and authentication policy [Assignment: organization-defined frequency]; and
2. Identification and authentication procedures [Assignment: organization-defined frequency]. |
| CCI-000763 |
The organization defines a frequency for reviewing and updating the identification and authentication procedures. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as review annually - update as appropriate. |
DoD has defined the frequency as review annually - update as appropriate. |
Identification And Authentication Policy And Procedures |
IA-1 |
IA-1.9 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and
b. Reviews and updates the current:
1. Identification and authentication policy [Assignment: organization-defined frequency]; and
2. Identification and authentication procedures [Assignment: organization-defined frequency]. |
| CCI-000764 |
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 764. |
The organization being inspected/assessed configures the information system to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 764. |
Identification And Authentication (Organizational Users) |
IA-2 |
IA-2.1 |
Organizational users include employees or individuals that organizations deem to have equivalent status of employees (e.g., contractors, guest researchers). This control applies to all accesses other than: (i) accesses that are explicitly identified and documented in AC-14; and (ii) accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Organizations employ passwords, tokens, or biometrics to authenticate user identities, or in the case multifactor authentication, or some combination thereof. Access to organizational information systems is defined as either local access or network access. Local access is any access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks (e.g., the Internet). Internal networks include local area networks and wide area networks. In addition, the use of encrypted virtual private networks (VPNs) for network connections between organization-controlled endpoints and non-organization controlled endpoints may be treated as internal networks from the perspective of protecting the confidentiality and integrity of information traversing the network.
Organizations can satisfy the identification and authentication requirements in this control by complying with the requirements in Homeland Security Presidential Directive 12 consistent with the specific organizational implementation plans. Multifactor authentication requires the use of two or more different factors to achieve authentication. The factors are defined as: (i) something you know (e.g., password, personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. In addition to identifying and authenticating users at the information system level (i.e., at logon), organizations also employ identification and authentication mechanisms at the application level, when necessary, to provide increased information security. Identification and authentication requirements for other than organizational users are described in IA-8. Related controls: AC-2, AC-3, AC-14, AC-17, AC-18, IA-4, IA-5, IA-8. |
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). |
| CCI-000765 |
The information system implements multifactor authentication for network access to privileged accounts. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement multifactor authentication for network access to privileged accounts.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 765. |
The organization being inspected/assessed configures the information system to implement multifactor authentication for network access to privileged accounts.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 765. |
Identification And Authentication | Network Access To Privileged Accounts |
IA-2 (1) |
IA-2(1).1 |
Related control: AC-6. |
The information system implements multifactor authentication for network access to privileged accounts. |
| CCI-000766 |
The information system implements multifactor authentication for network access to non-privileged accounts. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement multifactor authentication for network access to non-privileged accounts.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 766. |
The organization being inspected/assessed configures the information system to implement multifactor authentication for network access to non-privileged accounts.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 766. |
Identification And Authentication | Network Access To Non-Privileged Accounts |
IA-2 (2) |
IA-2(2).1 |
|
The information system implements multifactor authentication for network access to non-privileged accounts. |
| CCI-000767 |
The information system implements multifactor authentication for local access to privileged accounts. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement multifactor authentication for local access to privileged accounts.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 767. |
The organization being inspected/assessed configures the information system to implement multifactor authentication for local access to privileged accounts.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 767. |
Identification And Authentication | Local Access To Privileged Accounts |
IA-2 (3) |
IA-2(3).1 |
|
The information system implements multifactor authentication for local access to privileged accounts. |
| CCI-000768 |
The information system implements multifactor authentication for local access to non-privileged accounts. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement multifactor authentication for local access to non-privileged accounts.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 768. |
The organization being inspected/assessed configures the information system to implement multifactor authentication for local access to non-privileged accounts.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 768. |
Identification And Authentication | Local Access To Non-Privileged Accounts |
IA-2 (4) |
IA-2(4).1 |
|
The information system implements multifactor authentication for local access to non-privileged accounts. |
| CCI-000769 |
The organization allows the use of group authenticators only when used in conjunction with an individual/unique authenticator. |
|
|
|
|
|
|
|
| CCI-000770 |
The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed. |
The organization conducting the inspection/assessment obtains and examines standard operating procedures or system documentation to ensure the organization being inspected/assessed requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 770. |
The organization being inspected/assessed requires individuals or configures the information system to require individuals to be authenticated with an individual authenticator when a group authenticator is employed.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 770. |
Identification And Authentication | Group Authentication |
IA-2 (5) |
IA-2(5).1 |
Requiring individuals to use individual authenticators as a second level of authentication helps organizations to mitigate the risk of using group authenticators. |
The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed. |
| CCI-000771 |
The information system uses multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the information system being accessed. |
|
|
|
|
|
|
|
| CCI-000772 |
The information system uses multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the information system being accessed. |
|
|
|
|
|
|
|
| CCI-000773 |
The organization defines replay-resistant authentication mechanisms to be used for network access to privileged accounts. |
|
|
|
|
|
|
|
| CCI-000774 |
The information system uses organization-defined replay-resistant authentication mechanisms for network access to privileged accounts. |
|
|
|
|
|
|
|
| CCI-000775 |
The organization defines replay-resistant authentication mechanisms to be used for network access to non-privileged accounts. |
|
|
|
|
|
|
|
| CCI-000776 |
The information system uses organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts. |
|
|
|
|
|
|
|
| CCI-000777 |
The organization defines a list of specific and/or types of devices for which identification and authentication is required before establishing a connection to the information system. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the value as all mobile devices and network connected endpoint devices (including but not limited to: workstations, printers, servers (outside a datacenter), VoIP Phones, VTC CODECs). |
DoD has defined the value as all mobile devices and network connected endpoint devices (including but not limited to: workstations, printers, servers (outside a datacenter), VoIP Phones, VTC CODECs). |
Device Identification And Authentication |
IA-3 |
IA-3.1 |
Organizational devices requiring unique device-to-device identification and authentication may be defined by type, by device, or by a combination of type/device. Information systems typically use either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify/authenticate devices on local and/or wide area networks. Organizations determine the required strength of authentication mechanisms by the security categories of information systems. Because of the challenges of applying this control on large scale, organizations are encouraged to only apply the control to those limited number (and type) of devices that truly need to support this capability. Related controls: AC-17, AC-18, AC-19, CA-3, IA-4, IA-5. |
The information system uniquely identifies and authenticates [Assignment: organization defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection. |
| CCI-000778 |
The information system uniquely identifies an organization-defined list of specific and/or types of devices before establishing a local, remote, or network connection. |
The organization conducting the inspection/assessment examine a sampling of the network infrastructure device configurations to ensure devices connecting to the infrastructure are uniquely identified.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 778. |
The organization being inspected/assessed configures the network infrastructure to identify all mobile devices and network connected endpoint devices (including but not limited to: workstations, printers, servers (outside a datacenter), VoIP Phones, VTC CODECs) before establishing a local, remote, network connection.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 778.
DoD has defined the value as all mobile devices and network connected endpoint devices (including but not limited to: workstations, printers, servers (outside a datacenter), VoIP Phones, VTC CODECs). |
Device Identification And Authentication |
IA-3 |
IA-3.2 |
Organizational devices requiring unique device-to-device identification and authentication may be defined by type, by device, or by a combination of type/device. Information systems typically use either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify/authenticate devices on local and/or wide area networks. Organizations determine the required strength of authentication mechanisms by the security categories of information systems. Because of the challenges of applying this control on large scale, organizations are encouraged to only apply the control to those limited number (and type) of devices that truly need to support this capability. Related controls: AC-17, AC-18, AC-19, CA-3, IA-4, IA-5. |
The information system uniquely identifies and authenticates [Assignment: organization defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection. |
| CCI-000779 |
The information system authenticates devices before establishing remote network connections using bidirectional authentication between devices that is cryptographically based. |
|
|
|
|
|
|
|
| CCI-000780 |
The information system authenticates devices before establishing wireless network connections using bidirectional authentication between devices that is cryptographically based. |
|
|
|
|
|
|
|
| CCI-000781 |
The information system authenticates devices before establishing network connections using bidirectional authentication between devices that is cryptographically based. |
|
|
|
|
|
|
|
| CCI-000782 |
The organization standardizes, with regard to dynamic address allocation, Dynamic Host Control Protocol (DHCP) lease information and the time assigned to DHCP-enabled devices. |
|
|
|
|
|
|
|
| CCI-000783 |
The organization audits lease information when assigned to a device. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to record lease information in the audit log and examine the audit records to ensure the records have captured the appropriate information.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 783. |
The organization being inspected/assessed configures the information system to record lease information in the audit log.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 783. |
Device Identification And Authentication | Dynamic Address Allocation |
IA-3 (3) |
IA-3(3).5 |
DHCP-enabled clients obtaining leases for IP addresses from DHCP servers, is a typical example of dynamic address allocation for devices. Related controls: AU-2, AU-3, AU-6, AU-12. |
The organization:
(a) Standardizes dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and
(b) Audits lease information when assigned to a device. |
| CCI-000784 |
The organization manages information system identifiers for users and devices by receiving authorization from a designated organizational official to assign a user identifier. |
|
|
|
|
|
|
|
| CCI-000785 |
The organization manages information system identifiers for users and devices by receiving authorization from a designated organizational official to assign a device identifier. |
|
|
|
|
|
|
|
| CCI-000786 |
The organization manages information system identifiers for users and devices by selecting an identifier that uniquely identifies an individual. |
|
|
|
|
|
|
|
| CCI-000787 |
The organization manages information system identifiers for users and devices by selecting an identifier that uniquely identifies a device. |
|
|
|
|
|
|
|
| CCI-000788 |
The organization manages information system identifiers for users and devices by assigning the user identifier to the intended party. |
|
|
|
|
|
|
|
| CCI-000789 |
The organization manages information system identifiers for users and devices by assigning the device identifier to the intended device. |
|
|
|
|
|
|
|
| CCI-000790 |
The organization defines a time period for which the reuse of user identifiers is prohibited. |
|
|
|
|
|
|
|
| CCI-000791 |
The organization defines a time period for which the reuse of device identifiers is prohibited. |
|
|
|
|
|
|
|
| CCI-000792 |
The organization manages information system identifiers for users and devices by preventing reuse of user identifiers for an organization-defined time period. |
|
|
|
|
|
|
|
| CCI-000793 |
The organization manages information system identifiers for users and devices by preventing reuse of device identifiers for an organization-defined time period. |
|
|
|
|
|
|
|
| CCI-000794 |
The organization defines a time period of inactivity after which the identifier is disabled. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as 35 days of inactivity. |
DoD has defined the time period as 35 days of inactivity. |
Identifier Management |
IA-4 |
IA-4.7 |
Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices. Related controls: AC-2, IA-2, IA-3, IA-5, IA-8, SC-37. |
The organization manages information system identifiers by:
a. Receiving authorization from [Assignment: organization-defined personnel] to assign an individual, group, role, or device identifier;
b. Selecting an identifier that identifies an individual, group, role, or device;
c. Assigning the identifier to the intended individual, group, role, or device;
d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and
e. Disabling the identifier after [Assignment: organization-defined time period of inactivity]. |
| CCI-000795 |
The organization manages information system identifiers by disabling the identifier after an organization-defined time period of inactivity. |
The organization conducting the inspection/assessment examines the information system configuration to ensure that identifiers are disabled after 35 days of inactivity.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 795.
DoD has defined the time period as 35 days of inactivity. |
The organization being inspected/assessed configures the information system to disable identifiers after 35 days of inactivity.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 795.
DoD has defined the time period as 35 days of inactivity. |
Identifier Management |
IA-4 |
IA-4.8 |
Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices. Related controls: AC-2, IA-2, IA-3, IA-5, IA-8, SC-37. |
The organization manages information system identifiers by:
a. Receiving authorization from [Assignment: organization-defined personnel] to assign an individual, group, role, or device identifier;
b. Selecting an identifier that identifies an individual, group, role, or device;
c. Assigning the identifier to the intended individual, group, role, or device;
d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and
e. Disabling the identifier after [Assignment: organization-defined time period of inactivity]. |
| CCI-000796 |
The organization prohibits the use of information system account identifiers that are the same as public identifiers for individual electronic mail accounts. |
The organization conducting the inspection/assessment obtains and examines documented process to ensure the organization being inspected/assessed prohibits the use of information system account identifiers that are the same as public identifiers for individual electronic mail accounts. |
The organization being inspected/assessed documents and implements a process to prohibit the use of information system account identifiers that are the same as public identifiers for individual electronic mail accounts. |
Identifier Management | Prohibit Account Identifiers As Public Identifiers |
IA-4 (1) |
IA-4(1).1 |
Prohibiting the use of information systems account identifiers that are the same as some public identifier such as the individual identifier section of an electronic mail address, makes it more difficult for adversaries to guess user identifiers on organizational information systems. Related control: AT-2. |
The organization prohibits the use of information system account identifiers that are the same as public identifiers for individual electronic mail accounts. |
| CCI-000797 |
The organization requires that registration to receive a user ID and password include authorization by a supervisor. |
|
|
|
|
|
|
|
| CCI-000798 |
The organization requires that registration to receive a user ID and password be done in person before a designated registration authority. |
|
|
|
|
|
|
|
| CCI-000799 |
The organization requires multiple forms of certification of individual identification, such as documentary evidence or a combination of documents and biometrics, be presented to the registration authority. |
The organization conducting the inspection/assessment obtains and examines the documented process and interviews personnel with identifier management responsibilities to ensure the organization being inspected/assessed requires multiple forms of certification of individual identification, such as documentary evidence or a combination of documents and biometrics be presented to the registration authority. |
The organization being inspected/assessed documents and implements a process to require multiple forms of certification of individual identification, such as documentary evidence or a combination of documents and biometrics be presented to the registration authority. |
Identifier Management | Multiple Forms Of Certification |
IA-4 (3) |
IA-4(3).1 |
Requiring multiple forms of identification reduces the likelihood of individuals using fraudulent identification to establish an identity, or at least increases the work factor of potential adversaries. |
The organization requires multiple forms of certification of individual identification such as documentary evidence or a combination of documents and biometrics be presented to the registration authority. |
| CCI-000800 |
The organization defines characteristics for identifying individual status. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the characteristics as contractor or government employee and by nationality. User identifiers will follow the same format as DoD user e-mail addresses (john.smith.ctr@army.mil or john.smith.uk@army.mil);
- DoD user e-mail display names (e.g., John Smith, Contractor <john.smith.ctr@army.mil> or John Smith, United Kingdom <john.smith.uk@army.mil>); and
- automated signature blocks (e.g., John Smith, Contractor, J-6K, Joint Staff or John Doe, Australia, LNO, Combatant Command).
Contractors who are also foreign nationals are identified as both, e.g., john.smith.ctr.uk@army.mil |
DoD has defined the characteristics as contractor or government employee and by nationality. User identifiers will follow the same format as DoD user e-mail addresses (john.smith.ctr@army.mil or john.smith.uk@army.mil);
- DoD user e-mail display names (e.g., John Smith, Contractor <john.smith.ctr@army.mil> or John Smith, United Kingdom <john.smith.uk@army.mil>); and
- automated signature blocks (e.g., John Smith, Contractor, J-6K, Joint Staff or John Doe, Australia, LNO, Combatant Command).
Contractors who are also foreign nationals are identified as both, e.g., john.smith.ctr.uk@army.mil |
Identifier Management | Identify User Status |
IA-4 (4) |
IA-4(4).1 |
Characteristics identifying the status of individuals include, for example, contractors and foreign nationals. Identifying the status of individuals by specific characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an email message is a contractor. Related control: AT-2. |
The organization manages individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status]. |
| CCI-000801 |
The organization manages individual identifiers by uniquely identifying each individual by organization-defined characteristics identifying individual status. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed manages individual identifiers by uniquely identifying each individual as contractor or government employee and by nationality. User identifiers will follow the same format as DoD user e-mail addresses (john.smith.ctr@army.mil or john.smith.uk@army.mil);
- DoD user e-mail display names (e.g., John Smith, Contractor <john.smith.ctr@army.mil> or John Smith, United Kingdom <john.smith.uk@army.mil>); and
- automated signature blocks (e.g., John Smith, Contractor, J-6K, Joint Staff or John Doe, Australia, LNO, Combatant Command).
Contractors who are also foreign nationals are identified as both, e.g., john.smith.ctr.uk@army.mil.
DoD has defined the characteristics as contractor or government employee and by nationality. User identifiers will follow the same format as DoD user e-mail addresses (john.smith.ctr@army.mil or john.smith.uk@army.mil);
- DoD user e-mail display names (e.g., John Smith, Contractor <john.smith.ctr@army.mil> or John Smith, United Kingdom <john.smith.uk@army.mil>); and
- automated signature blocks (e.g., John Smith, Contractor, J-6K, Joint Staff or John Doe, Australia, LNO, Combatant Command).
Contractors who are also foreign nationals are identified as both, e.g., john.smith.ctr.uk@army.mil. |
The organization being inspected/assessed documents and implements a process to manage individual identifiers by uniquely identifying each individual as contractor or government employee and by nationality. User identifiers will follow the same format as DoD user e-mail addresses (john.smith.ctr@army.mil or john.smith.uk@army.mil);
- DoD user e-mail display names (e.g., John Smith, Contractor <john.smith.ctr@army.mil> or John Smith, United Kingdom <john.smith.uk@army.mil>); and
- automated signature blocks (e.g., John Smith, Contractor, J-6K, Joint Staff or John Doe, Australia, LNO, Combatant Command).
Contractors who are also foreign nationals are identified as both, e.g., john.smith.ctr.uk@army.mil.
DoD has defined the characteristics as contractor or government employee and by nationality. User identifiers will follow the same format as DoD user e-mail addresses (john.smith.ctr@army.mil or john.smith.uk@army.mil);
- DoD user e-mail display names (e.g., John Smith, Contractor <john.smith.ctr@army.mil> or John Smith, United Kingdom <john.smith.uk@army.mil>); and
- automated signature blocks (e.g., John Smith, Contractor, J-6K, Joint Staff or John Doe, Australia, LNO, Combatant Command).
Contractors who are also foreign nationals are identified as both, e.g., john.smith.ctr.uk@army.mil. |
Identifier Management | Identify User Status |
IA-4 (4) |
IA-4(4).2 |
Characteristics identifying the status of individuals include, for example, contractors and foreign nationals. Identifying the status of individuals by specific characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an email message is a contractor. Related control: AT-2. |
The organization manages individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status]. |
| CCI-000802 |
The information system dynamically manages identifiers, attributes, and associated access authorizations. |
|
|
|
|
|
|
|
| CCI-000803 |
The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 803. |
The organization being inspected/assessed configures the information system to implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 803. |
Cryptographic Module Authentication |
IA-7 |
IA-7.1 |
Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role. Related controls: SC-12, SC-13. |
The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. |
| CCI-000804 |
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users). |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 804. |
The organization being inspected/assessed configures the information system to uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 804. |
Identification And Authentication (Non-Organizational Users) |
IA-8 |
IA-8.1 |
Non-organizational users include information system users other than organizational users explicitly covered by IA-2. These individuals are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. In accordance with the E-Authentication E-Government initiative, authentication of non-organizational users accessing federal information systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations use risk assessments to determine authentication needs and consider scalability, practicality, and security in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk. IA-2 addresses identification and authentication requirements for access to information systems by organizational users. Related controls: AC-2, AC-14, AC-17, AC-18, IA-2, IA-4, IA-5, MA-4, RA-3, SA-12, SC-8. |
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users). |
| CCI-000805 |
The organization develops and documents an incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
CJCSI 6510.01F "Information Assurance and Support to Computer Network Defense," CJCSM 6510.01B, "Cyber Incident Handling Program," DoDD O-8530.1, and DoDI O-8530.2 meet the DoD requirements for incident response policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level with the following policies: CJCSI 6510.01F, CJCSM 6510.01B, DoDD O-8530.1, and DoDI O-8530.2. |
CJCSI 6510.01F "Information Assurance and Support to Computer Network Defense," CJCSM 6510.01B, "Cyber Incident Handling Program," DoDD O-8530.1, and DoDI O-8530.2 meet the DoD requirements for incident response policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level with the following policies: CJCSI 6510.01F, CJCSM 6510.01B, DoDD O-8530.1, and DoDI O-8530.2. |
Incident Response Policy And Procedures |
IR-1 |
IR-1.3 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
b. Reviews and updates the current:
1. Incident response policy [Assignment: organization-defined frequency]; and
2. Incident response procedures [Assignment: organization-defined frequency]. |
| CCI-000806 |
The organization disseminates an incident response policy to organization-defined personnel or roles. |
CJCSI 6510.01F "Information Assurance and Support to Computer Network Defense," CJCSM 6510.01B, "Cyber Incident Handling Program," DoDD O-8530.1, and DoDI O-8530.2 meet the DoD requirements for incident response policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level with the following policies: CJCSI 6510.01F, CJCSM 6510.01B, DoDD O-8530.1, and DoDI O-8530.2. |
DoD disseminates via http://www.dtic.mil/cjcs_directives/, CJCSI 6510.01F "Information Assurance and Support to Computer Network Defense," CJCSM 6510.01B, "Cyber Incident Handling Program," DoDD O-8530.1, and DoDI O-8530.2 to all personnel identified as stakeholders in the incident response process, as well as the ISSM and ISSO.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level with the following policies: CJCSI 6510.01F, CJCSM 6510.01B, DoDD O-8530.1, and DoDI O-8530.2. |
Incident Response Policy And Procedures |
IR-1 |
IR-1.4 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
b. Reviews and updates the current:
1. Incident response policy [Assignment: organization-defined frequency]; and
2. Incident response procedures [Assignment: organization-defined frequency]. |
| CCI-000807 |
The organization reviews and updates the current incident response policy in accordance with organization-defined frequency. |
CJCSI 6510.01F "Information Assurance and Support to Computer Network Defense," CJCSM 6510.01B, "Cyber Incident Handling Program," DoDD O-8530.1, and DoDI O-8530.2 meet the DoD requirements for incident response policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level with the following policies: CJCSI 6510.01F, CJCSM 6510.01B, DoDD O-8530.1, and DoDI O-8530.2. |
CJCSI 6510.01F "Information Assurance and Support to Computer Network Defense," CJCSM 6510.01B, "Cyber Incident Handling Program," DoDD O-8530.1, and DoDI O-8530.2 meet the DoD requirements for incident response policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level with the following policies: CJCSI 6510.01F, CJCSM 6510.01B, DoDD O-8530.1, and DoDI O-8530.2. |
Incident Response Policy And Procedures |
IR-1 |
IR-1.7 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
b. Reviews and updates the current:
1. Incident response policy [Assignment: organization-defined frequency]; and
2. Incident response procedures [Assignment: organization-defined frequency]. |
| CCI-000808 |
The organization defines the frequency with which to review and update the current incident response policy. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of issuance. |
DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of issuance. |
Incident Response Policy And Procedures |
IR-1 |
IR-1.8 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
b. Reviews and updates the current:
1. Incident response policy [Assignment: organization-defined frequency]; and
2. Incident response procedures [Assignment: organization-defined frequency]. |
| CCI-000809 |
The organization develops and documents procedures to facilitate the implementation of the incident response policy and associated incident response controls. |
CJCSI 6510.01F "Information Assurance and Support to Computer Network Defense," CJCSM 6510.01B, "Cyber Incident Handling Program," DoDD O-8530.1, and DoDI O-8530.2 meet the DoD requirements for incident response policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level with the following policies: CJCSI 6510.01F, CJCSM 6510.01B, DoDD O-8530.1, and DoDI O-8530.2. |
CJCSI 6510.01F "Information Assurance and Support to Computer Network Defense," CJCSM 6510.01B, "Cyber Incident Handling Program," DoDD O-8530.1, and DoDI O-8530.2 meets the DoD requirements for incident response policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level with the following policies: CJCSI 6510.01F, CJCSM 6510.01B, DoDD O-8530.1, and DoDI O-8530.2. |
Incident Response Policy And Procedures |
IR-1 |
IR-1.6 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
b. Reviews and updates the current:
1. Incident response policy [Assignment: organization-defined frequency]; and
2. Incident response procedures [Assignment: organization-defined frequency]. |
| CCI-000810 |
The organization disseminates incident response procedures to organization-defined personnel or roles. |
CJCSI 6510.01F "Information Assurance and Support to Computer Network Defense," CJCSM 6510.01B, "Cyber Incident Handling Program," DoDD O-8530.1, and DoDI O-8530.2 meet the DoD requirements for incident response policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level with the following policies: CJCSI 6510.01F, CJCSM 6510.01B, DoDD O-8530.1, and DoDI O-8530.2.
DoD has defined the roles as all personnel identified as stakeholders in the incident response process, as well as the ISSM and ISSO. |
DoD disseminates via http://www.dtic.mil/cjcs_directives/, CJCSI 6510.01F "Information Assurance and Support to Computer Network Defense," CJCSM 6510.01B, "Cyber Incident Handling Program," DoDD O-8530.1, and DoDI O-8530.2 to all personnel identified as stakeholders in the incident response process, as well as the ISSM and ISSO.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level with the following policies: CJCSI 6510.01F, CJCSM 6510.01B, DoDD O-8530.1, and DoDI O-8530.2.
DoD has defined the roles as all personnel identified as stakeholders in the incident response process, as well as the ISSM and ISSO. |
Incident Response Policy And Procedures |
IR-1 |
IR-1.5 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
b. Reviews and updates the current:
1. Incident response policy [Assignment: organization-defined frequency]; and
2. Incident response procedures [Assignment: organization-defined frequency]. |
| CCI-000811 |
The organization reviews and updates the current incident response procedures in accordance with organization-defined frequency. |
CJCSI 6510.01F "Information Assurance and Support to Computer Network Defense," CJCSM 6510.01B, "Cyber Incident Handling Program," DoDD O-8530.1, and DoDI O-8530.2 meet the DoD requirements for incident response policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered at the DoD level with the following policies: CJCSI 6510.01F, CJCSM 6510.01B, DoDD O-8530.1, and DoDI O-8530.2.
DoD has defined the frequency as reviewed annually - updated as appropriate. |
DoD (in conjunction with Joint Staff for CJCSIs) reviews and updates current incident response procedures (CJCSI 6510.01F, CJCSM 6510.01B, DoDD O-8530.1, and DoDI O-8530.2) annually.
DoD Components are automatically compliant with this CCI because they are covered at the DoD level with the following policies: CJCSI 6510.01F, CJCSM 6510.01B, DoDD O-8530.1, and DoDI O-8530.2.
DoD has defined the frequency as reviewed annually - updated as appropriate. |
Incident Response Policy And Procedures |
IR-1 |
IR-1.9 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
b. Reviews and updates the current:
1. Incident response policy [Assignment: organization-defined frequency]; and
2. Incident response procedures [Assignment: organization-defined frequency]. |
| CCI-000812 |
The organization defines the frequency with which to review and update the current incident response procedures. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as reviewed annually - updated as appropriate. |
DoD has defined the frequency as reviewed annually - updated as appropriate. |
Incident Response Policy And Procedures |
IR-1 |
IR-1.10 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
b. Reviews and updates the current:
1. Incident response policy [Assignment: organization-defined frequency]; and
2. Incident response procedures [Assignment: organization-defined frequency]. |
| CCI-000834 |
The organization defines a time period for personnel to report suspected security incidents to the organizational incident response capability. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as the timeframes specified by CJCSM 6510.01B (Table C-A-1) unless the data owner provides more restrictive guidance.
The organization conducting the inspection/assessment obtains and examines the incident response plan to determine if more stringent response time requirements have been identified. |
DoD has defined the time period as the timeframes specified by CJCSM 6510.01B (Table C-A-1) unless the data owner provides more restrictive guidance.
If organizations decide to be more restrictive than the guidance in the CJCSM, then they should address the more restrictive response time requirements in their incident response plan. |
Incident Reporting |
IR-6 |
IR-6.1 |
The intent of this control is to address both specific incident reporting requirements within an organization and the formal incident reporting requirements for federal agencies and their subordinate organizations. Suspected security incidents include, for example, the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Current federal policy requires that all federal agencies (unless specifically exempted from such requirements) report security incidents to the United States Computer Emergency Readiness Team (US-CERT) within specified time frames designated in the US-CERT Concept of Operations for Federal Cyber Security Incident Handling. Related controls: IR-4, IR-5, IR-8. |
The organization:
a. Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time-period]; and
b. Reports security incident information to [Assignment: organization-defined authorities]. |
| CCI-000835 |
The organization requires personnel to report suspected security incidents to the organizational incident response capability within the organization-defined time period. |
The organization conducting the inspection/assessment obtains and examines the user agreement to ensure users are required to report suspected security incidents to the organizational incident response capability within the timeframes specified by CJCSM 6510.01B (Table C-A-1) unless the data owner provides more restrictive guidance.
DoD has defined the time period as the timeframes specified by CJCSM 6510.01B (Table C-A-1) unless the data owner provides more restrictive guidance. |
The organization being inspected/assessed documents within the user agreement the requirement for all system users to report suspected security incidents to the organizational incident response capability within the timeframes specified by CJCSM 6510.01B (Table C-A-1) unless the data owner provides more restrictive guidance.
DoD has defined the time period as the timeframes specified by CJCSM 6510.01B (Table C-A-1) unless the data owner provides more restrictive guidance. |
Incident Reporting |
IR-6 |
IR-6.2 |
The intent of this control is to address both specific incident reporting requirements within an organization and the formal incident reporting requirements for federal agencies and their subordinate organizations. Suspected security incidents include, for example, the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Current federal policy requires that all federal agencies (unless specifically exempted from such requirements) report security incidents to the United States Computer Emergency Readiness Team (US-CERT) within specified time frames designated in the US-CERT Concept of Operations for Federal Cyber Security Incident Handling. Related controls: IR-4, IR-5, IR-8. |
The organization:
a. Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time-period]; and
b. Reports security incident information to [Assignment: organization-defined authorities]. |
| CCI-000836 |
The organization reports security incident information to organization-defined authorities. |
The organization conducting the inspection/assessment obtains and examines a sample of previous security incidents to ensure the incidents were reported to the appropriate CIRT/CERT (such as US-CERT, DoD CERT, IC CERT).
any security incidents IAW the incident response plan (IR-8). Reporting shall be conducted IAW CJCSM 6510.01B.
DoD has defined the authorities as the appropriate CIRT/CERT (such as US-CERT, DoD CERT, IC CERT).
|
The organization being inspected/assessed documents and implements a process to report to the appropriate CIRT/CERT (such as US-CERT, DoD CERT, IC CERT).any security incidents IAW the incident response plan (IR-8). Reporting shall be conducted IAW CJCSM 6510.01B.
DoD has defined the authorities as the appropriate CIRT/CERT (such as US-CERT, DoD CERT, IC CERT).
|
Incident Reporting |
IR-6 |
IR-6.3 |
The intent of this control is to address both specific incident reporting requirements within an organization and the formal incident reporting requirements for federal agencies and their subordinate organizations. Suspected security incidents include, for example, the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Current federal policy requires that all federal agencies (unless specifically exempted from such requirements) report security incidents to the United States Computer Emergency Readiness Team (US-CERT) within specified time frames designated in the US-CERT Concept of Operations for Federal Cyber Security Incident Handling. Related controls: IR-4, IR-5, IR-8. |
The organization:
a. Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time-period]; and
b. Reports security incident information to [Assignment: organization-defined authorities]. |
| CCI-000837 |
The organization employs automated mechanisms to assist in the reporting of security incidents. |
The organization conducting the inspection/assessment obtains and examines the incident handling plan to ensure that there are procedures identified to leverage the JIMS. |
The organization being inspected/assessed will document within their incident handling plan, procedures to leverage the Joint Incident Management System (JIMS).
For the DoD, JIMS is the automated mechanism. |
Incident Reporting | Automated Reporting |
IR-6 (1) |
IR-6(1).1 |
Related control: IR-7. |
The organization employs automated mechanisms to assist in the reporting of security incidents. |
| CCI-000838 |
The organization reports information system vulnerabilities associated with reported security incidents to organization-defined personnel or roles. |
The organization conducting the inspection/assessment obtains and examines a sample of previous security incidents to ensure the associated vulnerabilities were reported to personnel defined in IR-6 (2), CCI 2792 IAW the incident response plan (IR-8). Reporting shall be conducted IAW CJCSM 6510.01B. |
The organization being inspected/assessed documents and implements a process to report to personnel defined in IR-6 (2), CCI 2792 information system vulnerabilities associated with reported security incident IAW the incident response plan (IR-8). Reporting shall be conducted IAW CJCSM 6510.01B.
|
Incident Reporting | Vulnerabilities Related To Incidents |
IR-6 (2) |
IR-6(2).1 |
|
The organization reports information system vulnerabilities associated with reported security incidents to [Assignment: organization-defined personnel]. |
| CCI-000839 |
The organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents. |
The organization conducting the inspection/assessment will interview organizational users to determine awareness of incident response support services and quality of assistance of those services when used. If interviewing organizational users is not feasible, then review users manuals/documentation to ensures it identifies an incident response support service to contact. |
The organization being inspected/assessed will establish an incident response support service, analogous to an IT help desk, to provide advice and assistance to users for handling and reporting of security incidents.
|
Incident Response Assistance |
IR-7 |
IR-7.1 |
Incident response support resources provided by organizations include, for example, help desks, assistance groups, and access to forensics services, when required. Related controls: AT-2, IR-4, IR-6, IR-8, SA-9. |
The organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents. |
| CCI-000840 |
The organization employs automated mechanisms to increase the availability of incident response-related information and support. |
The organization conducting the inspection/assessment obtains and examines the incident response information sharing capability to validate the information sharing capability is available to organizational users. |
The organization being inspected/assessed will implement an automated intra-organization incident response information sharing capability to provide the following incident related information and support, for example:
1. SOP for incident reporting
2. Incident handling FAQ
3. Current incident activity awareness information
4. Incident response contact information
5. Incident report submission |
Incident Response Assistance | Automation Support For Availability Of Information / Support |
IR-7 (1) |
IR-7(1).1 |
Automated mechanisms can provide a push and/or pull capability for users to obtain incident response assistance. For example, individuals might have access to a website to query the assistance capability, or conversely, the assistance capability may have the ability to proactively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support. |
The organization employs automated mechanisms to increase the availability of incident response related information and support. |
| CCI-000841 |
The organization establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability. |
The organization conducting the inspection/assessment obtains and examines the formal agreement document between the organization and CNDSP to validate it is current and valid. |
The organization being inspected/assessed must establish a formal agreement with a computer network defense service provider (CNDSP). |
Incident Response Assistance | Coordination With External Providers |
IR-7 (2) |
IR-7(2).1 |
External providers of information system protection capability include, for example, the Computer Network Defense program within the U.S. Department of Defense. External providers help to protect, monitor, analyze, detect, and respond to unauthorized activity within organizational information systems and networks. |
The organization:
(a) Establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability; and
(b) Identifies organizational incident response team members to the external providers. |
| CCI-000842 |
The organization identifies organizational incident response team members to the external providers. |
The organization conducting the inspection/assessment obtains and examines the list of internal incident response team members to validate it is accurate and current. Interviews with CNDSP personnel and organizational incident response team members may also be conducted. |
The organization being inspected/assessed must provide and update the list of internal incident response team members as necessary throughout the lifecycle of the CNDSP agreement, in conjunction with the CNDSP agreement. |
Incident Response Assistance | Coordination With External Providers |
IR-7 (2) |
IR-7(2).2 |
External providers of information system protection capability include, for example, the Computer Network Defense program within the U.S. Department of Defense. External providers help to protect, monitor, analyze, detect, and respond to unauthorized activity within organizational information systems and networks. |
The organization:
(a) Establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability; and
(b) Identifies organizational incident response team members to the external providers. |
| CCI-000843 |
The organization develops an incident response plan that provides the organization with a roadmap for implementing its incident response capability; describes the structure and organization of the incident response capability; provides a high-level approach for how the incident response capability fits into the overall organization; meets the unique requirements of the organization, which relate to mission, size, structure, and functions; defines reportable incidents; provides metrics for measuring the incident response capability within the organization; and defines the resources and management support needed to effectively maintain and mature an incident response capability. |
|
|
|
|
|
|
|
| CCI-000844 |
The organization develops an incident response plan that is reviewed and approved by organization-defined personnel or roles. |
The organization conducting the inspection/assessment obtains and examines the incident response plan to validate it has been properly signed by at a minimum, the ISSM and ISSO.
DoD has defined the personnel or roles as at a minimum, the ISSM and ISSO. |
The organization being inspected/assessed will have an incident response plan signed and approved by at a minimum, the ISSM and ISSO.
DoD has defined the personnel or roles as at a minimum, the ISSM and ISSO. |
Incident Response Plan |
IR-8 |
IR-8.10 |
It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. |
The organization:
a. Develops an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response capability;
2. Describes the structure and organization of the incident response capability;
3. Provides a high-level approach for how the incident response capability fits into the overall organization;
4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
5. Defines reportable incidents;
6. Provides metrics for measuring the incident response capability within the organization;
7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
c. Reviews the incident response plan [Assignment: organization-defined frequency];
d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
f. Protects the incident response plan from unauthorized disclosure and modification. |
| CCI-000845 |
The organization defines incident response personnel (identified by name and/or by role) and organizational elements to whom copies of the incident response plan are distributed. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the list as all stakeholders identified in the incident response plan. |
DoD has defined the list as all stakeholders identified in the incident response plan. |
Incident Response Plan |
IR-8 |
IR-8.11 |
It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. |
The organization:
a. Develops an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response capability;
2. Describes the structure and organization of the incident response capability;
3. Provides a high-level approach for how the incident response capability fits into the overall organization;
4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
5. Defines reportable incidents;
6. Provides metrics for measuring the incident response capability within the organization;
7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
c. Reviews the incident response plan [Assignment: organization-defined frequency];
d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
f. Protects the incident response plan from unauthorized disclosure and modification. |
| CCI-000846 |
The organization distributes copies of the incident response plan to organization-defined incident response personnel (identified by name and/or by role) and organizational elements. |
The organization conducting the inspection/assessment obtains and examines organizationally approved information sharing mechanism to validate all stakeholders identified in the incident response plan have adequate access to the incident response plan.
DoD has defined the list as all stakeholders identified in the incident response plan. |
The organization being inspected/assessed makes available to all stakeholders identified in the incident response plan via organizationally approved information sharing mechanism.
DoD has defined the list as all stakeholders identified in the incident response plan. |
Incident Response Plan |
IR-8 |
IR-8.12 |
It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. |
The organization:
a. Develops an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response capability;
2. Describes the structure and organization of the incident response capability;
3. Provides a high-level approach for how the incident response capability fits into the overall organization;
4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
5. Defines reportable incidents;
6. Provides metrics for measuring the incident response capability within the organization;
7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
c. Reviews the incident response plan [Assignment: organization-defined frequency];
d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
f. Protects the incident response plan from unauthorized disclosure and modification. |
| CCI-000847 |
The organization defines the frequency for reviewing the incident response plan. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as at least annually (incorporating lessons learned from past incidents). |
DoD has defined the frequency as at least annually (incorporating lessons learned from past incidents). |
Incident Response Plan |
IR-8 |
IR-8.13 |
It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. |
The organization:
a. Develops an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response capability;
2. Describes the structure and organization of the incident response capability;
3. Provides a high-level approach for how the incident response capability fits into the overall organization;
4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
5. Defines reportable incidents;
6. Provides metrics for measuring the incident response capability within the organization;
7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
c. Reviews the incident response plan [Assignment: organization-defined frequency];
d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
f. Protects the incident response plan from unauthorized disclosure and modification. |
| CCI-000848 |
The organization reviews the incident response plan on an organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the incident response plan to validate it is current and has been reviewed within the last year.
DoD has defined the frequency as at least annually (incorporating lessons learned from past incidents).
|
The organization being inspected/assessed will conduct reviews of its incident response plan at least annually.
DoD has defined the frequency as at least annually (incorporating lessons learned from past incidents). |
Incident Response Plan |
IR-8 |
IR-8.14 |
It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. |
The organization:
a. Develops an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response capability;
2. Describes the structure and organization of the incident response capability;
3. Provides a high-level approach for how the incident response capability fits into the overall organization;
4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
5. Defines reportable incidents;
6. Provides metrics for measuring the incident response capability within the organization;
7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
c. Reviews the incident response plan [Assignment: organization-defined frequency];
d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
f. Protects the incident response plan from unauthorized disclosure and modification. |
| CCI-000849 |
The organization updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing. |
The organization conducting the inspection/assessment obtains and examines documentation of the update actions for the incident response plan to ensure the organization is updating the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing and incorporating lessons learned from past incidents (IR-4a). |
The organization being inspected/assessed must update the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing and incorporate lessons learned from past incidents (IR-4a).
The organization must document the update actions as an audit trail. |
Incident Response Plan |
IR-8 |
IR-8.15 |
It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. |
The organization:
a. Develops an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response capability;
2. Describes the structure and organization of the incident response capability;
3. Provides a high-level approach for how the incident response capability fits into the overall organization;
4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
5. Defines reportable incidents;
6. Provides metrics for measuring the incident response capability within the organization;
7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
c. Reviews the incident response plan [Assignment: organization-defined frequency];
d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
f. Protects the incident response plan from unauthorized disclosure and modification. |
| CCI-000850 |
The organization communicates incident response plan changes to organization-defined incident response personnel (identified by name and/or by role) and organizational elements. |
The organization conducting the inspection/assessment examines the incident response plan via the inspected organization's information sharing capability (e.g. portal, intranet, email, etc.) to ensure it has been communicated to all stakeholders identified in the incident response plan, not later than 30 days after the change is made.
DoD has defined the incident response personnel as all stakeholders identified in the incident response plan, not later than 30 days after the change is made. |
The organization being inspected/assessed communicates incident response plan changes to all stakeholders identified in the incident response plan, not later than 30 days after the change is made.
DoD has defined the incident response personnel as all stakeholders identified in the incident response plan, not later than 30 days after the change is made. |
Incident Response Plan |
IR-8 |
IR-8.16 |
It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. |
The organization:
a. Develops an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response capability;
2. Describes the structure and organization of the incident response capability;
3. Provides a high-level approach for how the incident response capability fits into the overall organization;
4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
5. Defines reportable incidents;
6. Provides metrics for measuring the incident response capability within the organization;
7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
c. Reviews the incident response plan [Assignment: organization-defined frequency];
d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
f. Protects the incident response plan from unauthorized disclosure and modification. |
| CCI-000865 |
The organization approves information system maintenance tools. |
The organization conducting the inspection/assessment:
1. obtains and examines the Security Plan to ensure the list of approved maintenance tools is documented;
2. ensures only the approved maintenance tools are used within the system. |
The organization being inspected/assessed documents the approved maintenance tools within the Security Plan. |
Maintenance Tools |
MA-3 |
MA-3.1 |
This control addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into organizational information systems. Maintenance tools can include, for example, hardware/software diagnostic test equipment and hardware/software packet sniffers. This control does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing “ping,” “ls,” “ipconfig,” or the hardware and software implementing the monitoring port of an Ethernet switch. Related controls: MA-2, MA-5, MP-6. |
The organization approves, controls, and monitors information system maintenance tools. |
| CCI-000866 |
The organization controls information system maintenance tools. |
The organization conducting the inspection/assessment:
1. obtains and examines the Security Plan to identify the list of approved maintenance tools;
2. ensures the organization being inspected/assessed controls the approved information system maintenance tools. |
The organization being inspected/assessed controls information system maintenance tools that are approved IAW MA-3, CCI 865. |
Maintenance Tools |
MA-3 |
MA-3.2 |
This control addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into organizational information systems. Maintenance tools can include, for example, hardware/software diagnostic test equipment and hardware/software packet sniffers. This control does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing “ping,” “ls,” “ipconfig,” or the hardware and software implementing the monitoring port of an Ethernet switch. Related controls: MA-2, MA-5, MP-6. |
The organization approves, controls, and monitors information system maintenance tools. |
| CCI-000867 |
The organization monitors information system maintenance tools. |
The organization conducting the inspection/assessment obtains and examines:
1. the Security Plan to identify the list of approved maintenance tools; and
2. documented procedures to identify how the use of maintenance tools is monitored; and
3. reviews evidence that the monitoring is conducted IAW the documented procedures. |
The organization being inspected/assessed develops and implements procedures to monitor the use of the approved information system maintenance tools IAW MA-3, CCI 865.
Records of monitoring activity must be maintained. |
Maintenance Tools |
MA-3 |
MA-3.3 |
This control addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into organizational information systems. Maintenance tools can include, for example, hardware/software diagnostic test equipment and hardware/software packet sniffers. This control does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing “ping,” “ls,” “ipconfig,” or the hardware and software implementing the monitoring port of an Ethernet switch. Related controls: MA-2, MA-5, MP-6. |
The organization approves, controls, and monitors information system maintenance tools. |
| CCI-000868 |
The organization maintains, on an ongoing basis, information system maintenance tools. |
|
|
|
|
|
|
|
| CCI-000869 |
The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications. |
The organization conducting the inspection/assessment obtains and examines procedures for, and records of inspection of the maintenance tools carried into a facility by maintenance personnel to ensure the tools are inspected for improper or unauthorized modifications. |
The organization being inspected/assessed documents the procedures for and implements inspections of the maintenances tools carried into a facility by maintenance personnel for improper or unauthorized modifications.
Records of inspection must be maintained. |
Maintenance Tools | Inspect Tools |
MA-3 (1) |
MA-3(1).1 |
If, upon inspection of maintenance tools, organizations determine that the tools have been modified in an improper/unauthorized manner or contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling. Related control: SI-7. |
The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications. |
| CCI-000870 |
The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system. |
The organization conducting the inspection/assessment obtains and examines the procedures for checking all diagnostic and test media for malicious code, and a sampling of configuration files and audit logs of the tool set used to check media. The purpose of the review is to ensure the organization being inspected/assessed checks all media containing diagnostic and test programs for malicious code before the media are used in the information system. |
The organization being inspected/assessed:
1. documents and implements procedures to check all media containing diagnostic and test programs for malicious code before the media are used in the information system; and
2. Runs an automated tool set to check all media containing diagnostic and test programs for malicious code before the media are used in the information system.
The organization must maintain configuration files for the automated tool set and audit logs of the tool set used to check media. |
Maintenance Tools | Inspect Media |
MA-3 (2) |
MA-3(2).1 |
If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with organizational incident handling policies and procedures. Related control: SI-3. |
The organization checks all media containing diagnostic and test programs for malicious code before the media are used in the information system. |
| CCI-000871 |
The organization prevents the unauthorized removal of maintenance equipment containing organizational information by: (a) verifying that there is no organizational information contained on the equipment; (b) sanitizing or destroying the equipment; (c) retaining the equipment within the facility; or (d) obtaining an exemption from organization-defined personnel or roles explicitly authorizing removal of the equipment from the facility. |
The organization conducting the inspection/assessment obtains and examines the documented process and record of maintenance equipment removal to ensure the organization being inspected/assessed takes one of the four actions listed in the implementation guidance. |
The organization being inspected/assessed documents and implements a process to take one of the following actions before authorizing removal of information equipment from the facility:
1. verify there is no organizational information contained on maintenance equipment;
2. Sanitize or destroy the equipment;
3. Retain the equipment within the facility; or
4. Obtain an exemption from personnel or roles defined in MA-3 (3), CCI 2882 explicitly authorizing removal of the equipment from the facility.
The organization must maintain a record of maintenance equipment removal and actions taken. |
Maintenance Tools | Prevent Unauthorized Removal |
MA-3 (3) |
MA-3(3).1 |
Organizational information includes all information specifically owned by organizations and information provided to organizations in which organizations serve as information stewards |
The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:
(a) Verifying that there is no organizational information contained on the equipment;
(b) Sanitizing or destroying the equipment;
(c) Retaining the equipment within the facility; or
(d) Obtaining an exemption from [Assignment: organization-defined personnel] explicitly authorizing removal of the equipment from the facility. |
| CCI-000872 |
The organization employs automated mechanisms to restrict the use of maintenance tools to authorized personnel only. |
|
|
|
|
|
|
|
| CCI-000890 |
The organization establishes a process for maintenance personnel authorization. |
The organization conducting the inspection/assessment obtains and examines procedures addressing maintenance personnel to ensure that the organization being inspected/assessed has established processes for the authorization of maintenance personnel. |
The organization being inspected/assessed clearly defines, documents, and establishes a process for the authorization of maintenance personnel. |
Maintenance Personnel |
MA-5 |
MA-5.1 |
This control applies to individuals performing hardware or software maintenance on organizational information systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Technical competence of supervising individuals relates to the maintenance performed on the information systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational information systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods. Related controls: AC-2, IA-8, MP-2, PE-2, PE-3, PE-4, RA-3. |
The organization:
a. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;
b. Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and
c. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations. |
| CCI-000891 |
The organization maintains a list of authorized maintenance organizations or personnel. |
The organization conducting the inspection/assessment obtains and examines the current list of authorized maintenance organizations or personnel to ensure the organization being inspected/assessed is maintaining the list. |
The organization being inspected/assessed maintains a current list of authorized maintenance organizations or personnel. |
Maintenance Personnel |
MA-5 |
MA-5.2 |
This control applies to individuals performing hardware or software maintenance on organizational information systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Technical competence of supervising individuals relates to the maintenance performed on the information systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational information systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods. Related controls: AC-2, IA-8, MP-2, PE-2, PE-3, PE-4, RA-3. |
The organization:
a. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;
b. Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and
c. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations. |
| CCI-000892 |
The organization ensures that personnel performing maintenance on the information system have required access authorizations or designates organizational personnel with required access authorizations and technical competence deemed necessary to supervise information system maintenance. |
|
|
|
|
|
|
|
| CCI-000893 |
The organization implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens. |
The organization conducting the inspection/assessment obtains and examines the procedures identified in MA-5, CCI 890 to ensure it includes specific procedures for maintenance personnel that lack appropriate security clearances or are not U.S. citizens. |
The organization being inspected/assessed documents and implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. Citizens in the procedures documented IAW MA-5, CCI 890. |
Maintenance Personnel | Individuals Without Appropriate Access |
MA-5 (1) |
MA-5(1).1 |
This control enhancement denies individuals who lack appropriate security clearances (i.e., individuals who do not possess security clearances or possess security clearances at a lower level than required) or who are not U.S. citizens, visual and electronic access to any classified information, Controlled Unclassified Information (CUI), or any other sensitive information contained on organizational information systems. Procedures for the use of maintenance personnel can be documented in security plans for the information systems. Related controls: MP-6, PL-2. |
The organization:
(a) Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:
(1) Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified;
(2) Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and
(b) Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system. |
| CCI-000894 |
The organization requires maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals to be escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified. |
The organization conducting the inspection/assessment obtains and examines the records of maintenance personnel who access the system to ensure the organization being inspected/assessed requires maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals to be escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified. |
The organization being inspected/assessed requires maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals to be escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified.
The organization must maintain records of maintenance personnel who access the system including information on escorts. |
Maintenance Personnel | Individuals Without Appropriate Access |
MA-5 (1) |
MA-5(1).2 |
This control enhancement denies individuals who lack appropriate security clearances (i.e., individuals who do not possess security clearances or possess security clearances at a lower level than required) or who are not U.S. citizens, visual and electronic access to any classified information, Controlled Unclassified Information (CUI), or any other sensitive information contained on organizational information systems. Procedures for the use of maintenance personnel can be documented in security plans for the information systems. Related controls: MP-6, PL-2. |
The organization:
(a) Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:
(1) Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified;
(2) Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and
(b) Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system. |
| CCI-000895 |
The organization requires that, prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system be sanitized and all nonvolatile storage media be removed or physically disconnected from the system and secured. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed sanitizes, removes, or physically disconnects all nonvolatile storage media from the system prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals. |
The organization being inspected/assessed documents and implements a process to sanitize, remove, or physically disconnect all nonvolatile storage media from the system prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals. |
Maintenance Personnel | Individuals Without Appropriate Access |
MA-5 (1) |
MA-5(1).3 |
This control enhancement denies individuals who lack appropriate security clearances (i.e., individuals who do not possess security clearances or possess security clearances at a lower level than required) or who are not U.S. citizens, visual and electronic access to any classified information, Controlled Unclassified Information (CUI), or any other sensitive information contained on organizational information systems. Procedures for the use of maintenance personnel can be documented in security plans for the information systems. Related controls: MP-6, PL-2. |
The organization:
(a) Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:
(1) Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified;
(2) Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and
(b) Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system. |
| CCI-000896 |
The organization requires that in the event an information system component cannot be sanitized, the procedures contained in the security plan for the system be enforced. |
|
|
|
|
|
|
|
| CCI-000897 |
The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for all compartments of information on the system. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for all compartments of information on the system. |
The organization being inspected/assessed documents and implements a process to ensure that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for all compartments of information on the system. |
Maintenance Personnel | Security Clearances For Classified Systems |
MA-5 (2) |
MA-5(2).1 |
Related control: PS-3. |
The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for all compartments of information on the system. |
| CCI-000898 |
The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are U.S. citizens. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are U.S. citizens. |
The organization being inspected/assessed documents and implements a process to ensure that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are U.S. citizens. |
Maintenance Personnel | Citizenship Requirements For Classified Systems |
MA-5 (3) |
MA-5(3).1 |
Related control: PS-3. |
The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are U.S. citizens. |
| CCI-000899 |
The organization ensures that cleared foreign nationals (i.e., foreign nationals with appropriate security clearances) are used to conduct maintenance and diagnostic activities on classified information systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed ensures that cleared foreign nationals (i.e., foreign nationals with appropriate security clearances), are used to conduct maintenance and diagnostic activities on classified information systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments. |
The organization being inspected/assessed documents and implements a process to ensure that cleared foreign nationals (i.e., foreign nationals with appropriate security clearances), are used to conduct maintenance and diagnostic activities on classified information systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments. |
Maintenance Personnel | Foreign Nationals |
MA-5 (4) |
MA-5(4).1 |
Related control: PS-3. |
The organization ensures that:
(a) Cleared foreign nationals (i.e., foreign nationals with appropriate security clearances), are used to conduct maintenance and diagnostic activities on classified information systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments; and (b) Approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified information systems
are fully documented within Memoranda of Agreements. |
| CCI-000900 |
The organization ensures that approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified information systems are fully documented within Memoranda of Agreements. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed ensures that approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified information systems are fully documented within Memorandum of Agreements. |
The organization being inspected/assessed documents and implements a process to ensure that approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified information systems are fully documented within Memorandum of Agreements. |
Maintenance Personnel | Foreign Nationals |
MA-5 (4) |
MA-5(4).2 |
Related control: PS-3. |
The organization ensures that:
(a) Cleared foreign nationals (i.e., foreign nationals with appropriate security clearances), are used to conduct maintenance and diagnostic activities on classified information systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments; and (b) Approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified information systems
are fully documented within Memoranda of Agreements. |
| CCI-000901 |
The organization defines a list of security-critical information system components and/or key information technology components for which it will obtain maintenance support and/or spare parts. |
|
|
|
|
|
|
|
| CCI-000902 |
The organization defines a time period for obtaining maintenance support and/or spare parts for security-critical information system components and/or key information technology components. |
|
|
|
|
|
|
|
| CCI-000903 |
The organization obtains maintenance support and/or spare parts for organization-defined information system components within an organization-defined time period of failure. |
The organization conducting the inspection/assessment obtains evidence that maintenance support is available for information system components defined in MA-6, CCI 2896 and that the support will be provided within 24 hours (Low and Moderate Availability) or immediately upon failure for (High Availability).
Evidence can include maintenance support contracts, inventories of spare parts, etc.
DoD has defined the time period as within 24 hours (Low and Moderate Availability) or immediately upon failure for (High Availability). |
The organization being inspected/assessed obtains maintenance support and/or spare parts for information system components defined in MA-6, CCI 2896 within 24 hours (Low and Moderate Availability) or immediately upon failure for (High Availability).
DoD has defined the time period as within 24 hours (Low and Moderate Availability) or immediately upon failure for (High Availability). |
Timely Maintenance |
MA-6 |
MA-6.1 |
Organizations specify the information system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support typically include having appropriate contracts in place. Related controls: CM-8, CP-2, CP-7, SA-14, SA-15. |
The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined information system components] within [Assignment: organization-defined time period] of failure. |
| CCI-000904 |
The organization develops and documents a physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
DoDI 5200.08 and DoD 5200.08-R meet the requirement for Physical and Environmental Policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.08 and DoD 5200.08-R. |
DoDI 5200.08 and DoD 5200.08-R meet the requirement for Physical and Environmental Policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.08 and DoD 5200.08-R. |
Physical And Environmental Protection Policy And Procedures |
PE-1 |
PE-1.3 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PE family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and
b. Reviews and updates the current:
1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and
2. Physical and environmental protection procedures [Assignment: organization-defined frequency]. |
| CCI-000905 |
The organization disseminates a physical and environmental protection policy to organization-defined personnel or roles. |
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 5200.08 and DoD 5200.08-R
DoD has defined the personnel or roles as organizational personnel with physical and environmental protection responsibilities. |
DoD disseminates DoDI 5200.08 and DoD 5200.08-R organization-wide via the DoD Issuances website.
http://www.dtic.mil/whs/directives/corres/dir.html
DoD has defined the personnel or roles as organizational personnel with physical and environmental protection responsibilities. |
Physical And Environmental Protection Policy And Procedures |
PE-1 |
PE-1.4 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PE family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and
b. Reviews and updates the current:
1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and
2. Physical and environmental protection procedures [Assignment: organization-defined frequency]. |
| CCI-000906 |
The organization reviews and updates the current physical and environmental protection policy in accordance with organization-defined frequency. |
DoDI 5200.08 and DoD 5200.08-R meet the requirement for Physical and Environmental Policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.08 and DoD 5200.08-R.
DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. |
DoDI 5200.08 and DoD 5200.08-R meet the requirement for Physical and Environmental Policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.08 and DoD 5200.08-R.
DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. |
Physical And Environmental Protection Policy And Procedures |
PE-1 |
PE-1.7 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PE family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and
b. Reviews and updates the current:
1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and
2. Physical and environmental protection procedures [Assignment: organization-defined frequency]. |
| CCI-000907 |
The organization defines the frequency with which to review and update the physical and environmental protection policy. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. |
DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. |
Physical And Environmental Protection Policy And Procedures |
PE-1 |
PE-1.8 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PE family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and
b. Reviews and updates the current:
1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and
2. Physical and environmental protection procedures [Assignment: organization-defined frequency]. |
| CCI-000908 |
The organization develops and documents procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls. |
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.08 and DoD 5200.08-R. |
DoDI 5200.08 and DoD 5200.08-R meet the requirement for Physical and Environmental Policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.08 and DoD 5200.08-R. |
Physical And Environmental Protection Policy And Procedures |
PE-1 |
PE-1.5 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PE family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and
b. Reviews and updates the current:
1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and
2. Physical and environmental protection procedures [Assignment: organization-defined frequency]. |
| CCI-000909 |
The organization disseminates physical and environmental protection procedures to organization-defined personnel or roles. |
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 5200.08 and DoD 5200.08-R
DoD has defined the personnel or roles as organizational personnel with physical and environmental protection responsibilities. |
DoD disseminates DoDI 5200.08 and DoD 5200.08-R organization-wide via the DoD Issuances website.
http://www.dtic.mil/whs/directives/corres/dir.html
DoD has defined the personnel or roles as organizational personnel with physical and environmental protection responsibilities. |
Physical And Environmental Protection Policy And Procedures |
PE-1 |
PE-1.6 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PE family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and
b. Reviews and updates the current:
1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and
2. Physical and environmental protection procedures [Assignment: organization-defined frequency]. |
| CCI-000910 |
The organization reviews and updates the current physical and environmental protection procedures in accordance with organization-defined frequency. |
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.08 and DoD 5200.08-R.
DoD has defined the frequency as reviewed annually - updated as appropriate. |
DoDI 5200.08 and DoD 5200.08-R meet the requirement for Physical and Environmental Policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.08 and DoD 5200.08-R.
DoD has defined the frequency as reviewed annually - updated as appropriate. |
Physical And Environmental Protection Policy And Procedures |
PE-1 |
PE-1.9 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PE family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and
b. Reviews and updates the current:
1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and
2. Physical and environmental protection procedures [Assignment: organization-defined frequency]. |
| CCI-000911 |
The organization defines the frequency with which to review and update the physical and environmental protection procedures. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as reviewed annually - updated as appropriate. |
DoD has defined the frequency as reviewed annually - updated as appropriate. |
Physical And Environmental Protection Policy And Procedures |
PE-1 |
PE-1.10 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PE family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and
b. Reviews and updates the current:
1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and
2. Physical and environmental protection procedures [Assignment: organization-defined frequency]. |
| CCI-000919 |
The organization enforces physical access authorizations at organization-defined entry/exit points to the facility where the information system resides. |
The organization conducting the inspection/assessment performs a physical inspection of facility entry/exit points defined in PE-3, CCI 2915 to ensure that either physical access authorization controls are in place for those access points considered normal access points or are properly secured.
Physical access points that are not documented or are not secured would be a failure of this control. |
The organization being inspected/assessed will implement physical access authorizations at entry/exit points defined in PE-3, CCI 2915 and secure those physical access points (i.e. doors and/or windows) that are not intended for normal access. |
Physical Access Control |
PE-3 |
PE-3.1 |
This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. |
The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. |
| CCI-000920 |
The organization verifies individual access authorizations before granting access to the facility. |
The organization conducting the inspection/assessment obtains and examines the access authorization list of personnel that have access to the facility (per access list implemented through PE-2, CCI 000912) where the information system resides. Inspect selected facilities to confirm the inspected organization is granting access at all physical access points to only authorized personnel. |
The organization being inspected/assessed verifies and grants access to facilities based upon individual access authorizations. |
Physical Access Control |
PE-3 |
PE-3.3 |
This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. |
The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. |
| CCI-000921 |
The organization controls ingress/egress to the facility where the information system resides using one or more organization-defined physical access control systems/devices or guards. |
The organization conducting the inspection/assessment obtains and examines the list of physical access control devices and/or guards in use defined in PE-3, CCI 2916 and conducts random inspections of entry points. The purpose is to determine whether the organization is using those physical access devices and/or guards to control entry of personnel into the facility hosting the information system. |
The organization being inspected/assessed will control ingress/egress to the facility using the physical access control devices and/or guards defined in PE-3, CCI 2916. |
Physical Access Control |
PE-3 |
PE-3.4 |
This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. |
The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. |
| CCI-000922 |
The organization controls access to areas officially designated as publicly accessible in accordance with the organization^s assessment of risk. |
|
|
|
|
|
|
|
| CCI-000923 |
The organization secures keys, combinations, and other physical access devices. |
The organization conducting the inspection/assessment conducts physical inspections and interviews physical security/safety personnel to validate the organization has taken the proper precautions, and established the proper procedures to ensure it has adequately secured its keys, combinations, and other physical devices. |
The organization being inspected/assessed will secure as appropriate (in safes or secure containers) items used for physical access control such as keys, combinations, portable locks, etc. Fixed access control devices such as card readers, installed locks, key pads, etc. should be protected from tampering. |
Physical Access Control |
PE-3 |
PE-3.14 |
This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. |
The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. |
| CCI-000924 |
The organization inventories organization-defined physical access devices on an organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the records of inventory of minimally keys or any other physical token used to gain access to ensure the inventory is being conducted annually.
DoD has defined the frequency as annually.
DoD has defined the physical access devices as minimally keys or any other physical token used to gain access. |
The organization being inspected/assessed conducts and documents an inventory of minimally keys or any other physical token used to gain access annually.
Inventory documents must be retained for at least one year beyond the completion of the next inventory.
DoD has defined the frequency as annually.
DoD has defined the physical access devices as minimally keys or any other physical token used to gain access. |
Physical Access Control |
PE-3 |
PE-3.15 |
This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. |
The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. |
| CCI-000925 |
The organization defines the frequency for conducting inventories of organization-defined physical access devices. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as annually. |
DoD has defined the frequency as annually. |
Physical Access Control |
PE-3 |
PE-3.16 |
This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. |
The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. |
| CCI-000926 |
The organization changes combinations and keys in accordance with organization-defined frequency and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. |
The organization conducting the inspection/assessment obtains and examines documentation of these change actions to validate the organization is changing its keys and combinations upon occurrence of security relevant events and when keys are lost, combinations are compromised, or individuals are transferred or terminated.
DoD has defined the frequency as required by security relevant events. |
The organization being inspected/assessed will document each occurrence of these change actions, with the reason for the action, as an audit trail for future reference.
DoD has defined the frequency as required by security relevant events. |
Physical Access Control |
PE-3 |
PE-3.18 |
This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. |
The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. |
| CCI-000927 |
The organization defines a frequency for changing combinations and keys. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as required by security relevant event. |
DoD has defined the frequency as required by security relevant event. |
Physical Access Control |
PE-3 |
PE-3.19 |
This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. |
The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. |
| CCI-000928 |
The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility where the information system resides at organization-defined physical spaces containing one or more components of the information system. |
The organization conducting the inspection/assessment obtains and examines the documented list of additional physical access authorizations for the facility/facilities at physical spaces containing one or more components of the information system.
The objective of the examination is to determine if the organization is enforcing additional physical access authorizations to areas of the facility at physical spaces containing one or more components of the information system defined in PE-3 (1), CCI 2926. These controls are independent of the physical access controls established for the facility. |
The organization being inspected/assessed will
provide documentation of additional physical access authorizations for the facility/facilities at physical spaces containing one or more components of the information system defined in PE-3 (1), CCI 2926.
The organization will ensure that these controls are separate from, and independent of, the physical access controls established for the facility. |
Physical Access Control | Information System Access |
PE-3 (1) |
PE-3(1).1 |
This control enhancement provides additional physical security for those areas within facilities where there is a concentration of information system components (e.g., server rooms, media storage areas, data and communications centers). Related control: PS-2. |
The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the information system]. |
| CCI-000929 |
The organization performs security checks in accordance with organization-defined frequency at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components. |
The organization conducting the inspection/assessment obtains and examines the documented procedures as well as the audit trail of security checks at the physical boundary to ensure the organization being inspected/assessed performs security checks at the physical boundary of the facility or information system at a minimum, annually.
DoD has defined the frequency as at a minimum, annually. |
The organization being inspected/assessed documents and implements procedures to perform security checks at the physical boundary of the facility or information system at a minimum, annually.
The organization must maintain an audit trail of security checks at the physical boundary.
DoD has defined the frequency as at a minimum, annually. |
Physical Access Control | Facility / Information System Boundaries |
PE-3 (2) |
PE-3(2).1 |
Organizations determine the extent, frequency, and/or randomness of security checks to adequately mitigate risk associated with exfiltration. Related controls: AC-4, SC-7. |
The organization performs security checks [Assignment: organization-defined frequency] at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components. |
| CCI-000930 |
The organization employs guards and/or alarms to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week. |
The organization conducting the inspection/assessment obtains the list of guards or alarms for every physical access point to the facility where the information system resides and visually verifies a sampling of access points to ensure the appropriate guard or alarm to monitor is in place 24 hours per day, 7 days per week. |
The organization being inspected/assessed employs guards and/or alarms to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week.
The organization must create and maintain a list of guards or alarms for every physical access point to the facility where the information system resides 24 hours per day, 7 days per week. |
Physical Access Control | Continuous Guards / Alarms / Monitoring |
PE-3 (3) |
PE-3(3).1 |
Related controls: CP-6, CP-7. |
The organization employs guards and/or alarms to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week. |
| CCI-000931 |
The organization uses lockable physical casings to protect organization-defined information system components from unauthorized physical access. |
The organization conducting the inspection/assessment performs a sample inspection of the lockable physical casings. The objective of the reviews is to validate the organization is using lockable physical casings to protect organization-defined information system components from unauthorized physical access. |
The organization being inspected/assessed will deploy and install lockable physical casings designed to protect organization-defined information system components from unauthorized physical access. |
Physical Access Control | Lockable Casings |
PE-3 (4) |
PE-3(4).1 |
|
The organization uses lockable physical casings to protect [Assignment: organization-defined information system components] from unauthorized physical access. |
| CCI-000932 |
The organization defines information system components to be protected from unauthorized physical access using lockable physical casings. |
The organization conducting the inspection/assessment obtains and examines the documented information system components to ensure the organization being inspected/assessed defines information system components to be protected from unauthorized physical access using lockable physical casings.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents information system components to be protected from unauthorized physical access using lockable physical casings.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
Physical Access Control | Lockable Casings |
PE-3 (4) |
PE-3(4).2 |
|
The organization uses lockable physical casings to protect [Assignment: organization-defined information system components] from unauthorized physical access. |
| CCI-000933 |
The organization employs organization-defined security safeguards to deter and/or prevent physical tampering or alteration of organization-defined hardware components within the information system. |
The organization conducting the inspection/assessment inspects the information system to ensure the organization being inspected/assessed employs security safeguards defined in PE-3 (5), CCI 2928 to deter and or prevent physical tampering or alteration of hardware components defined in PE-3 (5), CCI 2929 within the information system. |
The organization being inspected/assessed employs security safeguards defined in PE-3 (5), CCI 2928 to deter and or prevent physical tampering or alteration of hardware components defined in PE-3 (5), CCI 2929 within the information system. |
Physical Access Control | Tamper Protection |
PE-3 (5) |
PE-3(5).1 |
Organizations may implement tamper detection/prevention at selected hardware components or tamper detection at some components and tamper prevention at other components. Tamper detection/prevention activities can employ many types of anti-tamper technologies including, for example, tamper-detection seals and anti-tamper coatings. Anti-tamper programs help to detect hardware alterations through counterfeiting and other supply chain-related risks. Related control: SA-12. |
The organization employs [Assignment: organization-defined security safeguards] to [Selection (one or more): detect; prevent] physical tampering or alteration of [Assignment: organization defined hardware components] within the information system. |
| CCI-000934 |
The organization employs a penetration testing process that includes unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility on an organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the inspected organization's physical security assessment plan and reviews documented results to ensure annual penetration testing of physical access points occurred.
DoD has defined the frequency as annually. |
The organization being inspected/assessed executes a penetration testing process annually, that includes unannounced attempts, as defined in its physical security assessment plan for testing effectiveness of security controls in place for physical access points to the facility. Results of all penetration testing will be documented as an audit trail.
DoD has defined the frequency as annually. |
Physical Access Control | Facility Penetration Testing |
PE-3 (6) |
PE-3(6).1 |
Related controls: CA-2, CA-7. |
The organization employs a penetration testing process that includes [Assignment: organization defined frequency], unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility. |
| CCI-000935 |
The organization defines the frequency of unannounced attempts to be included in a penetration testing process to bypass or circumvent security controls associated with physical access points to the facility. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as annually. |
DoD has defined the frequency as annually. |
Physical Access Control | Facility Penetration Testing |
PE-3 (6) |
PE-3(6).2 |
Related controls: CA-2, CA-7. |
The organization employs a penetration testing process that includes [Assignment: organization defined frequency], unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility. |
| CCI-000936 |
The organization controls physical access to organization-defined information system distribution and transmission lines within organizational facilities using organization-defined security safeguards. |
The organization conducting the inspection/assessment inspects the information system distribution and transmission lines defined in PE-4, CCI 2930 to ensure the security safeguards defined in PE-4, CCI 2931 are in place. |
The organization being inspected/assessed controls physical access to information system distribution and transmission lines defined in PE-4, CCI 2930 within organizational facilities using security safeguards defined in PE-4, CCI 2931. |
Access Control For Transmission Medium |
PE-4 |
PE-4.1 |
Physical security safeguards applied to information system distribution and transmission lines help to prevent accidental damage, disruption, and physical tampering. In addition, physical safeguards may be necessary to help prevent eavesdropping or in transit modification of unencrypted transmissions. Security safeguards to control physical access to system distribution and transmission lines include, for example: (i) locked wiring closets; (ii) disconnected or locked spare jacks; and/or (iii) protection of cabling by conduit or cable trays. Related controls: MP-2, MP-4, PE-2, PE-3, PE-5, SC-7, SC-8. |
The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using
[Assignment: organization-defined security safeguards]. |
| CCI-000937 |
The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output. |
The organization conducting the inspection/assessment obtains and examines the list of additional access controls for output devices. Physical inspection is required to ensure these access controls are properly implemented. |
The organization being inspected/assessed will identify, document, and execute any additional access controls required for output devices above and beyond physical access controls already in place for the facility IAW DoD 5200.08-R and DoD 5200.01-M (Volumes 1-4). |
Access Control For Output Devices |
PE-5 |
PE-5.1 |
Controlling physical access to output devices includes, for example, placing output devices in locked rooms or other secured areas and allowing access to authorized individuals only, and placing output devices in locations that can be monitored by organizational personnel. Monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of information system output devices. Related controls: PE-2, PE-3, PE-4, PE-18. |
The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output. |
| CCI-000938 |
The organization monitors physical access to the information system to detect and respond to physical security incidents. |
|
|
|
|
|
|
|
| CCI-000939 |
The organization reviews physical access logs in accordance with organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the inspected organization's physical access logs or records; physical access incident reports; and any other relevant documents or records. The purpose of the reviews is to determine if the organization is conducting reviews of the physical access logs every 30 days.
DoD has defined the frequency as every 30 days. |
The organization being inspected/assessed will review physical access logs every 30 days.
The organization must document each occurrence the physical access log review, with results of any necessary incident analysis and action taken, as an audit trail for future reference.
DoD has defined the frequency as every 30 days. |
Monitoring Physical Access |
PE-6 |
PE-6.4 |
Organizational incident response capabilities include investigations of and responses to detected physical security incidents. Security incidents include, for example, apparent security violations or suspicious physical access activities. Suspicious physical access activities include, for example: (i) accesses outside of normal work hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for unusual lengths of time; and (iv) out-of-sequence accesses. Related controls: CA-7, IR-4, IR-8. |
The organization:
a. Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;
b. Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and
c. Coordinates results of reviews and investigations with the organizational incident response capability. |
| CCI-000940 |
The organization defines a frequency for reviewing physical access logs. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as every 30 days. |
DoD has defined the frequency as every 30 days. |
Monitoring Physical Access |
PE-6 |
PE-6.5 |
Organizational incident response capabilities include investigations of and responses to detected physical security incidents. Security incidents include, for example, apparent security violations or suspicious physical access activities. Suspicious physical access activities include, for example: (i) accesses outside of normal work hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for unusual lengths of time; and (iv) out-of-sequence accesses. Related controls: CA-7, IR-4, IR-8. |
The organization:
a. Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;
b. Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and
c. Coordinates results of reviews and investigations with the organizational incident response capability. |
| CCI-000941 |
The organization coordinates results of reviews and investigations with the organization^s incident response capability. |
The organization conducting the inspection/assessment obtains and examines documentation of physical security incidents to ensure coordination with the inspected organization's incident response capability occurred. |
The organization being inspected/assessed will coordinate the results of reviews and investigations of physical security incidents with the organization's incident response capability (for physical security incidents). |
Monitoring Physical Access |
PE-6 |
PE-6.6 |
Organizational incident response capabilities include investigations of and responses to detected physical security incidents. Security incidents include, for example, apparent security violations or suspicious physical access activities. Suspicious physical access activities include, for example: (i) accesses outside of normal work hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for unusual lengths of time; and (iv) out-of-sequence accesses. Related controls: CA-7, IR-4, IR-8. |
The organization:
a. Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;
b. Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and
c. Coordinates results of reviews and investigations with the organizational incident response capability. |
| CCI-000942 |
The organization monitors physical intrusion alarms and surveillance equipment. |
The organization conducting the inspection/assessment will observe and interview security personnel conducting monitoring activities to validate the organization is actively monitoring all physical intrusion alarms and surveillance equipment. |
The organization being inspected/assessed will actively monitor physical intrusion alarms and surveillance equipment. |
Monitoring Physical Access | Intrusion Alarms / Surveillance Equipment |
PE-6 (1) |
PE-6(1).1 |
|
The organization monitors physical intrusion alarms and surveillance equipment. |
| CCI-000943 |
The organization employs automated mechanisms to recognize potential intrusions and initiate designated response actions. |
|
|
|
|
|
|
|
| CCI-000944 |
The organization controls physical access to the information system by authenticating visitors before authorizing access to the facility where the information system resides other than areas designated as publicly accessible. |
|
|
|
|
|
|
|
| CCI-000945 |
The organization escorts visitors and monitors visitor activity, when required. |
|
|
|
|
|
|
|
| CCI-000946 |
The organization requires two forms of identification for visitor access to the facility. |
|
|
|
|
|
|
|
| CCI-000947 |
The organization maintains visitor access records to the facility where the information system resides for an organization-defined time period. |
The organization conducting the inspection/assessment obtains and examines visitor access records to determine if the organization is maintaining visitor access records to the facility where the information system resides for at least one year.
DoD has defined the time period as at least one year. |
The organization being inspected/assessed must maintain visitor access records for their facilities for at least one year.
DoD has defined the time period as at least one year. |
Visitor Access Records |
PE-8 |
PE-8.1 |
Visitor access records include, for example, names and organizations of persons visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purposes of visits, and names and organizations of persons visited. Visitor access records are not required for publicly accessible areas. |
The organization:
a. Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and
b. Reviews visitor access records [Assignment: organization-defined frequency]. |
| CCI-000948 |
The organization reviews visitor access records in accordance with organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the audit documentation of visitor access record review to ensure the inspected organization is conducting reviews every 30 days.
DoD has defined the frequency as every 30 days. |
The organization being inspected/assessed conducts reviews of visitor access records every 30 days and must establish and maintain a documented audit trail within the authorization lifecycle.
DoD has defined the frequency as every 30 days. |
Visitor Access Records |
PE-8 |
PE-8.3 |
Visitor access records include, for example, names and organizations of persons visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purposes of visits, and names and organizations of persons visited. Visitor access records are not required for publicly accessible areas. |
The organization:
a. Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and
b. Reviews visitor access records [Assignment: organization-defined frequency]. |
| CCI-000949 |
The organization defines the frequency with which to review the visitor access records for the facility where the information system resides. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as every 30 days. |
DoD has defined the frequency as every 30 days. |
Visitor Access Records |
PE-8 |
PE-8.4 |
Visitor access records include, for example, names and organizations of persons visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purposes of visits, and names and organizations of persons visited. Visitor access records are not required for publicly accessible areas. |
The organization:
a. Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and
b. Reviews visitor access records [Assignment: organization-defined frequency]. |
| CCI-000950 |
The organization employs automated mechanisms to facilitate the maintenance and review of access records. |
The organization conducting the inspection/assessment:
1. obtains documentation identifying the automated mechanism in use by the inspected organization to facilitate the maintenance and review of access records
2. Observes the use of the automated mechanism by the inspected organization |
The organization being inspected/assessed will identify, document, and employ automated mechanisms to facilitate the maintenance and review of access records. |
Visitor Access Records | Automated Records Maintenance / Review |
PE-8 (1) |
PE-8(1).1 |
|
The organization employs automated mechanisms to facilitate the maintenance and review of visitor access records. |
| CCI-000951 |
The organization maintains a record of all physical access, both visitor and authorized individuals. |
|
|
|
|
|
|
|
| CCI-000952 |
The organization protects power equipment and power cabling for the information system from damage and destruction. |
The organization conducting the inspection/assessment obtains and examines the list of protective measures. Physical inspection of power equipment and power cabling will be done to ensure identified protective measures are in place. |
The organization being inspected/assessed provides a list of protective measures in place to prevent damage and/or destruction of power equipment and power cabling for their information system environment, IAW CP-2 (1), CCI 469. |
Power Equipment And Cabling |
PE-9 |
PE-9.1 |
Organizations determine the types of protection necessary for power equipment and cabling employed at different locations both internal and external to organizational facilities and environments of operation. This includes, for example, generators and power cabling outside of buildings, internal cabling and uninterruptable power sources within an office or data center, and power sources for self-contained entities such as vehicles and satellites. Related control: PE-4. |
The organization protects power equipment and power cabling for the information system from damage and destruction. |
| CCI-000953 |
The organization employs redundant and parallel power cabling paths. |
|
|
|
|
|
|
|
| CCI-000954 |
The organization employs automatic voltage controls for organization-defined critical information system components. |
The organization conducting the inspection/assessment obtains the documentation of the all mission critical IT Components required to have automatic voltage controls mechanisms devices in place (IAW PE-9 (2), CCI 955) and does a visual inspection of at least a sample of the above list to ensure automatic voltage control mechanisms are in place.
DoD has defined the list of critical information system components as all IT Components Critical to Execution of Missions. |
The organization being inspected/assessed
employs automatic voltage controls for all IT Components Critical to Execution of Missions.
Automatic voltage controls are devices intended to eliminate voltage fluctuations (e.g., spikes). This controls apply to voltage controls for mission critical IT Components and not for facilities.
DoD has defined the list of critical information system components as all IT Components Critical to Execution of Missions. |
Power Equipment And Cabling | Automatic Voltage Controls |
PE-9 (2) |
PE-9(2).1 |
|
The organization employs automatic voltage controls for [Assignment: organization-defined critical information system components]. |
| CCI-000955 |
The organization defines critical information system components that require automatic voltage controls. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the list of critical information system components as all IT Components Critical to Execution of Missions. |
The organization being inspected/assessed must document all IT Components Critical to Execution of Missions.
DoD has defined the list of critical information system components as all IT Components Critical to Execution of Missions. |
Power Equipment And Cabling | Automatic Voltage Controls |
PE-9 (2) |
PE-9(2).2 |
|
The organization employs automatic voltage controls for [Assignment: organization-defined critical information system components]. |
| CCI-000956 |
The organization provides the capability of shutting off power to the information system or individual system components in emergency situations. |
The organization conducting the inspection/assessment obtains and examines documentation of the capability to shut off the power to facilities or areas within facilities containing concentrations of information system resources (e.g., datacenters, server rooms, mainframe computer rooms) in emergency situations.
The purpose is to validate the organization has provided the capability of shutting off power in emergency situations. |
This control does not apply to individual workstations, laptops, printers, etc. This control only applies to facilities containing concentrations of information system resources (e.g., datacenters, server rooms, mainframe computer rooms).
The organization being inspected/assessed will establish and document the capability to shut off the power to facilities or areas within facilities containing concentrations of information system resources (e.g., datacenters, server rooms, mainframe computer rooms) in emergency situations. |
Emergency Shutoff |
PE-10 |
PE-10.1 |
This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Related control: PE-15. |
The organization:
a. Provides the capability of shutting off power to the information system or individual system components in emergency situations;
b. Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and
c. Protects emergency power shutoff capability from unauthorized activation. |
| CCI-000957 |
The organization places emergency shutoff switches or devices in an organization-defined location by information system or system component to facilitate safe and easy access for personnel. |
The organization conducting the inspection/assessment will physically inspect emergency shutoff switches or devices for placement to validate the organization has installed the emergency shutoff switches or devices near more than one egress point of the IT area and ensure it is labeled and protected by a cover to prevent accidental shut-off to facilitate safe and easy access for personnel.
DoD has defined the location as near more than one egress point of the IT area and ensure it is labeled and protected by a cover to prevent accidental shut-off. |
This control does not apply to individual workstations, laptops, printers, etc. This control only applies to facilities containing concentrations of information system resources (e.g., datacenters, server rooms, mainframe computer rooms).
The organization being inspected/assessed places emergency shutoff switches or devices near more than one egress point of the IT area and ensure it is labeled and protected by a cover to prevent accidental shut-off to facilitate safe and easy access for personnel.
DoD has defined the location as near more than one egress point of the IT area and ensure it is labeled and protected by a cover to prevent accidental shut-off. |
Emergency Shutoff |
PE-10 |
PE-10.2 |
This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Related control: PE-15. |
The organization:
a. Provides the capability of shutting off power to the information system or individual system components in emergency situations;
b. Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and
c. Protects emergency power shutoff capability from unauthorized activation. |
| CCI-000958 |
The organization defines a location for emergency shutoff switches or devices by information system or system component. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the location as near more than one egress point of the IT area and ensures it is labeled and protected by a cover to prevent accidental shut-off. |
DoD has defined the location as near more than one egress point of the IT area and ensures it is labeled and protected by a cover to prevent accidental shut-off. |
Emergency Shutoff |
PE-10 |
PE-10.3 |
This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Related control: PE-15. |
The organization:
a. Provides the capability of shutting off power to the information system or individual system components in emergency situations;
b. Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and
c. Protects emergency power shutoff capability from unauthorized activation. |
| CCI-000959 |
The organization protects emergency power shutoff capability from unauthorized activation. |
The organization conducting the inspection/assessment will ensure that the inspected organization has protected emergency power shutoff capability.
DoD has defined the location as near more than one egress point of the IT area and ensures it is labeled and protected by a cover to prevent accidental shut-off. |
The organization being inspected/assessed will protect emergency power shutoff capability.
DoD has defined the location as near more than one egress point of the IT area and ensures it is labeled and protected by a cover to prevent accidental shut-off. |
Emergency Shutoff |
PE-10 |
PE-10.4 |
This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Related control: PE-15. |
The organization:
a. Provides the capability of shutting off power to the information system or individual system components in emergency situations;
b. Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and
c. Protects emergency power shutoff capability from unauthorized activation. |
| CCI-000960 |
The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss. |
|
|
|
|
|
|
|
| CCI-000961 |
The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source. |
The organization conducting the inspection/assessment obtains and examines the list of physical IT assets within the boundary of the information system that require a long term alternate power supply. Physically inspect a sample from the list to ensure that long term power supply capability supporting minimal operational capability has been provided. |
The organization being inspected/assessed will:
1. implement alternate power supply capable of supporting minimal operational capability over the long term.
2. Provide a list of physical IT assets within the boundary of the information system that require a long term alternate power supply. This list may come from the inspected organization's security plan, continuity plan, or other documentation. |
Emergency Power | Long-Term Alternate Power Supply - Minimal Operational Capability |
PE-11 (1) |
PE-11(1).1 |
This control enhancement can be satisfied, for example, by the use of a secondary commercial power supply or other external power supply. Long-term alternate power supplies for the information system can be either manually or automatically activated. |
The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source. |
| CCI-000962 |
The organization provides a long-term alternate power supply for the information system that is self-contained and not reliant on external power generation. |
|
|
|
|
|
|
|
| CCI-000963 |
The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility. |
The organization conducting the inspection/assessment conducts visual inspections and interviews physical security personnel to validate the organization is in compliance with established OSHA requirements by employing and maintaining emergency lighting for the information system, the emergency lighting activates in the event of a power outage or disruption, and it covers emergency exits and evacuation routes within the facility |
The organization being inspected/assessed must install and maintain automatic emergency lighting for the information system that activates in the event of a power outage or disruption and covers emergency exits and evacuation routes within the facility in compliance with established OSHA requirements. |
Emergency Lighting |
PE-12 |
PE-12.1 |
This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Related controls: CP-2, CP-7. |
The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility. |
| CCI-000964 |
The organization provides emergency lighting for all areas within the facility supporting essential missions and business functions. |
|
|
|
|
|
|
|
| CCI-000981 |
The organization authorizes organization-defined types of information system components entering and exiting the facility. |
The organization conducting the inspection/assessment obtains and examines records authorizing all system components entering and exiting the facility.
DoD has defined the types of information system components as all system components. |
The organization being inspected/assessed authorizes and maintains authorization records of all system components entering and exiting the facility.
DoD has defined the types of information system components as all system components. |
Delivery And Removal |
PE-16 |
PE-16.1 |
Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries. Related controls: CM-3, MA-2, MA-3, MP-5, SA-12. |
The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items. |
| CCI-000982 |
The organization monitors organization-defined types of information system components entering and exiting the facility. |
The organization conducting the inspection/assessment obtains and examines records monitoring all system components entering and exiting the facility.
DoD has defined the types of information system components as all system components. |
The organization being inspected/assessed monitors all system components entering and exiting the facility.
DoD has defined the types of information system components as all system components. |
Delivery And Removal |
PE-16 |
PE-16.2 |
Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries. Related controls: CM-3, MA-2, MA-3, MP-5, SA-12. |
The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items. |
| CCI-000983 |
The organization controls organization-defined types of information system components entering and exiting the facility. |
The organization conducting the inspection/assessment obtains and examines the physical and environmental protection plan to determine if controls have been documented for all system components entering and exiting the facility and visually inspects the controls (e.g., logs, scans, etc.) to ensure implementation.
DoD has defined the types of information system components as all system components. |
The organization being inspected/assessed:
1. Documents in their physical and environmental protection plan (PE-1) controls for all system components entering and exiting the facility.
2. Implements documented controls for system components entering and exiting the facility.
DoD has defined the types of information system components as all system components. |
Delivery And Removal |
PE-16 |
PE-16.3 |
Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries. Related controls: CM-3, MA-2, MA-3, MP-5, SA-12. |
The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items. |
| CCI-000984 |
The organization maintains records of information system components entering and exiting the facility. |
The organization conducting the inspection/assessment obtains and examines records of physical entry and exit events to the facility. The purpose of the reviews is to ensure the organization is maintaining detailed and accurate records of information system components that enter and exit the facility.
If the organization is following GRS 18, Section 12 they are automatically compliant. |
The organization being inspected/assessed will maintain records of all information system components entering and exiting the facility.
If the organization is following General Records Schedule (GRS) 18, Section 12 they are automatically compliant. |
Delivery And Removal |
PE-16 |
PE-16.4 |
Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries. Related controls: CM-3, MA-2, MA-3, MP-5, SA-12. |
The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items. |
| CCI-000985 |
The organization employs organization-defined security controls at alternate work sites. |
The organization conducting the inspection/assessment obtains and examines the alternate work site policy of the organization being inspected/assessed to ensure the organization implements security controls defined in PE-17, CCI 2975 at alternate work sites. |
The organization being inspected/assessed implements security controls defined in PE-17, CCI 2975 at alternate work sites.
Alternate work sites are further defined in the definitions associated with this implementation guide.
Organizational telework policies should be used to address alternate work sites that are private residences.
Comment:
For classified information see DoD 5200.01 Vol 3 Manual |
Alternate Work Site |
PE-17 |
PE-17.1 |
Alternate work sites may include, for example, government facilities or private residences of employees. While commonly distinct from alternative processing sites, alternate work sites may provide readily available alternate locations as part of contingency operations. Organizations may define different sets of security controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations and the federal telework initiative. Related controls: AC-17, CP-7. |
The organization:
a. Employs [Assignment: organization-defined security controls] at alternate work sites;
b. Assesses as feasible, the effectiveness of security controls at alternate work sites; and
c. Provides a means for employees to communicate with information security personnel in case of security incidents or problems. |
| CCI-000986 |
The organization defines management, operational, and technical information system security controls to be employed at alternate work sites. |
|
|
|
|
|
|
|
| CCI-000987 |
The organization assesses as feasible, the effectiveness of security controls at alternate work sites. |
The organization conducting the inspection/assessment obtains and examines:
1. The procedures for assessing the effectiveness of alternate work site security controls.
2. The audit records of assessments they have conducted of security controls effectiveness for alternate work sites. |
The organization being inspected/assessed must implement procedures to assess, when feasible, the effectiveness of the documented alternate work site security controls.
The organization must document results of conducted assessments as part of an audit trail.
Alternate work sites are further defined in the definitions associated with this implementation guide. |
Alternate Work Site |
PE-17 |
PE-17.3 |
Alternate work sites may include, for example, government facilities or private residences of employees. While commonly distinct from alternative processing sites, alternate work sites may provide readily available alternate locations as part of contingency operations. Organizations may define different sets of security controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations and the federal telework initiative. Related controls: AC-17, CP-7. |
The organization:
a. Employs [Assignment: organization-defined security controls] at alternate work sites;
b. Assesses as feasible, the effectiveness of security controls at alternate work sites; and
c. Provides a means for employees to communicate with information security personnel in case of security incidents or problems. |
| CCI-000988 |
The organization provides a means for employees to communicate with information security personnel in case of security incidents or problems. |
The organization conducting the inspection/assessment obtains and examines contact information for appropriate security personnel to ensure its accuracy and dissemination. |
The organization being inspected/assessed must disseminate current contact information for appropriate security personnel to all employees; for example, telephone or e-mail. |
Alternate Work Site |
PE-17 |
PE-17.4 |
Alternate work sites may include, for example, government facilities or private residences of employees. While commonly distinct from alternative processing sites, alternate work sites may provide readily available alternate locations as part of contingency operations. Organizations may define different sets of security controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations and the federal telework initiative. Related controls: AC-17, CP-7. |
The organization:
a. Employs [Assignment: organization-defined security controls] at alternate work sites;
b. Assesses as feasible, the effectiveness of security controls at alternate work sites; and
c. Provides a means for employees to communicate with information security personnel in case of security incidents or problems. |
| CCI-000989 |
The organization positions information system components within the facility to minimize potential damage from organization-defined physical and environmental hazards. |
The organization conducting the inspection/assessment reviews the physical and environmental protection policy developed in PE-1, CCI 000904 to validate that the systems have been positioned according to the environmental policy. |
The organization being inspected/assessed positions information system components within the facility to minimize potential damage from physical and environmental hazards defined in PE-18, CCI 2976 specific to the location of the information system as documented in PE-1, CCI 000904. |
Location Of Information System Components |
PE-18 |
PE-18.1 |
Physical and environmental hazards include, for example, flooding, fire, tornados, earthquakes, hurricanes, acts of terrorism, vandalism, electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. In addition, organizations consider the location of physical entry points where unauthorized individuals, while not being granted access, might nonetheless be in close proximity to information systems and therefore increase the potential for unauthorized access to organizational communications (e.g., through the use of wireless sniffers or microphones). Related controls: CP-2, PE-19, RA-3. |
The organization positions information system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access. |
| CCI-000990 |
The organization positions information system components within the facility to minimize potential damage from environmental hazards. |
|
|
|
|
|
|
|
| CCI-000991 |
The organization positions information system components within the facility to minimize the opportunity for unauthorized access. |
The organization conducting the inspection/assessment reviews the physical and environmental protection policy developed in PE-1, CCI 000904 to validate that the systems have been positioned according to the environmental policy. |
The organization being inspected/assessed positions information system components within the facility to minimize the opportunity for unauthorized access specific to the location of the information system as documented in PE-1, CCI 00904. |
Location Of Information System Components |
PE-18 |
PE-18.2 |
Physical and environmental hazards include, for example, flooding, fire, tornados, earthquakes, hurricanes, acts of terrorism, vandalism, electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. In addition, organizations consider the location of physical entry points where unauthorized individuals, while not being granted access, might nonetheless be in close proximity to information systems and therefore increase the potential for unauthorized access to organizational communications (e.g., through the use of wireless sniffers or microphones). Related controls: CP-2, PE-19, RA-3. |
The organization positions information system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access. |
| CCI-000992 |
The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards, and for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy. |
|
|
|
|
|
|
|
| CCI-000993 |
The organization protects the information system from information leakage due to electromagnetic signals emanations. |
The organization conducting the inspection/assessment obtains and examines the TEMPEST countermeasures review and inspects the information system to ensure those countermeasures have been implemented. |
The organization being inspected/assessed will obtain a TEMPEST countermeasure review and implement the required countermeasures in order to protect the information system from information leakage due to electromagnetic signals emanations. |
Information Leakage |
PE-19 |
PE-19.1 |
Information leakage is the intentional or unintentional release of information to an untrusted environment from electromagnetic signals emanations. Security categories or classifications of information systems (with respect to confidentiality) and organizational security policies guide the selection of security controls employed to protect systems against information leakage due to electromagnetic signals emanations. |
The organization protects the information system from information leakage due to electromagnetic signals emanations. |
| CCI-000994 |
The organization ensures that information system components, associated data communications, and networks are protected in accordance with national emissions and TEMPEST policies and procedures based on the security category or classification of the information. |
The organization conducting the inspection/assessment obtains and examines the TEMPEST countermeasures review and inspects the information system to ensure those countermeasures have been implemented. |
The organization being inspected/assessed will obtain a TEMPEST countermeasure review and implement the required countermeasures in order to protect the information system from information leakage due to electromagnetic signals emanations. |
Information Leakage | National Emissions / Tempest Policies And Procedures |
PE-19 (1) |
PE-19(1).1 |
|
The organization ensures that information system components, associated data communications, and networks are protected in accordance with national emissions and TEMPEST policies and procedures based on the security category or classification of the information. |
| CCI-000995 |
The organization develops and documents a media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
DoDI 5200.01 and DoDM 5200.01 Vol. 1-4 meet the DoD requirements for media protection policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.01 and DoDM 5200.01 Vol. 1-4. |
DoDI 5200.01 and DoDM 5200.01 Vol. 1-4 meet the DoD requirements for media protection policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.01 and DoDM 5200.01 Vol. 1-4. |
Media Protection Policy And Procedures |
MP-1 |
MP-1.1 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and
b. Reviews and updates the current:
1. Media protection policy [Assignment: organization-defined frequency]; and
2. Media protection procedures [Assignment: organization-defined frequency]. |
| CCI-000996 |
The organization disseminates to organization-defined personnel or roles a media protection policy. |
DoDI 5200.01 and DoDM 5200.01 Vol. 1-4 meet the DoD requirements for media protection policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.01 and DoDM 5200.01 Vol. 1-4. |
DoDI 5200.01 and DoDM 5200.01 Vol. 1-4 meet the DoD requirements for media protection policy and procedures and is disseminated to all users via http://www.dtic.mil/whs/directives/corres/ins1.html.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.01 and DoDM 5200.01 Vol. 1-4. |
Media Protection Policy And Procedures |
MP-1 |
MP-1.2 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and
b. Reviews and updates the current:
1. Media protection policy [Assignment: organization-defined frequency]; and
2. Media protection procedures [Assignment: organization-defined frequency]. |
| CCI-000997 |
The organization reviews and updates the current media protection policy in accordance with organization-defined frequency. |
DoDI 5200.01 and DoDM 5200.01 Vol. 1-4 meet the DoD requirements for media protection policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.01 and DoDM 5200.01 Vol. 1-4. |
DoDI 5200.01 and DoDM 5200.01 Vol. 1-4 meet the DoD requirements for media protection policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.01 and DoDM 5200.01 Vol. 1-4. |
Media Protection Policy And Procedures |
MP-1 |
MP-1.6 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and
b. Reviews and updates the current:
1. Media protection policy [Assignment: organization-defined frequency]; and
2. Media protection procedures [Assignment: organization-defined frequency]. |
| CCI-000998 |
The organization defines a frequency for reviewing and updating the current media protection policy. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. |
DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. |
Media Protection Policy And Procedures |
MP-1 |
MP-1.7 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and
b. Reviews and updates the current:
1. Media protection policy [Assignment: organization-defined frequency]; and
2. Media protection procedures [Assignment: organization-defined frequency]. |
| CCI-000999 |
The organization develops and documents procedures to facilitate the implementation of the media protection policy and associated media protection controls. |
DoDI 5200.01 and DoDM 5200.01 Vol. 1-4 meet the DoD requirements for media protection policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.01 and DoDM 5200.01 Vol. 1-4. |
DoDI 5200.01 and DoDM 5200.01 Vol. 1-4 meet the DoD requirements for media protection policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.01 and DoDM 5200.01 Vol. 1-4. |
Media Protection Policy And Procedures |
MP-1 |
MP-1.4 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and
b. Reviews and updates the current:
1. Media protection policy [Assignment: organization-defined frequency]; and
2. Media protection procedures [Assignment: organization-defined frequency]. |
| CCI-001000 |
The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the media protection policy and associated media protection controls. |
DoDI 5200.01 and DoDM 5200.01 Vol. 1-4 meet the DoD requirements for media protection policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.01 and DoDM 5200.01 Vol. 1-4. |
DoDI 5200.01 and DoDM 5200.01 Vol. 1-4 meet the DoD requirements for media protection policy and procedures and is disseminated to all users via http://www.dtic.mil/whs/directives/corres/ins1.html.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.01 and DoDM 5200.01 Vol. 1-4. |
Media Protection Policy And Procedures |
MP-1 |
MP-1.5 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and
b. Reviews and updates the current:
1. Media protection policy [Assignment: organization-defined frequency]; and
2. Media protection procedures [Assignment: organization-defined frequency]. |
| CCI-001001 |
The organization reviews and updates the current media protection procedures in accordance with organization-defined frequency. |
DoDI 5200.01 and DoDM 5200.01 Vol. 1-4 meet the DoD requirements for media protection policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.01 and DoDM 5200.01 Vol. 1-4. |
DoDI 5200.01 and DoDM 5200.01 Vol. 1-4 meet the DoD requirements for media protection policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.01 and DoDM 5200.01 Vol. 1-4. |
Media Protection Policy And Procedures |
MP-1 |
MP-1.8 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and
b. Reviews and updates the current:
1. Media protection policy [Assignment: organization-defined frequency]; and
2. Media protection procedures [Assignment: organization-defined frequency]. |
| CCI-001002 |
The organization defines a frequency for reviewing and updating the current media protection procedures. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as reviewed annually as appropriate. |
DoD has defined the frequency as reviewed annually as appropriate. |
Media Protection Policy And Procedures |
MP-1 |
MP-1.9 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and
b. Reviews and updates the current:
1. Media protection policy [Assignment: organization-defined frequency]; and
2. Media protection procedures [Assignment: organization-defined frequency]. |
| CCI-001003 |
The organization restricts access to organization-defined types of digital and/or non-digital media to organization-defined personnel or roles. |
The organization conducting the inspection/assessment interviews organizational personnel with information system media protection responsibilities to ensure the organization being inspected/assessed restricts access to all types of digital and/or non-digital media containing information not cleared for public release to the personnel or roles defined in MP-2, CCI 1005.
DoD has defined the types of digital and non-digital media as all types of digital and/or non-digital media containing information not cleared for public release.
|
The organization being inspected/assessed restricts access to all types of digital and/or non-digital media containing information not cleared for public release to the personnel or roles defined in MP-2, CCI 1005.
DoD has defined the types of digital and non-digital media as all types of digital and/or non-digital media containing information not cleared for public release. |
Media Access |
MP-2 |
MP-2.1 |
Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Restricting non-digital media access includes, for example, denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers. Restricting access to digital media includes, for example, limiting access to design specifications stored on compact disks in the media library to the project leader and the individuals on the development team. Related controls: AC-3, IA-2, MP-4, PE-2, PE-3, PL-2. |
The organization restricts access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles]. |
| CCI-001004 |
The organization defines types of digital and/or non-digital media for which the organization restricts access. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the types of digital and non-digital media as all types of digital and/or non-digital media containing information not cleared for public release.
|
DoD has defined the types of digital and non-digital media as all types of digital and/or non-digital media containing information not cleared for public release.
|
Media Access |
MP-2 |
MP-2.2 |
Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Restricting non-digital media access includes, for example, denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers. Restricting access to digital media includes, for example, limiting access to design specifications stored on compact disks in the media library to the project leader and the individuals on the development team. Related controls: AC-3, IA-2, MP-4, PE-2, PE-3, PL-2. |
The organization restricts access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles]. |
| CCI-001005 |
The organization defines personnel or roles from which to restrict access to organization-defined types of digital and/or non-digital media. |
The organization conducting the inspection/assessment obtains and examines the documented personnel or roles to restrict access to media to ensure the access is granted IAW DoD 5200.01-M, CTO 10-133, and CTO 08-001.
DoD has determined the personnel or roles are not appropriate to define at the Enterprise level, but personnel must be identified
IAW DoD 5200.01-M, CTO 10-133, and CTO 08-001. |
The organization being inspected/assessed will define and document personnel or roles to restrict access to media IAW DoD 5200.01-M, CTO 10-133, and CTO 08-001.
DoD has determined the personnel or roles are not appropriate to define at the Enterprise level, but personnel must be identified
IAW DoD 5200.01-M, CTO 10-133, and CTO 08-001. |
Media Access |
MP-2 |
MP-2.3 |
Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Restricting non-digital media access includes, for example, denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers. Restricting access to digital media includes, for example, limiting access to design specifications stored on compact disks in the media library to the project leader and the individuals on the development team. Related controls: AC-3, IA-2, MP-4, PE-2, PE-3, PL-2. |
The organization restricts access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles]. |
| CCI-001006 |
The organization defines security measures for restricting access to media. |
|
|
|
|
|
|
|
| CCI-001007 |
The organization employs automated mechanisms to restrict access to media storage areas. |
The organization conducting the inspection/assessment examines the information system's environment to ensure the organization being inspected/assessed implements automated mechanisms to restrict access to media storage areas. |
The organization being inspected/assessed implements automated mechanisms to restrict access to media storage areas. |
Media Storage | Automated Restricted Access |
MP-4 (2) |
MP-4(2).1 |
Automated mechanisms can include, for example, keypads on the external entries to media storage areas. Related controls: AU-2, AU-9, AU-6, AU-12. |
The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted. |
| CCI-001008 |
The organization employs automated mechanisms to audit access attempts and access granted to media storage areas. |
The organization conducting the inspection/assessment examines the information system's environment to ensure the organization being inspected/assessed implements automated mechanisms to audit access attempts and access granted to media storage areas. |
The organization being inspected/assessed implements automated mechanisms to audit access attempts and access granted to media storage areas. |
Media Storage | Automated Restricted Access |
MP-4 (2) |
MP-4(2).2 |
Automated mechanisms can include, for example, keypads on the external entries to media storage areas. Related controls: AU-2, AU-9, AU-6, AU-12. |
The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted. |
| CCI-001009 |
The information system uses cryptographic mechanisms to protect and restrict access to information on portable digital media. |
|
|
|
|
|
|
|
| CCI-001014 |
The organization physically controls and securely stores organization-defined types of digital and/or non-digital media within organization-defined controlled areas. |
The organization conducting the inspection/assessment obtains and examines the list of all digital and non-digital media containing sensitive, controlled, and/or classified information within areas approved for processing or storing data IAW the sensitivity and/or classification level of the information contained on/within the media to ensure that physical controls are in place and that it is securely stored as defined in PE-3.
DoD has defined the digital and non-digital media types as all digital and non-digital media containing sensitive, controlled, and/or classified information.
DoD has defined the controlled areas as areas approved for processing or storing data IAW the sensitivity and/or classification level of the information contained on/within the media. |
The organization being inspected/assessed physically controls and securely stores all digital and non-digital media containing sensitive, controlled, and/or classified information within areas approved for processing or storing data IAW the sensitivity and/or classification level of the information contained on/within the media.
DoD has defined the digital and non-digital media types as all digital and non-digital media containing sensitive, controlled, and/or classified information.
DoD has defined the controlled areas as areas approved for processing or storing data IAW the sensitivity and/or classification level of the information contained on/within the media. |
Media Storage |
MP-4 |
MP-4.1 |
Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Physically controlling information system media includes, for example, conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. Secure storage includes, for example, a locked drawer, desk, or cabinet, or a controlled media library. The type of media storage is commensurate with the security category and/or classification of the information residing on the media. Controlled areas are areas for which organizations provide sufficient physical and procedural safeguards to meet the requirements established for protecting information and/or information systems. For media containing information determined by organizations to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on organizations or individuals if accessed by other than authorized personnel, fewer safeguards may be needed. In these situations, physical access controls provide adequate protection. Related controls: CP-6, CP-9, MP-2, MP-7, PE-3. |
The organization:
a. Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and
b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures. |
| CCI-001015 |
The organization defines types of digital and/or non-digital media to physically control and securely store within organization-defined controlled areas. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the digital and non-digital media types as all digital and non-digital media containing sensitive, controlled, and/or classified information. |
DoD has defined the digital and non-digital media types as all digital and non-digital media containing sensitive, controlled, and/or classified information. |
Media Storage |
MP-4 |
MP-4.2 |
Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Physically controlling information system media includes, for example, conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. Secure storage includes, for example, a locked drawer, desk, or cabinet, or a controlled media library. The type of media storage is commensurate with the security category and/or classification of the information residing on the media. Controlled areas are areas for which organizations provide sufficient physical and procedural safeguards to meet the requirements established for protecting information and/or information systems. For media containing information determined by organizations to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on organizations or individuals if accessed by other than authorized personnel, fewer safeguards may be needed. In these situations, physical access controls provide adequate protection. Related controls: CP-6, CP-9, MP-2, MP-7, PE-3. |
The organization:
a. Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and
b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures. |
| CCI-001016 |
The organization defines controlled areas where organization-defined types of digital and/or non-digital media are physically controlled and securely stored. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the controlled areas as areas approved for processing or storing data IAW the sensitivity and/or classification level of the information contained on/within the media. |
DoD has defined the controlled areas as areas approved for processing or storing data IAW the sensitivity and/or classification level of the information contained on/within the media. |
Media Storage |
MP-4 |
MP-4.3 |
Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Physically controlling information system media includes, for example, conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. Secure storage includes, for example, a locked drawer, desk, or cabinet, or a controlled media library. The type of media storage is commensurate with the security category and/or classification of the information residing on the media. Controlled areas are areas for which organizations provide sufficient physical and procedural safeguards to meet the requirements established for protecting information and/or information systems. For media containing information determined by organizations to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on organizations or individuals if accessed by other than authorized personnel, fewer safeguards may be needed. In these situations, physical access controls provide adequate protection. Related controls: CP-6, CP-9, MP-2, MP-7, PE-3. |
The organization:
a. Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and
b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures. |
| CCI-001017 |
The organization defines security measures for securing media storage. |
|
|
|
|
|
|
|
| CCI-001018 |
The organization protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures. |
The organization conducting the inspection/assessment obtains and examines the list of media and verifies it is being stored and protected IAW DoDM 5200.01 M Vol. 1-4. |
The organization being inspected/assessed protects information system media IAW DoDM 5200.01 M Vol. 1-4. |
Media Storage |
MP-4 |
MP-4.4 |
Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Physically controlling information system media includes, for example, conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. Secure storage includes, for example, a locked drawer, desk, or cabinet, or a controlled media library. The type of media storage is commensurate with the security category and/or classification of the information residing on the media. Controlled areas are areas for which organizations provide sufficient physical and procedural safeguards to meet the requirements established for protecting information and/or information systems. For media containing information determined by organizations to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on organizations or individuals if accessed by other than authorized personnel, fewer safeguards may be needed. In these situations, physical access controls provide adequate protection. Related controls: CP-6, CP-9, MP-2, MP-7, PE-3. |
The organization:
a. Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and
b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures. |
| CCI-001019 |
The organization employs cryptographic mechanisms to protect information in storage. |
|
|
|
|
|
|
|
| CCI-001020 |
The organization protects and controls organization-defined types of information system media during transport outside of controlled areas using organization-defined security safeguards. |
The organization conducting the inspection/assessment obtains and examines the organization's records management policy or process to ensure appropriate protection of information according to its classification or designation during transport outside of controlled areas, IAW security measures defined in DoDM 5200.01 M Vol. 1-4 and DoDD 5015.2. |
The organization being inspected/assessed protects and controls information system media during transport outside of controlled areas using security measures defined in DoDM 5200.01 M Vol. 1-4 and DoDD 5015.2. |
Media Transport |
MP-5 |
MP-5.1 |
Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers), that are transported outside of controlled areas. Controlled areas are areas or spaces for which organizations provide sufficient physical and/or procedural safeguards to meet the requirements established for protecting information and/or information systems.
Physical and technical safeguards for media are commensurate with the security category or classification of the information residing on the media. Safeguards to protect media during transport include, for example, locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service). Maintaining accountability of media during transport includes, for example, restricting transport activities to authorized personnel, and tracking and/or obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with organizational assessments of risk to include the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records. Related controls: AC-19, CP-9, MP-3, MP-4, RA-3, SC-8, SC-13, SC-28. |
The organization:
a. Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards];
b. Maintains accountability for information system media during transport outside of controlled areas;
c. Documents activities associated with the transport of information system media; and
d. Restricts the activities associated with the transport of information system media to authorized personnel. |
| CCI-001021 |
The organization defines types of information system media protected and controlled during transport outside of controlled areas. |
DoD has defined the types of information system media as all digital and non-digital media containing sensitive, controlled, and/or classified information.
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. |
DoD has defined the types of information system media as all digital and non-digital media containing sensitive, controlled, and/or classified information. |
Media Transport |
MP-5 |
MP-5.2 |
Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers), that are transported outside of controlled areas. Controlled areas are areas or spaces for which organizations provide sufficient physical and/or procedural safeguards to meet the requirements established for protecting information and/or information systems.
Physical and technical safeguards for media are commensurate with the security category or classification of the information residing on the media. Safeguards to protect media during transport include, for example, locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service). Maintaining accountability of media during transport includes, for example, restricting transport activities to authorized personnel, and tracking and/or obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with organizational assessments of risk to include the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records. Related controls: AC-19, CP-9, MP-3, MP-4, RA-3, SC-8, SC-13, SC-28. |
The organization:
a. Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards];
b. Maintains accountability for information system media during transport outside of controlled areas;
c. Documents activities associated with the transport of information system media; and
d. Restricts the activities associated with the transport of information system media to authorized personnel. |
| CCI-001022 |
The organization defines security safeguards to be used to protect and control organization-defined types of information system media during transport outside of controlled areas. |
DoD has defined the security safeguards as DoDI 5200.1R and other organizationally defined security safeguards.
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. |
DoD has defined the security safeguards as DoDI 5200.1R and other organizationally defined security safeguards. |
Media Transport |
MP-5 |
MP-5.3 |
Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers), that are transported outside of controlled areas. Controlled areas are areas or spaces for which organizations provide sufficient physical and/or procedural safeguards to meet the requirements established for protecting information and/or information systems.
Physical and technical safeguards for media are commensurate with the security category or classification of the information residing on the media. Safeguards to protect media during transport include, for example, locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service). Maintaining accountability of media during transport includes, for example, restricting transport activities to authorized personnel, and tracking and/or obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with organizational assessments of risk to include the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records. Related controls: AC-19, CP-9, MP-3, MP-4, RA-3, SC-8, SC-13, SC-28. |
The organization:
a. Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards];
b. Maintains accountability for information system media during transport outside of controlled areas;
c. Documents activities associated with the transport of information system media; and
d. Restricts the activities associated with the transport of information system media to authorized personnel. |
| CCI-001023 |
The organization maintains accountability for information system media during transport outside of controlled areas. |
The organization conducting the inspection/assessment obtains and examines the list of organization defined security measures (MP-2) to ensure method of accountability for information system media during transport outside of controlled areas has been identified. |
The organization being inspected/assessed ensures the organization defined security measures (MP-2) includes method of accountability for information system media during transport outside of controlled areas, IAW DoDM 5200.01 M Vol. 1-4 and DoDD 5015.2. |
Media Transport |
MP-5 |
MP-5.4 |
Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers), that are transported outside of controlled areas. Controlled areas are areas or spaces for which organizations provide sufficient physical and/or procedural safeguards to meet the requirements established for protecting information and/or information systems.
Physical and technical safeguards for media are commensurate with the security category or classification of the information residing on the media. Safeguards to protect media during transport include, for example, locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service). Maintaining accountability of media during transport includes, for example, restricting transport activities to authorized personnel, and tracking and/or obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with organizational assessments of risk to include the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records. Related controls: AC-19, CP-9, MP-3, MP-4, RA-3, SC-8, SC-13, SC-28. |
The organization:
a. Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards];
b. Maintains accountability for information system media during transport outside of controlled areas;
c. Documents activities associated with the transport of information system media; and
d. Restricts the activities associated with the transport of information system media to authorized personnel. |
| CCI-001024 |
The organization restricts the activities associated with the transport of information system media to authorized personnel. |
The organization conducting the inspection/assessment obtains and examines the list of personnel authorized to transport information system media outside of controlled areas.
Organizational personnel with information system media transport responsibilities and security management personnel are to be interviewed. The purpose of the reviews and reviews is to determine if the organization has established restrictions associated with the transport of information system media to authorized personnel only. |
The organization being inspected/assessed ensures the organization defined security measures (MP-2) includes a requirement to develop and maintain a list of personnel authorized to transport information system media outside of controlled areas, IAW DoDM 5200.01 M Vol. 1-4 and DoDD 5015.2.
Develop and maintain the list of personnel authorized to transport information system media outside of controlled areas. |
Media Transport |
MP-5 |
MP-5.6 |
Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers), that are transported outside of controlled areas. Controlled areas are areas or spaces for which organizations provide sufficient physical and/or procedural safeguards to meet the requirements established for protecting information and/or information systems.
Physical and technical safeguards for media are commensurate with the security category or classification of the information residing on the media. Safeguards to protect media during transport include, for example, locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service). Maintaining accountability of media during transport includes, for example, restricting transport activities to authorized personnel, and tracking and/or obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with organizational assessments of risk to include the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records. Related controls: AC-19, CP-9, MP-3, MP-4, RA-3, SC-8, SC-13, SC-28. |
The organization:
a. Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards];
b. Maintains accountability for information system media during transport outside of controlled areas;
c. Documents activities associated with the transport of information system media; and
d. Restricts the activities associated with the transport of information system media to authorized personnel. |
| CCI-001025 |
The organization documents activities associated with the transport of information system media. |
The organization conducting the inspection/assessment obtains and examines the documented activities to ensure the organization being inspected/assessed documents activities associated with the transport of information system media. |
The organization being inspected/assessed documents activities associated with the transport of information system media. |
Media Transport |
MP-5 |
MP-5.5 |
Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers), that are transported outside of controlled areas. Controlled areas are areas or spaces for which organizations provide sufficient physical and/or procedural safeguards to meet the requirements established for protecting information and/or information systems.
Physical and technical safeguards for media are commensurate with the security category or classification of the information residing on the media. Safeguards to protect media during transport include, for example, locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service). Maintaining accountability of media during transport includes, for example, restricting transport activities to authorized personnel, and tracking and/or obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with organizational assessments of risk to include the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records. Related controls: AC-19, CP-9, MP-3, MP-4, RA-3, SC-8, SC-13, SC-28. |
The organization:
a. Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards];
b. Maintains accountability for information system media during transport outside of controlled areas;
c. Documents activities associated with the transport of information system media; and
d. Restricts the activities associated with the transport of information system media to authorized personnel. |
| CCI-001026 |
The organization employs an identified custodian during transport of information system media outside of controlled areas. |
The organization conducting the inspection/assessment obtains and examines documentation identifying the custodian that is at all times responsible for the transport of the all information system media, from pick-up to final delivery and receipt acknowledgement. |
The organization being inspected/assessed identifies and documents a custodian that is at all times responsible for the transport of the all information system media, from pick-up to final delivery and receipt acknowledgement. |
Media Transport | Custodians |
MP-5 (3) |
MP-5(3).1 |
Identified custodians provide organizations with specific points of contact during the media transport process and facilitate individual accountability. Custodial responsibilities can be transferred from one individual to another as long as an unambiguous custodian is identified at all times. |
The organization employs an identified custodian during transport of information system media outside of controlled areas. |
| CCI-001027 |
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. |
The organization conducting the inspection/assessment obtains and examines the Security Plan to ensure the organization being inspected has identified FIPS 140-2 or other NSA approved cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. |
The organization being inspected/assessed shall document within their Security Plan, and implement, FIPS 140-2 or other NSA approved cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. |
Media Transport | Cryptographic Protection |
MP-5 (4) |
MP-5(4).1 |
This control enhancement applies to both portable storage devices (e.g., USB memory sticks, compact disks, digital video disks, external/removable hard disk drives) and mobile devices with storage capability (e.g., smart phones, tablets, E-readers). Related control: MP-2. |
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. |
| CCI-001028 |
The organization sanitizes organization-defined information system media prior to disposal, release out of organizational control, or release for reuse using organization-defined sanitization techniques and procedures in accordance with applicable federal and organizational standards and policies. |
The organization conducting the inspection/assessment obtains and examines media sanitization records, audit records, any other relevant documents or records, and sanitization tools to ensure sanitization is in compliance with DoDM 5200.01 Vol. 1-4 and uses techniques and procedures IAW NIST SP 800-88.
The objective of the review is to verify the organization is sanitizing its digital and non-digital information system media prior to disposal, release for reuse, or release out of the organizational control.
DoD has defined the sanitization techniques as techniques and procedures IAW NIST SP 800-88.
DoD has defined the information system media as all media. |
The organization being inspected/assessed sanitizes all media prior to disposal, release out of organizational control, or release for reuse IAW DoDM 5200.01 Vol. 1-4 using techniques and procedures IAW NIST SP 800-88.
DoD has defined the sanitization techniques as techniques and procedures IAW NIST SP 800-88.
DoD has defined the information system media as all media. |
Media Sanitization |
MP-6 |
MP-6.1 |
This control applies to all information system media, both digital and non-digital, subject to disposal or reuse, whether or not the media is considered removable. Examples include media found in scanners, copiers, printers, notebook computers, workstations, network components, and mobile devices. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal.
Sanitization of non-digital media includes, for example, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections/words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media containing classified information. Related controls: MA-2, MA-4, RA-3, SC-4. |
The organization:
a. Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and
b. Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information. |
| CCI-001029 |
The organization tracks, documents, and verifies media sanitization and disposal actions. |
|
|
|
|
|
|
|
| CCI-001030 |
The organization tests sanitization equipment and procedures in accordance with the organization-defined frequency to verify that the intended sanitization is being achieved. |
The organization conducting the inspection/assessment obtains and examines documented test plans and evidence of past tests to ensure that tests are conducted every 180 days to verify correct performance of sanitization equipment and procedures.
DoD has defined the frequency as every 180 days. |
The organization being inspected/assessed shall document plans to implement their sanitization equipment and procedures every 180 days to verify correct performance.
DoD has defined the frequency as every 180 days. |
Media Sanitization | Equipment Testing |
MP-6 (2) |
MP-6(2).1 |
Testing of sanitization equipment and procedures may be conducted by qualified and authorized external entities (e.g., other federal agencies or external service providers). |
The organization tests sanitization equipment and procedures [Assignment: organization-defined frequency] to verify that the intended sanitization is being achieved. |
| CCI-001031 |
The organization defines a frequency for testing sanitization equipment and procedures to verify that the intended sanitization is being achieved. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as every 180 days. |
DoD has defined the frequency as every 180 days. |
Media Sanitization | Equipment Testing |
MP-6 (2) |
MP-6(2).2 |
Testing of sanitization equipment and procedures may be conducted by qualified and authorized external entities (e.g., other federal agencies or external service providers). |
The organization tests sanitization equipment and procedures [Assignment: organization-defined frequency] to verify that the intended sanitization is being achieved. |
| CCI-001032 |
The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system in accordance with organization-defined circumstances requiring sanitization of portable storage devices. |
The organization conducting the inspection/assessment obtains and examines media sanitization records, audit records, and any other relevant documents or records.
The objective of the reviews is to confirm the organization is in compliance with the list of defined circumstances requiring the sanitization of portable storage devices prior to connecting such devices to the information system. |
The organization being inspected/assessed documents and implements plans to apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system when such devices are first purchased from the manufacturer or vendor prior to initial use, when being considered for reuse, or when the organization loses a positive chain of custody for the device. Media obtained from unknown sources shall not be sanitized and reused.
Portable storage devices include but are not limited to thumb drives, flash drives, and external storage devices.
DoD has defined the circumstances as when such devices are first purchased from the manufacturer or vendor prior to initial use, when being considered for reuse, or when the organization loses a positive chain of custody for the device. Media obtained from unknown sources shall not be sanitized and reused. |
Media Sanitization | Nondestructive Techniques |
MP-6 (3) |
MP-6(3).1 |
This control enhancement applies to digital media containing classified information and Controlled Unclassified Information (CUI). Portable storage devices can be the source of malicious code insertions into organizational information systems. Many of these devices are obtained from unknown and potentially untrustworthy sources and may contain malicious code that can be readily transferred to information systems through USB ports or other entry portals. While scanning such storage devices is always recommended, sanitization provides additional assurance that the devices are free of malicious code to include code capable of initiating zero-day attacks. Organizations consider nondestructive sanitization of portable storage devices when such devices are first purchased from the manufacturer or vendor prior to initial use or when organizations lose a positive chain of custody for the devices. Related control: SI-3. |
The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under the following circumstances: [Assignment: organization-defined circumstances requiring sanitization of portable storage devices]. |
| CCI-001033 |
The organization defines circumstances requiring sanitization of portable storage devices prior to connecting such devices to the information system. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the circumstances as when such devices are first purchased from the manufacturer or vendor prior to initial use, when being considered for reuse, or when the organization loses a positive chain of custody for the device. Media obtained from unknown sources shall not be sanitized and reused. |
DoD has defined the list circumstances as when such devices are first purchased from the manufacturer or vendor prior to initial use, when being considered for reuse, or when the organization loses a positive chain of custody for the device. Media obtained from unknown sources shall not be sanitized and reused. |
Media Sanitization | Nondestructive Techniques |
MP-6 (3) |
MP-6(3).2 |
This control enhancement applies to digital media containing classified information and Controlled Unclassified Information (CUI). Portable storage devices can be the source of malicious code insertions into organizational information systems. Many of these devices are obtained from unknown and potentially untrustworthy sources and may contain malicious code that can be readily transferred to information systems through USB ports or other entry portals. While scanning such storage devices is always recommended, sanitization provides additional assurance that the devices are free of malicious code to include code capable of initiating zero-day attacks. Organizations consider nondestructive sanitization of portable storage devices when such devices are first purchased from the manufacturer or vendor prior to initial use or when organizations lose a positive chain of custody for the devices. Related control: SI-3. |
The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under the following circumstances: [Assignment: organization-defined circumstances requiring sanitization of portable storage devices]. |
| CCI-001034 |
The organization sanitizes information system media containing Controlled Unclassified Information (CUI) or other sensitive information in accordance with applicable organizational and/or federal standards and policies. |
|
|
|
|
|
|
|
| CCI-001035 |
The organization sanitizes information system media containing classified information in accordance with NSA standards and policies. |
|
|
|
|
|
|
|
| CCI-001036 |
The organization destroys information system media that cannot be sanitized. |
|
|
|
|
|
|
|
| CCI-001037 |
The organization develops and documents a risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
NIST SP 800-30 meets the DoD requirements for risk assessment policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoDi 8510.01 which adopts NIST SP 800-30 as the DoD risk assessment policy. |
NIST SP 800-30 meets the DoD requirements for risk assessment policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoDi 8510.01 which adopts NIST SP 800-30 as the DoD risk assessment policy. |
Risk Assessment Policy And Procedures |
RA-1 |
RA-1.3 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and
b. Reviews and updates the current:
1. Risk assessment policy [Assignment: organization-defined frequency]; and
2. Risk assessment procedures [Assignment: organization-defined frequency]. |
| CCI-001038 |
The organization disseminates a risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance to organization-defined personnel or roles. |
NIST SP 800-30 meets the DoD requirements for risk assessment policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoDi 8510.01 which adopts NIST SP 800-30 as the DoD risk assessment policy. |
NIST SP 800-30 meets the DoD requirements for risk assessment policy and procedures and is disseminated via the NIST publications site: http://csrc.nist.gov/publications/PubsSPs.html
DoD Components are automatically compliant with this CCI because they are covered by the DoDi 8510.01 which adopts NIST SP 800-30 as the DoD risk assessment policy. |
Risk Assessment Policy And Procedures |
RA-1 |
RA-1.4 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and
b. Reviews and updates the current:
1. Risk assessment policy [Assignment: organization-defined frequency]; and
2. Risk assessment procedures [Assignment: organization-defined frequency]. |
| CCI-001039 |
The organization reviews and updates the current risk assessment policy in accordance with organization-defined frequency. |
NIST SP 800-30 meets the DoD requirements for risk assessment policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoDi 8510.01 which adopts NIST SP 800-30 as the DoD risk assessment policy. |
NIST SP 800-30 meets the DoD requirements for risk assessment policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoDi 8510.01 which adopts NIST SP 800-30 as the DoD risk assessment policy. |
Risk Assessment Policy And Procedures |
RA-1 |
RA-1.7 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and
b. Reviews and updates the current:
1. Risk assessment policy [Assignment: organization-defined frequency]; and
2. Risk assessment procedures [Assignment: organization-defined frequency]. |
| CCI-001040 |
The organization defines the frequency with which to review and update the current risk assessment policy. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. |
DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. |
Risk Assessment Policy And Procedures |
RA-1 |
RA-1.8 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and
b. Reviews and updates the current:
1. Risk assessment policy [Assignment: organization-defined frequency]; and
2. Risk assessment procedures [Assignment: organization-defined frequency]. |
| CCI-001041 |
The organization develops and documents procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls. |
NIST SP 800-30 meets the DoD requirements for risk assessment policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoDi 8510.01 which adopts NIST SP 800-30 as the DoD risk assessment policy. |
NIST SP 800-30 meets the DoD requirements for risk assessment policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoDi 8510.01 which adopts NIST SP 800-30 as the DoD risk assessment policy. |
Risk Assessment Policy And Procedures |
RA-1 |
RA-1.5 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and
b. Reviews and updates the current:
1. Risk assessment policy [Assignment: organization-defined frequency]; and
2. Risk assessment procedures [Assignment: organization-defined frequency]. |
| CCI-001042 |
The organization disseminates risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls to organization-defined personnel or roles. |
NIST SP 800-30 meets the DoD requirements for risk assessment policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoDi 8510.01 which adopts NIST SP 800-30 as the DoD risk assessment policy. |
NIST SP 800-30 meets the DoD requirements for risk assessment policy and procedures and is disseminated via the NIST publications site: http://csrc.nist.gov/publications/PubsSPs.html
DoD Components are automatically compliant with this CCI because they are covered by the DoDi 8510.01 which adopts NIST SP 800-30 as the DoD risk assessment policy. |
Risk Assessment Policy And Procedures |
RA-1 |
RA-1.6 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and
b. Reviews and updates the current:
1. Risk assessment policy [Assignment: organization-defined frequency]; and
2. Risk assessment procedures [Assignment: organization-defined frequency]. |
| CCI-001043 |
The organization reviews and updates the current risk assessment procedures in accordance with organization-defined frequency. |
NIST SP 800-30 meets the DoD requirements for risk assessment policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoDi 8510.01 which adopts NIST SP 800-30 as the DoD risk assessment policy. |
NIST SP 800-30 meets the DoD requirements for risk assessment policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoDi 8510.01 which adopts NIST SP 800-30 as the DoD risk assessment policy. |
Risk Assessment Policy And Procedures |
RA-1 |
RA-1.9 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and
b. Reviews and updates the current:
1. Risk assessment policy [Assignment: organization-defined frequency]; and
2. Risk assessment procedures [Assignment: organization-defined frequency]. |
| CCI-001044 |
The organization defines the frequency with which to review and update the current risk assessment procedures. |
DoD Components are automatically compliant with this CCI because they are covered by the DoDi 8510.01 which adopts NIST SP 800-30 as the DoD risk assessment policy.
DoD has defined the frequency as annually - updated as appropriate. |
DoD Components are automatically compliant with this CCI because they are covered by the DoDi 8510.01 which adopts NIST SP 800-30 as the DoD risk assessment policy. |
Risk Assessment Policy And Procedures |
RA-1 |
RA-1.10 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and
b. Reviews and updates the current:
1. Risk assessment policy [Assignment: organization-defined frequency]; and
2. Risk assessment procedures [Assignment: organization-defined frequency]. |
| CCI-001045 |
The organization categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed categorizes information and the information system in accordance with CNSSI 1253 and applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
|
The organization being inspected/assessed documents and implements a process to categorize information and the information system in accordance with CNSSI 1253 and applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
|
Security Categorization |
RA-2 |
RA-2.1 |
Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are comprised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted. Related controls: CM-8, MP-4, RA-3, SC-7. |
The organization:
a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and
c. Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative. |
| CCI-001046 |
The organization documents the security categorization results (including supporting rationale) in the security plan for the information system. |
The organization conducting the inspection/assessment obtains and examines the documented security categorization results to ensure the organization being inspected/assessed documents the security categorization results (including supporting rationale) in the security plan for the information system IAW CNSSI 1253. |
The organization being inspected/assessed documents the security categorization results (including supporting rationale) in the security plan for the information system IAW CNSSI 1253.
|
Security Categorization |
RA-2 |
RA-2.2 |
Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are comprised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted. Related controls: CM-8, MP-4, RA-3, SC-7. |
The organization:
a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and
c. Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative. |
| CCI-001047 |
The organization ensures the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed ensures the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative. |
The organization being inspected/assessed documents and implements a process IAW CNSSI 1253 to ensure the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative. |
Security Categorization |
RA-2 |
RA-2.3 |
Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are comprised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted. Related controls: CM-8, MP-4, RA-3, SC-7. |
The organization:
a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and
c. Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative. |
| CCI-001074 |
The organization develops a system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
DoDI 8523.01 "Communications Security (COMSEC)"meets the DoD requirement for developing a system and communications protection policy.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8523.01. |
DoDI 8523.01 "Communications Security (COMSEC)"meets the DoD requirement for developing a system and communications protection policy.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8523.01. |
System And Communications Protection Policy And Procedures |
SC-1 |
SC-1.3 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and
b. Reviews and updates the current:
1. System and communications protection policy [Assignment: organization-defined frequency]; and
2. System and communications protection procedures [Assignment: organization-defined frequency]. |
| CCI-001075 |
The organization disseminates to organization-defined personnel or roles the system and communications protection policy. |
DoDI 8523.01 "Communications Security (COMSEC)"meets the DoD requirement for disseminating the system and communications protection policy.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8523.01. |
DoDI 8523.01 "Communications Security (COMSEC)"meets the DoD requirement for disseminating the system and communications protection policy.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8523.01. |
System And Communications Protection Policy And Procedures |
SC-1 |
SC-1.4 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and
b. Reviews and updates the current:
1. System and communications protection policy [Assignment: organization-defined frequency]; and
2. System and communications protection procedures [Assignment: organization-defined frequency]. |
| CCI-001076 |
The organization reviews and updates the system and communications protection policy in accordance with organization-defined frequency. |
DoDI 8523.01 "Communications Security (COMSEC)"meets the DoD requirement for reviewing and updating the system and communications protection policy.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8523.01. |
DoDI 8523.01 "Communications Security (COMSEC)"meets the DoD requirement for reviewing and updating the system and communications protection policy.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8523.01. |
System And Communications Protection Policy And Procedures |
SC-1 |
SC-1.7 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and
b. Reviews and updates the current:
1. System and communications protection policy [Assignment: organization-defined frequency]; and
2. System and communications protection procedures [Assignment: organization-defined frequency]. |
| CCI-001077 |
The organization defines the frequency for reviewing and updating the system and communications protection policy. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as every 5 years. |
DoD has defined the frequency as every 5 years. |
System And Communications Protection Policy And Procedures |
SC-1 |
SC-1.8 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and
b. Reviews and updates the current:
1. System and communications protection policy [Assignment: organization-defined frequency]; and
2. System and communications protection procedures [Assignment: organization-defined frequency]. |
| CCI-001078 |
The organization develops system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls. |
DoDI 8523.01 "Communications Security (COMSEC)"meets the DoD requirement for developing system and communications protection procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8523.01. |
DoDI 8523.01 "Communications Security (COMSEC)"meets the DoD requirement for developing system and communications protection procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8523.01. |
System And Communications Protection Policy And Procedures |
SC-1 |
SC-1.5 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and
b. Reviews and updates the current:
1. System and communications protection policy [Assignment: organization-defined frequency]; and
2. System and communications protection procedures [Assignment: organization-defined frequency]. |
| CCI-001079 |
The organization disseminates to organization-defined personnel or roles the procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls. |
DoDI 8523.01 "Communications Security (COMSEC)"meets the DoD requirement for disseminating the procedures to facilitate the implementation of the system and communications protection policy.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8523.01. |
DoDI 8523.01 "Communications Security (COMSEC)"meets the DoD requirement for disseminating the procedures to facilitate the implementation of the system and communications protection policy.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8523.01. |
System And Communications Protection Policy And Procedures |
SC-1 |
SC-1.6 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and
b. Reviews and updates the current:
1. System and communications protection policy [Assignment: organization-defined frequency]; and
2. System and communications protection procedures [Assignment: organization-defined frequency]. |
| CCI-001080 |
The organization reviews and updates the system and communications protection procedures in accordance with organization-defined frequency. |
DoDI 8523.01 "Communications Security (COMSEC)"meets the DoD requirement for reviewing and updating the system and communications protection procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8523.01. |
DoDI 8523.01 "Communications Security (COMSEC)"meets the DoD requirement for reviewing and updating the system and communications protection procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8523.01. |
System And Communications Protection Policy And Procedures |
SC-1 |
SC-1.9 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and
b. Reviews and updates the current:
1. System and communications protection policy [Assignment: organization-defined frequency]; and
2. System and communications protection procedures [Assignment: organization-defined frequency]. |
| CCI-001081 |
The organization defines the frequency of system and communications protection procedure reviews and updates. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as annually. |
DoD has defined the frequency as annually. |
System And Communications Protection Policy And Procedures |
SC-1 |
SC-1.10 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and
b. Reviews and updates the current:
1. System and communications protection policy [Assignment: organization-defined frequency]; and
2. System and communications protection procedures [Assignment: organization-defined frequency]. |
| CCI-001082 |
The information system separates user functionality (including user interface services) from information system management functionality. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to separate user functionality (including user interface services) from information system management functionality.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1082. |
The organization being inspected/assessed configures the information system to separate user functionality (including user interface services) from information system management functionality.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1082. |
Application Partitioning |
SC-2 |
SC-2.1 |
Information system management functionality includes, for example, functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from information system management functionality is either physical or logical. Organizations implement separation of system management-related functionality from user functionality by using different computers, different central processing units, different instances of operating systems, different network addresses, virtualization techniques, or combinations of these or other methods, as appropriate. This type of separation includes, for example, web administrative interfaces that use separate authentication methods for users of any other information system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls. Related controls: SA-4, SA-8, SC-3. |
The information system separates user functionality (including user interface services)from information system management functionality. |
| CCI-001083 |
The information system prevents the presentation of information system management-related functionality at an interface for non-privileged users. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prevent the presentation of information system management-related functionality at an interface for non-privileged users.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1083. |
The organization being inspected/assessed configures the information system to prevent the presentation of information system management-related functionality at an interface for non-privileged users.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1083. |
Application Partitioning | Interfaces For Non-Privileged Users |
SC-2 (1) |
SC-2(1).1 |
This control enhancement ensures that administration options (e.g., administrator privileges) are not available to general users (including prohibiting the use of the grey-out option commonly used to eliminate accessibility to such information). Such restrictions include, for example, not presenting administration options until users establish sessions with administrator privileges. Related control: AC-3. |
The information system prevents the presentation of information system management-related functionality at an interface for non-privileged users. |
| CCI-001090 |
The information system prevents unauthorized and unintended information transfer via shared system resources. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prevent unauthorized and unintended information transfer via shared system resources.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1090. |
The organization being inspected/assessed configures the information system to prevent unauthorized and unintended information transfer via shared system resources.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1090. |
Information In Shared Resources |
SC-4 |
SC-4.1 |
This control prevents information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This control does not address: (i) information remanence which refers to residual representation of data that has been nominally erased or removed; (ii) covert channels (including storage and/or timing channels) where shared resources are manipulated to violate information flow restrictions; or (iii) components within information systems for which there are only single users/roles. Related controls: AC-3, AC-4, MP-6. |
The information system prevents unauthorized and unintended information transfer via shared system resources. |
| CCI-001091 |
The information system does not share resources that are used to interface with systems operating at different security levels. |
|
|
|
|
|
|
|
| CCI-001092 |
The information system protects against or limits the effects of the organization-defined or referenced types of denial of service attacks. |
|
|
|
|
|
|
|
| CCI-001093 |
The organization defines the types of denial of service attacks (or provides references to sources of current denial of service attacks) that can be addressed by the information system. |
The organization conducting the inspection/assessment obtains and examines the documented types of denial of service attacks to ensure the organization being inspected/assessed defines the types of denial of service attacks (or provides references to sources of current denial of service attacks) that can be addressed by the information system.
DoD has determined the types of denial of service attacks are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the types of denial of service attacks (or provides references to sources of current denial of service attacks) that can be addressed by the information system.
DoD has determined the types of denial of service attacks are not appropriate to define at the Enterprise level. |
Denial Of Service Protection |
SC-5 |
SC-5.1 |
A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may also reduce the susceptibility to denial of service attacks. Related controls: SC-6, SC-7. |
The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards]. |
| CCI-001094 |
The information system restricts the ability of individuals to launch organization-defined denial of service attacks against other information systems. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to restrict the ability of individuals to launch denial of service attacks defined in SC-5 (1), CCI 2387 against other information systems.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1094. |
The organization being inspected/assessed configures the information system to restrict the ability of individuals to launch denial of service attacks defined in SC-5 (1), CCI 2387 against other information systems.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1094. |
Denial Of Service Protection | Restrict Internal Users |
SC-5 (1) |
SC-5(1).1 |
Restricting the ability of individuals to launch denial of service attacks requires that the mechanisms used for such attacks are unavailable. Individuals of concern can include, for example, hostile insiders or external adversaries that have successfully breached the information system and are using the system as a platform to launch cyber attacks on third parties. Organizations can restrict the ability of individuals to connect and transmit arbitrary information on the transport medium (i.e., network, wireless spectrum). Organizations can also limit the ability of individuals to use excessive information system resources. Protection against individuals having the ability to launch denial of service attacks may be implemented on specific information systems or on boundary devices prohibiting egress to potential target systems. |
The information system restricts the ability of individuals to launch [Assignment: organization-defined denial of service attacks] against other information systems. |
| CCI-001095 |
The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1095. |
The organization being inspected/assessed configures the information system to manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1095. |
Denial Of Service Protection | Excess Capacity / Bandwidth / Redundancy |
SC-5 (2) |
SC-5(2).1 |
Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning. |
The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding denial of service attacks. |
| CCI-001096 |
The information system limits the use of resources by priority. |
|
|
|
|
|
|
|
| CCI-001127 |
The information system protects the integrity of transmitted information. |
|
|
|
|
|
|
|
| CCI-001128 |
The organization employs cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures. |
|
|
|
|
|
|
|
| CCI-001129 |
The information system maintains the integrity of information during aggregation, packaging, and transformation in preparation for transmission. |
|
|
|
|
|
|
|
| CCI-001130 |
The information system protects the confidentiality of transmitted information. |
|
|
|
|
|
|
|
| CCI-001131 |
The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures. |
|
|
|
|
|
|
|
| CCI-001132 |
The information system maintains the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission. |
|
|
|
|
|
|
|
| CCI-001133 |
The information system terminates the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to terminate the network connection associated with a communications session at the end of the session or after 10 minutes in band management and 15 minutes for user sessions.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1133.
DoD has defined the time period as 10 minutes in band management and 15 minutes for user sessions. |
The organization being inspected/assessed configures the information system to terminate the network connection associated with a communications session at the end of the session or after 10 minutes in band management and 15 minutes for user sessions.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1133.
DoD has defined the time period as 10 minutes in band management and 15 minutes for user sessions. |
Network Disconnect |
SC-10 |
SC-10.1 |
This control applies to both internal and external networks. Terminating network connections associated with communications sessions include, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. Time periods of inactivity may be established by organizations and include, for example, time periods by type of network access or for specific network accesses. |
The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity. |
| CCI-001134 |
The organization defines the time period of inactivity after which the information system terminates a network connection associated with a communications session. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as 10 minutes in band management and 15 minutes for user sessions. |
DoD has defined the time period as 10 minutes in band management and 15 minutes for user sessions. |
Network Disconnect |
SC-10 |
SC-10.2 |
This control applies to both internal and external networks. Terminating network connections associated with communications sessions include, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. Time periods of inactivity may be established by organizations and include, for example, time periods by type of network access or for specific network accesses. |
The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity. |
| CCI-001137 |
The organization establishes cryptographic keys for required cryptography employed within the information system. |
|
|
|
|
|
|
|
| CCI-001138 |
The organization manages cryptographic keys for required cryptography employed within the information system. |
|
|
|
|
|
|
|
| CCI-001139 |
The organization maintains availability of information in the event of the loss of cryptographic keys by users. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed maintains availability of information in the event of the loss of cryptographic keys by users. |
The organization being inspected/assessed documents and implements a process to maintain availability of information in the event of the loss of cryptographic keys by users. |
Cryptographic Key Establishment And Management | Availability |
SC-12 (1) |
SC-12(1).1 |
Escrowing of encryption keys is a common practice for ensuring availability in the event of loss of keys (e.g., due to forgotten passphrase). |
The organization maintains availability of information in the event of the loss of cryptographic keys by users. |
| CCI-001140 |
The organization produces, controls, and distributes symmetric cryptographic keys using NIST-approved or NSA-approved key management technology and processes. |
|
|
|
|
|
|
|
| CCI-001141 |
The organization produces, controls, and distributes symmetric and asymmetric cryptographic keys using NSA-approved key management technology and processes. |
|
|
|
|
|
|
|
| CCI-001142 |
The organization produces, controls, and distributes asymmetric cryptographic keys using approved PKI Class 3 certificates or prepositioned keying material. |
|
|
|
|
|
|
|
| CCI-001143 |
The organization produces, controls, and distributes asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key. |
|
|
|
|
|
|
|
| CCI-001144 |
The information system implements required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. |
|
|
|
|
|
|
|
| CCI-001145 |
The organization employs, at a minimum, FIPS-validated cryptography to protect unclassified information. |
|
|
|
|
|
|
|
| CCI-001146 |
The organization employs NSA-approved cryptography to protect classified information. |
|
|
|
|
|
|
|
| CCI-001147 |
The organization employs, at a minimum, FIPS-validated cryptography to protect information when such information must be separated from individuals who have the necessary clearances yet lack the necessary access approvals. |
|
|
|
|
|
|
|
| CCI-001149 |
The information system protects the integrity and availability of publicly available information and applications. |
|
|
|
|
|
|
|
| CCI-001150 |
The information system prohibits remote activation of collaborative computing devices, excluding the organization-defined exceptions where remote activation is to be allowed. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prohibit remote activation of collaborative computing devices excluding dedicated VTC suites located in approved VTC locations that are centrally managed.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1150.
DoD has defined the exceptions as dedicated VTC suites located in approved VTC locations that are centrally managed. |
The organization being inspected/assessed configures the information system to prohibit remote activation of collaborative computing devices excluding dedicated VTC suites located in approved VTC locations that are centrally managed.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1150.
DoD has defined the exceptions as dedicated VTC suites located in approved VTC locations that are centrally managed. |
Collaborative Computing Devices |
SC-15 |
SC-15.1 |
Collaborative computing devices include, for example, networked white boards, cameras, and microphones. Explicit indication of use includes, for example, signals to users when collaborative computing devices are activated. Related control: AC-21. |
The information system:
a. Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and
b. Provides an explicit indication of use to users physically present at the devices. |
| CCI-001151 |
The organization defines exceptions to the prohibition of collaborative computing devices where remote activation is to be allowed. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the exceptions as dedicated VTC suites located in approved VTC locations that are centrally managed. |
DoD has defined the exceptions as dedicated VTC suites located in approved VTC locations that are centrally managed. |
Collaborative Computing Devices |
SC-15 |
SC-15.2 |
Collaborative computing devices include, for example, networked white boards, cameras, and microphones. Explicit indication of use includes, for example, signals to users when collaborative computing devices are activated. Related control: AC-21. |
The information system:
a. Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and
b. Provides an explicit indication of use to users physically present at the devices. |
| CCI-001152 |
The information system provides an explicit indication of use to users physically present at collaborative computing devices. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide an explicit indication of use to users physically present at collaborative computing devices.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1152. |
The organization being inspected/assessed configures the information system to provide an explicit indication of use to users physically present at collaborative computing devices.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1152. |
Collaborative Computing Devices |
SC-15 |
SC-15.3 |
Collaborative computing devices include, for example, networked white boards, cameras, and microphones. Explicit indication of use includes, for example, signals to users when collaborative computing devices are activated. Related control: AC-21. |
The information system:
a. Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and
b. Provides an explicit indication of use to users physically present at the devices. |
| CCI-001153 |
The information system provides physical disconnect of collaborative computing devices in a manner that supports ease of use. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed provides a means of physical disconnect of collaborative computing devices in a manner that supports ease of use.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1153. |
The organization being inspected/assessed provides a means of physical disconnect of collaborative computing devices in a manner that supports ease of use.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1153. |
Collaborative Computing Devices | Physical Disconnect |
SC-15 (1) |
SC-15(1).1 |
Failing to physically disconnect from collaborative computing devices can result in subsequent compromises of organizational information. Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure that participants actually carry out the disconnect activity without having to go through complex and tedious procedures. |
The information system provides physical disconnect of collaborative computing devices in a manner that supports ease of use. |
| CCI-001154 |
The information system or supporting environment blocks both inbound and outbound traffic between instant messaging clients that are independently configured by end users and external service providers. |
|
|
|
|
|
|
|
| CCI-001155 |
The organization disables or removes collaborative computing devices from organization-defined information systems or information system components in organization-defined secure work areas. |
The organization conducting the inspection/assessment obtains and examines the organization defined secure work area to ensure that any device that may incorporate camera, microphone, or smart board capability has been disabled or removed.
DoD has defined information systems or information system components as any device used that may incorporate camera, microphone, or smart board capability. |
The organization being inspected/assessed implements a process to disable or remove any device used that may incorporate camera, microphone, or smart board capability in secure work areas defined in SC-15 (3), CCI 1156.
DoD has defined information systems or information system components as any device used that may incorporate camera, microphone, or smart board capability. |
Collaborative Computing Devices | Disabling / Removal In Secure Work Areas |
SC-15 (3) |
SC-15(3).1 |
Failing to disable or remove collaborative computing devices from information systems or information system components can result in subsequent compromises of organizational information including, for example, eavesdropping on conversations. |
The organization disables or removes collaborative computing devices from [Assignment: organization-defined information systems or information system components] in [Assignment: organization-defined secure work areas]. |
| CCI-001156 |
The organization defines secure work areas where collaborative computing devices are to be disabled or removed. |
The organization conducting the inspection/assessment obtains and examines the documented secure work areas to ensure the organization being inspected/assessed defines secure work areas where collaborative computing devices are to be disabled or removed.
DoD has determined the secure work areas are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents secure work areas where collaborative computing devices are to be disabled or removed.
DoD has determined the secure work areas are not appropriate to define at the Enterprise level. |
Collaborative Computing Devices | Disabling / Removal In Secure Work Areas |
SC-15 (3) |
SC-15(3).2 |
Failing to disable or remove collaborative computing devices from information systems or information system components can result in subsequent compromises of organizational information including, for example, eavesdropping on conversations. |
The organization disables or removes collaborative computing devices from [Assignment: organization-defined information systems or information system components] in [Assignment: organization-defined secure work areas]. |
| CCI-001157 |
The information system associates organization-defined security attributes with information exchanged between information systems. |
The organization conducting the inspection/assessment examines the information system to ensure it associates security attributes defined in SC-16, CCI 2454 with information exchanged between information systems. |
The organization being inspected/assessed implements association of security attributes defined in SC-16, CCI 2454 with information exchanged between information systems. |
Transmission Of Security Attributes |
SC-16 |
SC-16.1 |
Security attributes can be explicitly or implicitly associated with the information contained in organizational information systems or system components. Related controls: AC-3, AC-4, AC-16. |
The information system associates [Assignment: organization-defined security attributes] with information exchanged between information systems and between system components.
|
| CCI-001158 |
The information system validates the integrity of transmitted security attributes. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to validate the integrity of transmitted security attributes.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1158. |
The organization being inspected/assessed configures the information system to validate the integrity of transmitted security attributes.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1158. |
Transmission Of Security Attributes | Integrity Validation |
SC-16 (1) |
SC-16(1).1 |
This control enhancement ensures that the verification of the integrity of transmitted information includes security attributes. Related controls: AU-10, SC-8. |
The information system validates the integrity of transmitted security attributes.
|
| CCI-001159 |
The organization issues public key certificates under an organization-defined certificate policy or obtains public key certificates from an approved service provider. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to issue public key certificates under DoDI 8520.02, "Public Key Infrastructure (PKI) and Public Key (PK) Enabling" or obtains public key certificates from an approved service provider.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1159.
DoD has defined the certificate policy as DoDI 8520.02, "Public Key Infrastructure (PKI) and Public Key (PK) Enabling." |
The organization being inspected/assessed configures the information system to issue public key certificates under DoDI 8520.02, "Public Key Infrastructure (PKI) and Public Key (PK) Enabling" or obtains public key certificates from an approved service provider.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1159.
DoD has defined the certificate policy as DoDI 8520.02, "Public Key Infrastructure (PKI) and Public Key (PK) Enabling." |
Public Key Infrastructure Certificates |
SC-17 |
SC-17.1 |
For all certificates, organizations manage information system trust stores to ensure only approved trust anchors are in the trust stores. This control addresses both certificates with visibility external to organizational information systems and certificates related to the internal operations of systems, for example, application-specific time services. Related control: SC-12. |
The organization issues public key certificates under an [Assignment: organization defined certificate policy] or obtains public key certificates from an approved service provider. |
| CCI-001180 |
The information system performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems. |
|
|
|
|
|
|
|
| CCI-001181 |
The information system performs data origin authentication and data integrity verification on all resolution responses received whether or not local client systems explicitly request this service. |
|
|
|
|
|
|
|
| CCI-001194 |
The information system employs organization-defined information system components with minimal functionality and information storage. |
The organization conducting the inspection/assessment obtains and examines the hardware list to ensure the organization being inspected/assessed employs information system components defined in SC-25, CCI 2471 with minimal functionality and information storage. |
The organization being inspected/assessed employs information system components defined in SC-25, CCI 2471 with minimal functionality and information storage. |
Thin Nodes |
SC-25 |
SC-25.1 |
The deployment of information system components with reduced/minimal functionality (e.g., diskless nodes and thin client technologies) reduces the need to secure every user endpoint, and may reduce the exposure of information, information systems, and services to cyber attacks. Related control: SC-30. |
The organization employs [Assignment: organization-defined information system components] with minimal functionality and information storage. |
| CCI-001195 |
The information system includes components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks. |
The organization conducting the inspection/assessment obtains and examines the network topology diagrams, architecture documentation, or any other documentation identifying decoy components to be attacked to ensure the organization being inspected/assessed includes components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks. |
The organization being inspected/assessed designs the information system to include decoy components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks. |
Honeypots |
SC-26 |
SC-26.1 |
A honeypot is set up as a decoy to attract adversaries and to deflect their attacks away from the operational systems supporting organizational missions/business function. Depending upon the specific usage of the honeypot, consultation with the Office of the General Counsel before deployment may be needed. Related controls: SC-30, SC-44, SI-3, SI-4. |
The information system includes components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks. |
| CCI-001196 |
The information system includes components that proactively seek to identify malicious websites and/or web-based malicious code. |
The organization conducting the inspection/assessment obtains and examines the software list to ensure the organization being inspected/assessed includes components in the information system that proactively seek to identify malicious websites and/or web-based malicious code. |
The organization being inspected/assessed includes components in the information system that proactively seek to identify malicious websites and/or web-based malicious code. |
Honeyclients |
SC-35 |
SC-35.1 |
Honeyclients differ from honeypots in that the components actively probe the Internet in search of malicious code (e.g., worms) contained on external websites. As with honeypots, honeyclients require some supporting isolation measures (e.g., virtualization) to ensure that any malicious code discovered during the search and subsequently executed does not infect organizational information systems. Related controls: SC-26, SC-44, SI-3, SI-4. |
The information system includes components that proactively seek to identify malicious websites and/or web-based malicious code. |
| CCI-001197 |
The information system includes organization-defined platform-independent applications. |
The organization conducting the inspection/assessment obtains and examines the software list to ensure the organization being inspected/assessed includes platform-independent applications defined in SC-27, CCI 1198. |
The organization being inspected/assessed includes platform-independent applications defined in SC-27, CCI 1198. |
Platform-Independent Applications |
SC-27 |
SC-27.1 |
Platforms are combinations of hardware and software used to run software applications. Platforms include: (i) operating systems; (ii) the underlying computer architectures, or (iii) both. Platform-independent applications are applications that run on multiple platforms. Such applications promote portability and reconstitution on different platforms, increasing the availability of critical functions within organizations while information systems with specific operating systems are under attack. Related control: SC-29. |
The information system includes: [Assignment: organization-defined platform-independent applications]. |
| CCI-001198 |
The organization defines applications that are platform independent. |
The organization conducting the inspection/assessment obtains and examines the documented applications to ensure the organization being inspected/assessed defines applications that are platform independent.
DoD has determined the applications are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents applications that are platform independent.
DoD has determined the applications are not appropriate to define at the Enterprise level. |
Platform-Independent Applications |
SC-27 |
SC-27.2 |
Platforms are combinations of hardware and software used to run software applications. Platforms include: (i) operating systems; (ii) the underlying computer architectures, or (iii) both. Platform-independent applications are applications that run on multiple platforms. Such applications promote portability and reconstitution on different platforms, increasing the availability of critical functions within organizations while information systems with specific operating systems are under attack. Related control: SC-29. |
The information system includes: [Assignment: organization-defined platform-independent applications]. |
| CCI-001201 |
The organization employs a diverse set of information technologies for organization-defined information system components in the implementation of the information system. |
The organization conducting the inspection/assessment obtains and examines the hardware and software lists to ensure the organization being inspected/assessed employs a diverse set of information technologies for information system components defined in SC-29, CCI 2480 in the implementation of the information system. |
The organization being inspected/assessed designs the information system to employ a diverse set of information technologies for information system components defined in SC-29, CCI 2480 in the implementation of the information system. |
Heterogeneity |
SC-29 |
SC-29.1 |
Increasing the diversity of information technologies within organizational information systems reduces the impact of potential exploitations of specific technologies and also defends against common mode failures, including those failures induced by supply chain attacks. Diversity in information technologies also reduces the likelihood that the means adversaries use to compromise one information system component will be equally effective against other system components, thus further increasing the adversary work factor to successfully complete planned cyber attacks. An increase in diversity may add complexity and management overhead which could ultimately lead to mistakes and unauthorized configurations. Related controls: SA-12, SA-14, SC-27. |
The organization employs a diverse set of information technologies for [Assignment: organization-defined information system components] in the implementation of the information system. |
| CCI-001202 |
The organization employs virtualization techniques to present information system components as other types of components, or components with differing configurations. |
|
|
|
|
|
|
|
| CCI-001203 |
The organization employs virtualization techniques to support the deployment of a diversity of operating systems that are changed on an organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the hardware and software lists to ensure the organization being inspected/assessed employs virtualization techniques to support the deployment of a diversity of operating systems that are changed on the frequency defined in SC-29 (1), CCI 1204. |
The organization being inspected/assessed designs the information system to employ virtualization techniques to support the deployment of a diversity of operating systems that are changed on the frequency defined in SC-29 (1), CCI 1204. |
Heterogeneity | Virtualization Techniques |
SC-29 (1) |
SC-29(1).1 |
While frequent changes to operating systems and applications pose configuration management challenges, the changes can result in an increased work factor for adversaries in order to carry out successful cyber attacks. Changing virtual operating systems or applications, as opposed to changing actual operating systems/applications, provide virtual changes that impede attacker success while reducing configuration management efforts. In addition, virtualization techniques can assist organizations in isolating untrustworthy software and/or software of dubious provenance into confined execution environments. |
The organization employs virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed [Assignment: organization-defined frequency]. |
| CCI-001204 |
The organization defines the frequency of changes to operating systems and applications to support a diversity of deployments. |
The organization conducting the inspection/assessment obtains and examines the documented frequency to ensure the organization being inspected/assessed defines the frequency of changes to operating systems and applications to support a diversity of deployments.
DoD has determined the frequency is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the frequency of changes to operating systems and applications to support a diversity of deployments.
DoD has determined the frequency is not appropriate to define at the Enterprise level. |
Heterogeneity | Virtualization Techniques |
SC-29 (1) |
SC-29(1).2 |
While frequent changes to operating systems and applications pose configuration management challenges, the changes can result in an increased work factor for adversaries in order to carry out successful cyber attacks. Changing virtual operating systems or applications, as opposed to changing actual operating systems/applications, provide virtual changes that impede attacker success while reducing configuration management efforts. In addition, virtualization techniques can assist organizations in isolating untrustworthy software and/or software of dubious provenance into confined execution environments. |
The organization employs virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed [Assignment: organization-defined frequency]. |
| CCI-001205 |
The organization employs randomness in the implementation of the virtualization techniques. |
|
|
|
|
|
|
|
| CCI-001206 |
The organization requires that information system developers/integrators perform a covert channel analysis to identify those aspects of system communication that are potential avenues for covert storage and timing channels. |
|
|
|
|
|
|
|
| CCI-001207 |
The organization tests a subset of the identified covert channels to determine which channels are exploitable. |
The organization conducting the inspection/assessment obtains and examines the test results to ensure the organization being inspected/assessed tests a subset of the identified covert channels to determine which channels are exploitable. |
The organization being inspected/assessed tests a subset of the identified covert channels to determine which channels are exploitable.
The organization must maintain an audit trail of testing. |
Covert Channel Analysis | Test Covert Channels For Exploitability |
SC-31 (1) |
SC-31(1).1 |
|
The organization tests a subset of the identified covert channels to determine which channels are exploitable. |
| CCI-001208 |
The organization partitions the information system into components residing in separate physical domains (or environments) as deemed necessary. |
|
|
|
|
|
|
|
| CCI-001209 |
The information system protects the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission. |
|
|
|
|
|
|
|
| CCI-001210 |
The information system, at organization-defined information system components, loads and executes the operating environment from hardware-enforced, read-only media. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to load and execute the operating environment from hardware-enforced, read-only media at information system components defined in SC-34, CCI 1212.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1210. |
The organization being inspected/assessed configures the information system to load and execute the operating environment from hardware-enforced, read-only media at information system components defined in SC-34, CCI 1212.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1210. |
Non-Modifiable Executable Programs |
SC-34 |
SC-34.2 |
The term operating environment is defined as the specific code that hosts applications, for example, operating systems, executives, or monitors including virtual machine monitors (i.e., hypervisors). It can also include certain applications running directly on hardware platforms. Hardware-enforced, read-only media include, for example, Compact Disk-Recordable (CD-R)/Digital Video Disk-Recordable (DVD-R) disk drives and one-time programmable read-only memory. The use of non-modifiable storage ensures the integrity of software from the point of creation of the read-only image. The use of reprogrammable read-only memory can be accepted as read-only media provided: (i) integrity can be adequately protected from the point of initial writing to the insertion of the memory into the information system; and (ii) there are reliable hardware protections against reprogramming the memory while installed in organizational information systems. Related controls: AC-3, SI-7. |
The information system at [Assignment: organization-defined information system components]:
a. Loads and executes the operating environment from hardware-enforced, read-only media; and
b. Loads and executes [Assignment: organization-defined applications] from hardware enforced, read-only media. |
| CCI-001211 |
The information system, at organization-defined information system components, loads and executes organization-defined applications from hardware-enforced, read-only media. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to load and execute applications defined in SC-34, CCI 1213 from hardware-enforced, read-only media at information system components defined in SC-34, CCI 1212.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1211. |
The organization being inspected/assessed configures the information system to load and execute applications defined in SC-34, CCI 1213 from hardware-enforced, read-only media at information system components defined in SC-34, CCI 1212.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1211. |
Non-Modifiable Executable Programs |
SC-34 |
SC-34.3 |
The term operating environment is defined as the specific code that hosts applications, for example, operating systems, executives, or monitors including virtual machine monitors (i.e., hypervisors). It can also include certain applications running directly on hardware platforms. Hardware-enforced, read-only media include, for example, Compact Disk-Recordable (CD-R)/Digital Video Disk-Recordable (DVD-R) disk drives and one-time programmable read-only memory. The use of non-modifiable storage ensures the integrity of software from the point of creation of the read-only image. The use of reprogrammable read-only memory can be accepted as read-only media provided: (i) integrity can be adequately protected from the point of initial writing to the insertion of the memory into the information system; and (ii) there are reliable hardware protections against reprogramming the memory while installed in organizational information systems. Related controls: AC-3, SI-7. |
The information system at [Assignment: organization-defined information system components]:
a. Loads and executes the operating environment from hardware-enforced, read-only media; and
b. Loads and executes [Assignment: organization-defined applications] from hardware enforced, read-only media. |
| CCI-001212 |
The organization defines information system components on which the operating environment and organization-defined applications are loaded and executed from hardware-enforced, read-only media. |
The organization conducting the inspection/assessment obtains and examines the documented information system components to ensure the organization being inspected/assessed defines information system components for which the operating environment and organization-defined applications are loaded and executed from hardware-enforced, read-only media.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents information system components for which the operating environment and organization-defined applications are loaded and executed from hardware-enforced, read-only media.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
Non-Modifiable Executable Programs |
SC-34 |
SC-34.1 |
The term operating environment is defined as the specific code that hosts applications, for example, operating systems, executives, or monitors including virtual machine monitors (i.e., hypervisors). It can also include certain applications running directly on hardware platforms. Hardware-enforced, read-only media include, for example, Compact Disk-Recordable (CD-R)/Digital Video Disk-Recordable (DVD-R) disk drives and one-time programmable read-only memory. The use of non-modifiable storage ensures the integrity of software from the point of creation of the read-only image. The use of reprogrammable read-only memory can be accepted as read-only media provided: (i) integrity can be adequately protected from the point of initial writing to the insertion of the memory into the information system; and (ii) there are reliable hardware protections against reprogramming the memory while installed in organizational information systems. Related controls: AC-3, SI-7. |
The information system at [Assignment: organization-defined information system components]:
a. Loads and executes the operating environment from hardware-enforced, read-only media; and
b. Loads and executes [Assignment: organization-defined applications] from hardware enforced, read-only media. |
| CCI-001213 |
The organization defines applications that will be loaded and executed from hardware-enforced, read-only media. |
The organization conducting the inspection/assessment obtains and examines the documented applications to ensure the organization being inspected/assessed defines applications that will be loaded and executed from hardware-enforced, read-only media.
DoD has determined the applications are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents applications that will be loaded and executed from hardware-enforced, read-only media.
DoD has determined the applications are not appropriate to define at the Enterprise level. |
Non-Modifiable Executable Programs |
SC-34 |
SC-34.4 |
The term operating environment is defined as the specific code that hosts applications, for example, operating systems, executives, or monitors including virtual machine monitors (i.e., hypervisors). It can also include certain applications running directly on hardware platforms. Hardware-enforced, read-only media include, for example, Compact Disk-Recordable (CD-R)/Digital Video Disk-Recordable (DVD-R) disk drives and one-time programmable read-only memory. The use of non-modifiable storage ensures the integrity of software from the point of creation of the read-only image. The use of reprogrammable read-only memory can be accepted as read-only media provided: (i) integrity can be adequately protected from the point of initial writing to the insertion of the memory into the information system; and (ii) there are reliable hardware protections against reprogramming the memory while installed in organizational information systems. Related controls: AC-3, SI-7. |
The information system at [Assignment: organization-defined information system components]:
a. Loads and executes the operating environment from hardware-enforced, read-only media; and
b. Loads and executes [Assignment: organization-defined applications] from hardware enforced, read-only media. |
| CCI-001214 |
The organization employs organization-defined information system components with no writeable storage that are persistent across component restart or power on/off. |
The organization conducting the inspection/assessment obtains and examines the hardware list to ensure the organization being inspected/assessed employs information system components defined in SC-34 (1), CCI 1215 with no writeable storage that are persistent across component restart or power on/off. |
The organization being inspected/assessed designs the information system to employ information system components defined in SC-34 (1), CCI 1215 with no writeable storage that are persistent across component restart or power on/off. |
Non-Modifiable Executable Programs | No Writable Storage |
SC-34 (1) |
SC-34(1).1 |
This control enhancement: (i) eliminates the possibility of malicious code insertion via persistent, writeable storage within the designated information system components; and (ii) applies to both fixed and removable storage, with the latter being addressed directly or as specific restrictions imposed through access controls for mobile devices. Related controls: AC-19, MP-7. |
The organization employs [Assignment: organization-defined information system components] with no writeable storage that is persistent across component restart or power on/off. |
| CCI-001215 |
The organization defines the information system components to be employed with no writeable storage. |
The organization conducting the inspection/assessment obtains and examines the documented information system components to ensure the organization being inspected/assessed defines the information system components to be employed with no writeable storage.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information system components to be employed with no writeable storage.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
Non-Modifiable Executable Programs | No Writable Storage |
SC-34 (1) |
SC-34(1).2 |
This control enhancement: (i) eliminates the possibility of malicious code insertion via persistent, writeable storage within the designated information system components; and (ii) applies to both fixed and removable storage, with the latter being addressed directly or as specific restrictions imposed through access controls for mobile devices. Related controls: AC-19, MP-7. |
The organization employs [Assignment: organization-defined information system components] with no writeable storage that is persistent across component restart or power on/off. |
| CCI-001216 |
The organization protects the integrity of information prior to storage on read-only media. |
The organization conducting the inspection/assessment obtains and examines the documented mechanisms to ensure the organization being inspected/assessed protects the integrity of the information prior to storage on read-only media. |
The organization being inspected/assessed documents and implements mechanisms to protect the integrity of the information prior to storage on read-only media. |
Non-Modifiable Executable Programs | Integrity Protection / Read-Only Media |
SC-34 (2) |
SC-34(2).1 |
Security safeguards prevent the substitution of media into information systems or the reprogramming of programmable read-only media prior to installation into the systems. Security safeguards include, for example, a combination of prevention, detection, and response. Related controls: AC-5, CM-3, CM-5, CM-9, MP-2, MP-4, MP-5, SA-12, SC-28, SI-3. |
The organization protects the integrity of information prior to storage on read-only media and controls the media after such information has been recorded onto the media. |
| CCI-001217 |
The organization develops and documents a system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
Documenting and implementing the Risk Management Framework (RMF) for DoD IT (DoDI 8510.01) meets the DoD requirement for a system and information integrity policy.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, Risk Management Framework (RMF) for DoD IT (DoDI 8510.01). |
Documenting and implementing the Risk Management Framework (RMF) for DoD IT (DoDI 8510.01) meets the DoD requirement for a system and information integrity policy.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, Risk Management Framework (RMF) for DoD IT (DoDI 8510.01). |
System And Information Integrity Policy And Procedures |
SI-1 |
SI-1.2 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SI family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and
b. Reviews and updates the current:
1. System and information integrity policy [Assignment: organization-defined frequency]; and
2. System and information integrity procedures [Assignment: organization-defined frequency]. |
| CCI-001218 |
The organization disseminates the system and information integrity policy to organization-defined personnel or roles. |
Documenting and implementing the Risk Management Framework (RMF) for DoD IT (DoDI 8510.01) meets the DoD requirement for a system and information integrity policy.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, Risk Management Framework (RMF) for DoD IT (DoDI 8510.01). |
DoD disseminates DoDI 8510.01 via the DoD Issuances website (http://www.dtic.mil/whs/directives/corres/dir.html) that meets the DoD requirement for a system and information integrity policy.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, Risk Management Framework (RMF) for DoD IT (DoDI 8510.01). |
System And Information Integrity Policy And Procedures |
SI-1 |
SI-1.3 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SI family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and
b. Reviews and updates the current:
1. System and information integrity policy [Assignment: organization-defined frequency]; and
2. System and information integrity procedures [Assignment: organization-defined frequency]. |
| CCI-001219 |
The organization reviews and updates system and information integrity policy in accordance with organization-defined frequency. |
Documenting and implementing the Risk Management Framework (RMF) for DoD IT (DoDI 8510.01) meets the DoD requirement for a system and information integrity policy.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, Risk Management Framework (RMF) for DoD IT (DoDI 8510.01). |
Documenting and implementing the Risk Management Framework (RMF) for DoD IT (DoDI 8510.01) meets the DoD requirement for a system and information integrity policy.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, Risk Management Framework (RMF) for DoD IT (DoDI 8510.01). |
System And Information Integrity Policy And Procedures |
SI-1 |
SI-1.6 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SI family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and
b. Reviews and updates the current:
1. System and information integrity policy [Assignment: organization-defined frequency]; and
2. System and information integrity procedures [Assignment: organization-defined frequency]. |
| CCI-001220 |
The organization develops and documents procedures to facilitate the implementation of the system and information integrity policy and associated system integrity controls. |
Documenting and implementing the Risk Management Framework (RMF) for DoD IT (DoDI 8510.01) meets the DoD requirement for a system and information integrity procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, Risk Management Framework (RMF) for DoD IT (DoDI 8510.01). |
Documenting and implementing the Risk Management Framework (RMF) for DoD IT (DoDI 8510.01) meets the DoD requirement for a system and information integrity procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, Risk Management Framework (RMF) for DoD IT (DoDI 8510.01). |
System And Information Integrity Policy And Procedures |
SI-1 |
SI-1.4 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SI family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and
b. Reviews and updates the current:
1. System and information integrity policy [Assignment: organization-defined frequency]; and
2. System and information integrity procedures [Assignment: organization-defined frequency]. |
| CCI-001221 |
The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the system and information integrity policy and associated system integrity controls. |
Documenting and implementing the Risk Management Framework (RMF) for DoD IT (DoDI 8510.01) meets the DoD requirement for a system and information integrity procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, Risk Management Framework (RMF) for DoD IT (DoDI 8510.01). |
DoD disseminates DoDI 8510.01 via the DoD Issuances website (http://www.dtic.mil/whs/directives/corres/dir.html) that meets the DoD requirement for a system and information integrity policy.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, Risk Management Framework (RMF) for DoD IT (DoDI 8510.01). |
System And Information Integrity Policy And Procedures |
SI-1 |
SI-1.5 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SI family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and
b. Reviews and updates the current:
1. System and information integrity policy [Assignment: organization-defined frequency]; and
2. System and information integrity procedures [Assignment: organization-defined frequency]. |
| CCI-001222 |
The organization reviews and updates system and information integrity procedures in accordance with organization-defined frequency. |
Documenting and implementing the Risk Management Framework (RMF) for DoD IT (DoDI 8510.01) meets the DoD requirement for a system and information integrity procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, Risk Management Framework (RMF) for DoD IT (DoDI 8510.01). |
Documenting and implementing the Risk Management Framework (RMF) for DoD IT (DoDI 8510.01) meets the DoD requirement for a system and information integrity procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, Risk Management Framework (RMF) for DoD IT (DoDI 8510.01). |
System And Information Integrity Policy And Procedures |
SI-1 |
SI-1.8 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SI family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and
b. Reviews and updates the current:
1. System and information integrity policy [Assignment: organization-defined frequency]; and
2. System and information integrity procedures [Assignment: organization-defined frequency]. |
| CCI-001223 |
The organization defines the frequency of system and information integrity policy reviews and updates. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10. |
DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10. |
System And Information Integrity Policy And Procedures |
SI-1 |
SI-1.7 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SI family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and
b. Reviews and updates the current:
1. System and information integrity policy [Assignment: organization-defined frequency]; and
2. System and information integrity procedures [Assignment: organization-defined frequency]. |
| CCI-001224 |
The organization defines the frequency of system and information integrity procedure reviews and updates. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as reviewed annually - updated as appropriate. |
DoD has defined the frequency as reviewed annually - updated as appropriate. |
System And Information Integrity Policy And Procedures |
SI-1 |
SI-1.9 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SI family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and
b. Reviews and updates the current:
1. System and information integrity policy [Assignment: organization-defined frequency]; and
2. System and information integrity procedures [Assignment: organization-defined frequency]. |
| CCI-001285 |
The organization receives information system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis. |
The organization conducting the inspection/assessment obtains and examines alerts, advisories, and directives received by the organization being inspected/assessed to ensure they receive information system security alerts, advisories, and directives from at a minimum, USCYBERCOM on an ongoing basis.
DoD has defined the external organizations as at a minimum, USCYBERCOM. |
The organization being inspected/assessed receives information system security alerts, advisories, and directives from at a minimum, USCYBERCOM on an ongoing basis.
DoD has defined the external organizations as at a minimum, USCYBERCOM. |
Security Alerts, Advisories, And Directives |
SI-5 |
SI-5.1 |
The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance to security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission/business partners, supply chain partners, external service providers, and other peer/supporting organizations. Related control: SI-2. |
The organization:
a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
b. Generates internal security alerts, advisories, and directives as deemed necessary;
c. Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel (identified by name and/or by role)];
[Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and
d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. |
| CCI-001286 |
The organization generates internal security alerts, advisories, and directives as deemed necessary. |
The organization conducting the inspection/assessment obtains and examines documented process as well as the generated internal security alerts, advisories, and directives to ensure the organization being inspected/assessed generates internal security alerts, advisories, and directives as deemed necessary. |
The organization being inspected/assessed documents and implements a process to generate internal security alerts, advisories, and directives as deemed necessary. |
Security Alerts, Advisories, And Directives |
SI-5 |
SI-5.3 |
The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance to security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission/business partners, supply chain partners, external service providers, and other peer/supporting organizations. Related control: SI-2. |
The organization:
a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
b. Generates internal security alerts, advisories, and directives as deemed necessary;
c. Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel (identified by name and/or by role)];
[Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and
d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. |
| CCI-001287 |
The organization disseminates security alerts, advisories, and directives to organization-defined personnel or roles, organization-defined elements within the organization, and/or organization-defined external organizations. |
The organization conducting the inspection/assessment obtains and examines any applicable artifacts showing dissemination of security alerts, advisories, and directives to ensure the organization being inspected/assessed disseminates security alerts, advisories, and directives to the ISSO and ISSM and/or external organizations defined in SI-5, CCI 2694.
DoD has defined the personnel or roles as the ISSO and ISSM. |
The organization being inspected/assessed disseminates security alerts, advisories, and directives to the ISSO and ISSM and/or external organizations defined in SI-5, CCI 2694.
DoD has defined the personnel or roles as the ISSO and ISSM. |
Security Alerts, Advisories, And Directives |
SI-5 |
SI-5.4 |
The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance to security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission/business partners, supply chain partners, external service providers, and other peer/supporting organizations. Related control: SI-2. |
The organization:
a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
b. Generates internal security alerts, advisories, and directives as deemed necessary;
c. Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel (identified by name and/or by role)];
[Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and
d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. |
| CCI-001288 |
The organization defines the personnel or roles to whom the organization will disseminate security alerts, advisories, and directives. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as the ISSO and ISSM. |
DoD has defined the personnel or roles as the ISSO and ISSM. |
Security Alerts, Advisories, And Directives |
SI-5 |
SI-5.5 |
The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance to security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission/business partners, supply chain partners, external service providers, and other peer/supporting organizations. Related control: SI-2. |
The organization:
a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
b. Generates internal security alerts, advisories, and directives as deemed necessary;
c. Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel (identified by name and/or by role)];
[Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and
d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. |
| CCI-001289 |
The organization implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. |
The organization conducting the inspection/assessment examines the information system and obtains and examines records of compliance and/or non-compliance reporting to ensure that security directives have been implemented in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. |
The organization being inspected/assessed implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. |
Security Alerts, Advisories, And Directives |
SI-5 |
SI-5.8 |
The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance to security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission/business partners, supply chain partners, external service providers, and other peer/supporting organizations. Related control: SI-2. |
The organization:
a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
b. Generates internal security alerts, advisories, and directives as deemed necessary;
c. Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel (identified by name and/or by role)];
[Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and
d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. |
| CCI-001290 |
The organization employs automated mechanisms to make security alert and advisory information available throughout the organization. |
The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms to ensure the organization being inspected/assessed employs automated mechanisms to make security alert and advisory information available throughout the organization.
The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. |
The organization being inspected/assessed documents and implements automated mechanisms to make security alert and advisory information available throughout the organization. |
Security Alerts, Advisories, And Directives | Automated Alerts And Advisories |
SI-5 (1) |
SI-5(1).1 |
The significant number of changes to organizational information systems and the environments in which those systems operate requires the dissemination of security-related information to a variety of organizational entities that have a direct interest in the success of organizational missions and business functions. Based on the information provided by the security alerts and advisories, changes may be required at one or more of the three tiers related to the management of information security risk including the governance level, mission/business process/enterprise architecture level, and the information system level. |
The organization employs automated mechanisms to make security alert and advisory information available throughout the organization. |
| CCI-001297 |
The information system detects unauthorized changes to software and information. |
|
|
|
|
|
|
|
| CCI-001298 |
The organization reassesses the integrity of software and information by performing, on an organization-defined frequency, integrity scans of the information system. |
|
|
|
|
|
|
|
| CCI-001299 |
The organization defines the frequency of integrity scans to be performed on the information system. |
|
|
|
|
|
|
|
| CCI-001300 |
The organization employs automated tools that provide notification to organization-defined personnel or roles upon discovering discrepancies during integrity verification. |
The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated tools to ensure the organization being inspected/assessed employs automated tools that provide notification to at a minimum, the ISSO and ISSM upon discovering discrepancies during integrity verification.
The organization being inspected/assessed may be required to demonstrate use of their identified automated tools.
DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. |
The organization being inspected/assessed documents and implements automated tools that provide notification to at a minimum, the ISSO and ISSM upon discovering discrepancies during integrity verification.
DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. |
Software, Firmware, And Information Integrity | Automated Notifications Of Integrity Violations |
SI-7 (2) |
SI-7(2).1 |
The use of automated tools to report integrity violations and to notify organizational personnel in a timely matter is an essential precursor to effective risk response. Personnel having an interest in integrity violations include, for example, mission/business owners, information system owners, systems administrators, software developers, systems integrators, and information security officers. |
The organization employs automated tools that provide notification to [Assignment: organization-defined personnel or roles] upon discovering discrepancies during integrity verification. |
| CCI-001301 |
The organization employs centrally managed integrity verification tools. |
The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified centrally managed integrity verification tools to ensure the organization being inspected/assessed employs centrally managed integrity verification tools.
The organization being inspected/assessed may be required to demonstrate use of their identified integrity verification tools. |
The organization being inspected/assessed documents and implements centrally managed integrity verification tools. |
Software, Firmware, And Information Integrity | Centrally-Managed Integrity Tools |
SI-7 (3) |
SI-7(3).1 |
Related controls: AU-3, SI-2, SI-8. |
The organization employs centrally managed integrity verification tools. |
| CCI-001302 |
The organization requires use of tamper-evident packaging for organization-defined information system components during organization-defined conditions. |
|
|
|
|
|
|
|
| CCI-001303 |
The organization defines information system components that require tamper-evident packaging. |
|
|
|
|
|
|
|
| CCI-001304 |
The organization defines conditions (i.e., transportation from vendor to operational site, during operation, both) under which tamper-evident packaging must be used for organization-defined information system components. |
|
|
|
|
|
|
|
| CCI-001309 |
The organization restricts the capability to input information to the information system to authorized personnel. |
|
|
|
|
|
|
|
| CCI-001310 |
The information system checks the validity of organization-defined inputs. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to check the validity of all inputs except those identified specifically by the organization.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1310.
DoD has defined the information inputs as all inputs except those identified specifically by the organization. |
The organization being inspected/assessed configures the information system to check the validity of all inputs except those identified specifically by the organization.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1310.
DoD has defined the information inputs as all inputs except those identified specifically by the organization. |
Information Input Validation |
SI-10 |
SI-10.1 |
Checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, and acceptable values) verifies that inputs match specified definitions for format and content. Software applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the tainted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation helps to ensure accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks. |
The information system checks the validity of [Assignment: organization-defined information inputs]. |
| CCI-001311 |
The information system identifies potentially security-relevant error conditions. |
|
|
|
|
|
|
|
| CCI-001312 |
The information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1312. |
The organization being inspected/assessed configures the information system to generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1312. |
Error Handling |
SI-11 |
SI-11.1 |
Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information such as account numbers, social security numbers, and credit card numbers. In addition, error messages may provide a covert channel for transmitting information. Related controls: AU-2, AU-3, SC-31. |
The information system:
a. Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and
b. Reveals error messages only to [Assignment: organization-defined personnel or roles]. |
| CCI-001313 |
The organization defines sensitive or potentially harmful information that should not be contained in error logs and administrative messages. |
|
|
|
|
|
|
|
| CCI-001314 |
The information system reveals error messages only to organization-defined personnel or roles. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to reveal error messages only to the ISSO, ISSM, and SCA.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1314.
DoD has defined the personnel or roles as the ISSO, ISSM, and SCA. |
The organization being inspected/assessed configures the information system to reveal error messages only to the ISSO, ISSM, and SCA.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1314.
DoD has defined the personnel or roles as the ISSO, ISSM, and SCA. |
Error Handling |
SI-11 |
SI-11.2 |
Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information such as account numbers, social security numbers, and credit card numbers. In addition, error messages may provide a covert channel for transmitting information. Related controls: AU-2, AU-3, SC-31. |
The information system:
a. Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and
b. Reveals error messages only to [Assignment: organization-defined personnel or roles]. |
| CCI-001462 |
The information system provides the capability for authorized users to capture/record and log content related to a user session. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide the capability for authorized users to capture/record and log content related to a user session.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1462. |
The organization being inspected/assessed configures the information system to provide the capability for authorized users to capture/record and log content related to a user session.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1462. |
Session Audit | Capture/Record And Log Content |
AU-14 (2) |
AU-14(2).1 |
|
The information system provides the capability for authorized users to capture/record and log content related to a user session. |
| CCI-001463 |
The information system provides the capability to remotely view/hear all content related to an established user session in real time. |
|
|
|
|
|
|
|
| CCI-001464 |
The information system initiates session audits at system start-up. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to initiate session audits at system start-up.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1464. |
The organization being inspected/assessed configures the information system to initiate session audits at system start-up.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1464. |
Session Audit | System Start-Up |
AU-14 (1) |
AU-14(1).1 |
|
The information system initiates session audits at system start-up. |
| CCI-001473 |
The organization designates individuals authorized to post information onto a publicly accessible information system. |
The organization conducting the inspection/assessment obtains and examines the list of individuals to ensure the organization being inspected/assessed designates individuals authorized to post information onto a publicly accessible information system. |
The organization being inspected/assessed identifies and documents individuals authorized to post information onto a publicly accessible information system. |
Publicly Accessible Content |
AC-22 |
AC-22.1 |
In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy. Related controls: AC-3, AC-4, AT-2, AT-3, AU-13. |
The organization:
a. Designates individuals authorized to post information onto a publicly accessible information system;
b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and
d. Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered. |
| CCI-001474 |
The organization trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of the training conducted to ensure the organization being inspected/assessed trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information. |
The organization being inspected/assessed documents and implements a process to train authorized individuals to ensure that publicly accessible information does not contain nonpublic information.
The organization must maintain an audit trail of the training conducted. |
Publicly Accessible Content |
AC-22 |
AC-22.2 |
In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy. Related controls: AC-3, AC-4, AT-2, AT-3, AU-13. |
The organization:
a. Designates individuals authorized to post information onto a publicly accessible information system;
b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and
d. Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered. |
| CCI-001475 |
The organization reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included. |
The organization conducting the inspection/assessment obtains and examines |
The organization being inspected/assessed |
Publicly Accessible Content |
AC-22 |
AC-22.3 |
In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy. Related controls: AC-3, AC-4, AT-2, AT-3, AU-13. |
The organization:
a. Designates individuals authorized to post information onto a publicly accessible information system;
b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and
d. Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered. |
| CCI-001476 |
The organization reviews the content on the publicly accessible information system for nonpublic information on an organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of reviews to ensure the organization being inspected/assessed reviews the content on the publicly accessible information system for nonpublic information on an organization-defined frequency. |
The organization being inspected/assessed documents and implements a process to review the content on the publicly accessible information system for nonpublic information on an organization-defined frequency.
The organization must maintain an audit trail of reviews. |
Publicly Accessible Content |
AC-22 |
AC-22.4 |
In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy. Related controls: AC-3, AC-4, AT-2, AT-3, AU-13. |
The organization:
a. Designates individuals authorized to post information onto a publicly accessible information system;
b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and
d. Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered. |
| CCI-001477 |
The organization defines a frequency for reviewing the content on the publicly accessible information system for nonpublic information. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as every 90 days or as new information is posted. |
DoD has defined the frequency as every 90 days or as new information is posted. |
Publicly Accessible Content |
AC-22 |
AC-22.5 |
In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy. Related controls: AC-3, AC-4, AT-2, AT-3, AU-13. |
The organization:
a. Designates individuals authorized to post information onto a publicly accessible information system;
b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and
d. Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered. |
| CCI-001478 |
The organization removes nonpublic information from the publicly accessible information system, if discovered. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed removes nonpublic information from the publicly accessible information system, if discovered. |
The organization being inspected/assessed documents and implements a process to remove nonpublic information from the publicly accessible information system, if discovered. |
Publicly Accessible Content |
AC-22 |
AC-22.6 |
In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy. Related controls: AC-3, AC-4, AT-2, AT-3, AU-13. |
The organization:
a. Designates individuals authorized to post information onto a publicly accessible information system;
b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and
d. Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered. |
| CCI-001504 |
The organization develops and documents a personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
DoD 5200.2-R meets the DoD requirements for personnel security policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoD 5200.2-R. |
DoD 5200.2-R meets the DoD requirements for personnel security policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoD 5200.2-R. |
Personnel Security Policy And Procedures |
PS-1 |
PS-1.3 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PS family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and
b. Reviews and updates the current:
1. Personnel security policy [Assignment: organization-defined frequency]; and
2. Personnel security procedures [Assignment: organization-defined frequency]. |
| CCI-001505 |
The organization disseminates a personnel security policy to organization-defined personnel or roles. |
DoD 5200.2-R meets the DoD requirements for personnel security policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoD 5200.2-R. |
DoD disseminates DoD 5200.2-R via the DoD Issuance site: http://www.dtic.mil/whs/directives/corres/pub1.html to meet the DoD requirements for personnel security policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoD 5200.2-R. |
Personnel Security Policy And Procedures |
PS-1 |
PS-1.4 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PS family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and
b. Reviews and updates the current:
1. Personnel security policy [Assignment: organization-defined frequency]; and
2. Personnel security procedures [Assignment: organization-defined frequency]. |
| CCI-001506 |
The organization reviews and updates the current personnel security policy in accordance with organization-defined frequency. |
DoD 5200.2-R meets the DoD requirements for personnel security policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoD 5200.2-R. |
DoD 5200.2-R meets the DoD requirements for personnel security policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoD 5200.2-R. |
Personnel Security Policy And Procedures |
PS-1 |
PS-1.7 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PS family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and
b. Reviews and updates the current:
1. Personnel security policy [Assignment: organization-defined frequency]; and
2. Personnel security procedures [Assignment: organization-defined frequency]. |
| CCI-001507 |
The organization defines the frequency with which to review and update the current personnel security policy. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. |
DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. |
Personnel Security Policy And Procedures |
PS-1 |
PS-1.8 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PS family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and
b. Reviews and updates the current:
1. Personnel security policy [Assignment: organization-defined frequency]; and
2. Personnel security procedures [Assignment: organization-defined frequency]. |
| CCI-001508 |
The organization defines the frequency with which to review and update the current personnel security procedures. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as reviewed annually - updated as appropriate. |
DoD has defined the frequency as reviewed annually - updated as appropriate. |
Personnel Security Policy And Procedures |
PS-1 |
PS-1.10 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PS family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and
b. Reviews and updates the current:
1. Personnel security policy [Assignment: organization-defined frequency]; and
2. Personnel security procedures [Assignment: organization-defined frequency]. |
| CCI-001509 |
The organization develops and documents procedures to facilitate the implementation of the personnel security policy and associated personnel security controls. |
DoD 5200.2-R meets the DoD requirements for personnel security policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoD 5200.2-R. |
DoD 5200.2-R meets the DoD requirements for personnel security policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoD 5200.2-R. |
Personnel Security Policy And Procedures |
PS-1 |
PS-1.6 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PS family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and
b. Reviews and updates the current:
1. Personnel security policy [Assignment: organization-defined frequency]; and
2. Personnel security procedures [Assignment: organization-defined frequency]. |
| CCI-001510 |
The organization disseminates personnel security procedures to organization-defined personnel or roles. |
DoD 5200.2-R meets the DoD requirements for personnel security policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoD 5200.2-R. |
DoD disseminates DoD 5200.2-R via the DoD Issuance site: http://www.dtic.mil/whs/directives/corres/pub1.html to meet the DoD requirements for personnel security policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoD 5200.2-R. |
Personnel Security Policy And Procedures |
PS-1 |
PS-1.5 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PS family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and
b. Reviews and updates the current:
1. Personnel security policy [Assignment: organization-defined frequency]; and
2. Personnel security procedures [Assignment: organization-defined frequency]. |
| CCI-001511 |
The organization reviews and updates the current personnel security procedures in accordance with organization-defined frequency. |
DoD 5200.2-R meets the DoD requirements for personnel security policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoD 5200.2-R. |
DoD 5200.2-R meets the DoD requirements for personnel security policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoD 5200.2-R. |
Personnel Security Policy And Procedures |
PS-1 |
PS-1.9 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PS family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and
b. Reviews and updates the current:
1. Personnel security policy [Assignment: organization-defined frequency]; and
2. Personnel security procedures [Assignment: organization-defined frequency]. |
| CCI-001512 |
The organization assigns a risk designation to all organizational positions. |
The organization conducting the inspection/assessment obtains and examines documentation of the ADP/IT level designations. |
The organization being inspected/assessed will designate and document all organizational positions, to include government and contract positions, with the appropriate ADP/IT level designation, IAW DoD 5200.2-R. |
Position Risk Designation |
PS-2 |
PS-2.1 |
Position risk designations reflect Office of Personnel Management policy and guidance. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements (e.g., training, security clearances). Related controls: AT-3, PL-2, PS-3. |
The organization:
a. Assigns a risk designation to all organizational positions;
b. Establishes screening criteria for individuals filling those positions; and
c. Reviews and updates position risk designations [Assignment: organization-defined frequency]. |
| CCI-001513 |
The organization establishes screening criteria for individuals filling organizational positions. |
DoD 5200.2-R meets the DoD requirements for establishing screening criteria for individuals filling organizational positions.
DoD organizations are automatically compliant with this CCI as they are covered at the DoD level by DoD 5200.2-R. |
DoD 5200.2-R meets the DoD requirements for establishing screening criteria for individuals filling organizational positions.
DoD organizations are automatically compliant with this CCI as they are covered at the DoD level by DoD 5200.2-R. |
Position Risk Designation |
PS-2 |
PS-2.2 |
Position risk designations reflect Office of Personnel Management policy and guidance. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements (e.g., training, security clearances). Related controls: AT-3, PL-2, PS-3. |
The organization:
a. Assigns a risk designation to all organizational positions;
b. Establishes screening criteria for individuals filling those positions; and
c. Reviews and updates position risk designations [Assignment: organization-defined frequency]. |
| CCI-001514 |
The organization reviews and updates position risk designations in accordance with organization-defined frequency. |
The organization conducting the inspection/assessment reviews the audit records of the position designation reviews to ensure reviews are done annually.
DoD has defined the frequency as annually. |
The organization being inspected/assessed reviews position risk designations annually and revises designations as required based on the reviews.
Records of these reviews must be maintained as an audit trail.
DoD has defined the frequency as annually. |
Position Risk Designation |
PS-2 |
PS-2.3 |
Position risk designations reflect Office of Personnel Management policy and guidance. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements (e.g., training, security clearances). Related controls: AT-3, PL-2, PS-3. |
The organization:
a. Assigns a risk designation to all organizational positions;
b. Establishes screening criteria for individuals filling those positions; and
c. Reviews and updates position risk designations [Assignment: organization-defined frequency]. |
| CCI-001515 |
The organization defines the frequency with which to review and update position risk designations. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as annually. |
DoD has defined the frequency as annually. |
Position Risk Designation |
PS-2 |
PS-2.4 |
Position risk designations reflect Office of Personnel Management policy and guidance. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements (e.g., training, security clearances). Related controls: AT-3, PL-2, PS-3. |
The organization:
a. Assigns a risk designation to all organizational positions;
b. Establishes screening criteria for individuals filling those positions; and
c. Reviews and updates position risk designations [Assignment: organization-defined frequency]. |
| CCI-001516 |
The organization screens individuals prior to authorizing access to the information system. |
The organization conducting the inspection/assessment obtains and examines the information system access list (AC-2) and compares a sampling of authorized users to manning documents (PS-2) to ensure access was granted appropriately IAW ADP/IT level designation requirements within DoD 5200.2-R. |
The organization being inspected/assessed will screen all government and contract personnel to ensure they meet the appropriate ADP/IT level designation requirements IAW DoD 5200.2-R prior to authorizing access to the information system. |
Personnel Screening |
PS-3 |
PS-3.1 |
Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems. Related controls: AC-2, IA-4, PE-2, PS-2. |
The organization:
a. Screens individuals prior to authorizing access to the information system; and
b. Rescreens individuals according to [Assignment: organization -defined conditions requiring rescreening and, where re-screening is so indicated, the frequency of such rescreening]. |
| CCI-001517 |
The organization rescreens individuals with authorized access to the information system according to organization-defined conditions requiring rescreening, and where rescreening is so indicated, on the organization-defined frequency of such rescreening. |
The organization conducting the inspection/assessment obtains and examines audit records of rescreening actions to ensure the system owner is rescreening individuals according to a system owner-defined list of conditions requiring rescreening and, where re-screening is so indicated, based on the system owner-defined frequency of such rescreening. |
The information system owner will rescreen individuals according to system owner defined list of conditions requiring rescreening (CCI-001518) individuals for access to the information system and frequency (CCI - 001519) of such rescreening.
Rescreening actions will be maintained as an audit trail (AU-2). |
Personnel Screening |
PS-3 |
PS-3.2 |
Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems. Related controls: AC-2, IA-4, PE-2, PS-2. |
The organization:
a. Screens individuals prior to authorizing access to the information system; and
b. Rescreens individuals according to [Assignment: organization -defined conditions requiring rescreening and, where re-screening is so indicated, the frequency of such rescreening]. |
| CCI-001518 |
The organization defines the conditions requiring rescreening of individuals with authorized access to the information system. |
The organization conducting the inspection/assessment obtains and examines the documentation of conditions requiring rescreening of individuals for access to the information system.
DoD has determined the list of conditions is not appropriate to define at the Enterprise level. |
The information system owner will develop and document the list of conditions requiring rescreening individuals for access to the information system.
DoD has determined the list of conditions is not appropriate to define at the Enterprise level. |
Personnel Screening |
PS-3 |
PS-3.3 |
Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems. Related controls: AC-2, IA-4, PE-2, PS-2. |
The organization:
a. Screens individuals prior to authorizing access to the information system; and
b. Rescreens individuals according to [Assignment: organization -defined conditions requiring rescreening and, where re-screening is so indicated, the frequency of such rescreening]. |
| CCI-001519 |
The organization defines the frequency for rescreening individuals with authorized access to the information system when organization-defined conditions requiring rescreening are met. |
The organization conducting the inspection/assessment obtains and examines the documentation defining the required frequency for rescreening individuals for access to the system.
DoD has determined the frequency is not appropriate to define at the Enterprise level. |
The information system owner will define and document the required frequency of rescreening for access to the information system.
DoD has determined the frequency is not appropriate to define at the Enterprise level. |
Personnel Screening |
PS-3 |
PS-3.4 |
Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems. Related controls: AC-2, IA-4, PE-2, PS-2. |
The organization:
a. Screens individuals prior to authorizing access to the information system; and
b. Rescreens individuals according to [Assignment: organization -defined conditions requiring rescreening and, where re-screening is so indicated, the frequency of such rescreening]. |
| CCI-001520 |
The organization ensures that individuals accessing an information system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system. |
The organization conducting the inspection/assessment obtains and examines security clearance data for all individuals using the classified information system and the system account list (AC-2) and compares lists to ensure all personnel accessing the system are cleared and indoctrinated to the highest classification level of the information to which they have access on the system. |
The organization being inspected/assessed ensures that individuals accessing an information system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system. |
Personnel Screening | Classified Information |
PS-3 (1) |
PS-3(1).1 |
Related controls: AC-3, AC-4. |
The organization ensures that individuals accessing an information system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system. |
| CCI-001521 |
The organization ensures that individuals accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination, are formally indoctrinated for all of the relevant types of information to which they have access on the system. |
The organization conducting the inspection/assessment obtains and examines security clearance data for all individuals using the classified information system and the system account list (AC-2) and compares lists to ensure all personnel accessing the system are formally indoctrinated for all of the relevant types of information to which they have access on the system. |
The organization being inspected/assessed ensures that individuals accessing an information system processing, storing, or transmitting types of classified information (e.g. Special Access Programs (SAP), Restricted Data (RD), and Sensitive Compartmented Information (SCI)) which require formal indoctrination, is formally indoctrinated for all of the relevant types of information to which they have access on the system. |
Personnel Screening | Formal Indoctrination |
PS-3 (2) |
PS-3(2).1 |
Types of classified information requiring formal indoctrination include, for example, Special Access Program (SAP), Restricted Data (RD), and Sensitive Compartment Information (SCI). Related controls: AC-3, AC-4. |
The organization ensures that individuals accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination, are formally indoctrinated for all of the relevant types of information to which they have access on the system. |
| CCI-001522 |
The organization, upon termination of individual employment, disables information system access within an organization-defined time period. |
The organization conducting the inspection/assessment obtains and examines organizational security policy and procedures documentation and audit records of account termination actions to ensure account termination actions are conducted immediately and IAW organizational security policy and procedures.
DoD has defined the time period as immediately. |
The organization being inspected/assessed upon termination of individual employment, terminates information system access immediately and IAW organization security policy and procedures. The organization must retain an audit trail of account termination actions (AU-2).
DoD has defined the time period as immediately. |
Personnel Termination |
PS-4 |
PS-4.1 |
Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified. Related controls: AC-2, IA-4, PE-2, PS-5, PS-6. |
The organization, upon termination of individual employment:
a. Disables information system access within [Assignment: organization-defined time period];
b. Terminates/revokes any authenticators/credentials associated with the individual;
c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];
d. Retrieves all security-related organizational information system-related property;
e. Retains access to organizational information and information systems formerly controlled by terminated individual; and
f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. |
| CCI-001523 |
The organization, upon termination of individual employment, conducts exit interviews that include a discussion of organization-defined information security topics. |
The organization conducting the inspection/assessment obtains and examines documentation of departed personnel and the audit trail of conducted exit interviews to ensure all departed personnel had exit interviews conducted that include a discussion of information security topics defined in PS-4, CCI 3024. |
The organization being inspected/assessed, conducts exit interviews that include a discussion of information security topics defined in PS-4, CCI 3024 upon termination of individual employment IAW organization security policy and procedures. The organization must retain an audit trail of conducted exit interviews (AU-2) |
Personnel Termination |
PS-4 |
PS-4.4 |
Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified. Related controls: AC-2, IA-4, PE-2, PS-5, PS-6. |
The organization, upon termination of individual employment:
a. Disables information system access within [Assignment: organization-defined time period];
b. Terminates/revokes any authenticators/credentials associated with the individual;
c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];
d. Retrieves all security-related organizational information system-related property;
e. Retains access to organizational information and information systems formerly controlled by terminated individual; and
f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. |
| CCI-001524 |
The organization, upon termination of individual employment, retrieves all security-related organizational information system-related property. |
The organization conducting the inspection/assessment obtains and examines appropriate organization security-related organizational information systems-related property documentation/logs and compares to audit trail of all retrieved security-related organizational information systems-related property (AU-2) to ensure all property has been retrieved. |
The organization being inspected/assessed upon termination of individual employment retrieves all security-related organizational information systems-related property IAW organization security policy and procedures. The organization must retain an audit trail of all retrieved security-related organizational information systems-related property (AU-2). |
Personnel Termination |
PS-4 |
PS-4.6 |
Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified. Related controls: AC-2, IA-4, PE-2, PS-5, PS-6. |
The organization, upon termination of individual employment:
a. Disables information system access within [Assignment: organization-defined time period];
b. Terminates/revokes any authenticators/credentials associated with the individual;
c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];
d. Retrieves all security-related organizational information system-related property;
e. Retains access to organizational information and information systems formerly controlled by terminated individual; and
f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. |
| CCI-001525 |
The organization, upon termination of individual employment, retains access to organizational information formerly controlled by the terminated individual. |
The organization conducting the inspection/assessment interviews appropriate IT and security personnel to validate the organization has procedures in place which, upon termination of individual's employment, will ensure it retains access to organizational information formerly controlled by the terminated individual. |
The organization being inspected/assessed upon termination of individual employment retains access to organizational information formerly controlled by terminated individual IAW organization security policy and procedures.
Organizational information formerly controlled by terminated individuals generally refers to online work-product including email files. |
Personnel Termination |
PS-4 |
PS-4.7 |
Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified. Related controls: AC-2, IA-4, PE-2, PS-5, PS-6. |
The organization, upon termination of individual employment:
a. Disables information system access within [Assignment: organization-defined time period];
b. Terminates/revokes any authenticators/credentials associated with the individual;
c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];
d. Retrieves all security-related organizational information system-related property;
e. Retains access to organizational information and information systems formerly controlled by terminated individual; and
f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. |
| CCI-001526 |
The organization, upon termination of individual employment, retains access to organizational information systems formerly controlled by the terminated individual. |
The organization conducting the inspection/assessment interviews appropriate IT and security personnel to validate the organization has procedures in place which, upon termination of individual's employment, will ensure it retains access to organizational information systems formerly controlled by the terminated individual. |
The organization being inspected/assessed upon termination of individual employment retains access to organizational information systems formerly controlled by terminated individual IAW organization security policy and procedures.
Organizational information systems formerly controlled by terminated individuals generally refers to issued hardware (e.g. laptops, BlackBerrys, PEDs, removable media, etc.) |
Personnel Termination |
PS-4 |
PS-4.8 |
Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified. Related controls: AC-2, IA-4, PE-2, PS-5, PS-6. |
The organization, upon termination of individual employment:
a. Disables information system access within [Assignment: organization-defined time period];
b. Terminates/revokes any authenticators/credentials associated with the individual;
c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];
d. Retrieves all security-related organizational information system-related property;
e. Retains access to organizational information and information systems formerly controlled by terminated individual; and
f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. |
| CCI-001527 |
The organization reviews and confirms the ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization. |
The organization conducting the inspection/assessment obtains and examines the audit trail of reviews to ensure that the organization has confirmed the ongoing operational need for logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization. |
The organization being inspected/assessed reviews and confirms ongoing operational need for logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization.
The organization must maintain an audit trail of reviews. |
Personnel Transfer |
PS-5 |
PS-5.1 |
This control applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing information system accounts and establishing new accounts; (iii) changing information system access authorizations (i.e., privileges); and (iv) providing for access to official records to which individuals had access at previous work locations and in previous information system accounts. Related controls: AC-2, IA-4, PE-2, PS-4. |
The organization:
a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;
b. Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action];
c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
d. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. |
| CCI-001528 |
The organization initiates organization-defined transfer or reassignment actions within an organization-defined time period following the formal personnel transfer action. |
The organization conducting the inspection/assessment obtains and examines appropriate organization security-related organizational physical and logical access documentation/logs and compares to transferred personnel documentation to ensure appropriate logical and physical access have been revoked for previous positions and granted for new positions immediately.
DoD defines the time period as immediately. |
The organization being inspected/assessed initiates transfer or reassignment actions to ensure all system accesses no longer required are removed and actions to ensure all system accesses required due to the individual's new position are granted immediately when personnel are reassigned or transferred to other positions.
DoD defines transfer or reassignment actions as actions to ensure all system accesses no longer required are removed.
DoD defines the time period as immediately. |
Personnel Transfer |
PS-5 |
PS-5.2 |
This control applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing information system accounts and establishing new accounts; (iii) changing information system access authorizations (i.e., privileges); and (iv) providing for access to official records to which individuals had access at previous work locations and in previous information system accounts. Related controls: AC-2, IA-4, PE-2, PS-4. |
The organization:
a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;
b. Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action];
c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
d. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. |
| CCI-001529 |
The organization defines transfer or reassignment actions to initiate within an organization-defined time period following the formal personnel transfer action. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD defines transfer or reassignment actions as actions to ensure all system accesses no longer required are removed. |
DoD defines transfer or reassignment actions as actions to ensure all system accesses no longer required are removed. |
Personnel Transfer |
PS-5 |
PS-5.3 |
This control applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing information system accounts and establishing new accounts; (iii) changing information system access authorizations (i.e., privileges); and (iv) providing for access to official records to which individuals had access at previous work locations and in previous information system accounts. Related controls: AC-2, IA-4, PE-2, PS-4. |
The organization:
a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;
b. Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action];
c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
d. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. |
| CCI-001530 |
The organization defines the time period within which the organization initiates organization-defined transfer or reassignment actions following the formal personnel transfer action. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD defines the time period as immediately. |
DoD defines the time period as immediately. |
Personnel Transfer |
PS-5 |
PS-5.4 |
This control applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing information system accounts and establishing new accounts; (iii) changing information system access authorizations (i.e., privileges); and (iv) providing for access to official records to which individuals had access at previous work locations and in previous information system accounts. Related controls: AC-2, IA-4, PE-2, PS-4. |
The organization:
a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;
b. Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action];
c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
d. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. |
| CCI-001531 |
The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access. |
The organization conducting the inspection/assessment obtains a list of organizational individuals with active accounts and validates the existence of signed DD Form 2875 (paper or electronic) associated with a sampling of individuals selected from the list. |
The organization being inspected/assessed will ensure all individuals have appropriate access agreements in place prior to being granted access to information and information systems.
DD Form 2875 is the accepted DoD methodology of requesting and granting of access to information and information systems. |
Access Agreements |
PS-6 |
PS-6.4 |
Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy. Related control: PL-4, PS-2, PS-3, PS-4, PS-8. |
The organization:
a. Develops and documents access agreements for organizational information systems;
b. Reviews and updates the access agreements [Assignment: organization-defined frequency]; and
c. Ensures that individuals requiring access to organizational information and information systems:
1. Sign appropriate access agreements prior to being granted access; and
2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency]. |
| CCI-001532 |
The organization reviews and updates access agreements for organizational information systems in accordance with organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the audit trail to ensure review/update occurred annually and departed employees no longer have valid access agreements. |
The organization being inspected/assessed reviews/updates the access agreements annually of employees who have signed access agreements. The purpose of this review/update is to ensure access agreements are current and departed employees no longer have access agreements.
The organization must maintain an audit trail of the review and update activity for review.
DoD has defined the frequency as annually. |
Access Agreements |
PS-6 |
PS-6.2 |
Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy. Related control: PL-4, PS-2, PS-3, PS-4, PS-8. |
The organization:
a. Develops and documents access agreements for organizational information systems;
b. Reviews and updates the access agreements [Assignment: organization-defined frequency]; and
c. Ensures that individuals requiring access to organizational information and information systems:
1. Sign appropriate access agreements prior to being granted access; and
2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency]. |
| CCI-001533 |
The organization defines the frequency with which to review and update access agreements for organizational information systems. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as annually. |
DoD has defined the frequency as annually. |
Access Agreements |
PS-6 |
PS-6.3 |
Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy. Related control: PL-4, PS-2, PS-3, PS-4, PS-8. |
The organization:
a. Develops and documents access agreements for organizational information systems;
b. Reviews and updates the access agreements [Assignment: organization-defined frequency]; and
c. Ensures that individuals requiring access to organizational information and information systems:
1. Sign appropriate access agreements prior to being granted access; and
2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency]. |
| CCI-001534 |
The organization ensures that access to information with special protection measures is granted only to individuals who have a valid access authorization that is demonstrated by assigned official government duties. |
|
|
|
|
|
|
|
| CCI-001535 |
The organization ensures that access to information with special protection measures is granted only to individuals who satisfy associated personnel security criteria. |
|
|
|
|
|
|
|
| CCI-001536 |
The organization ensures that access to classified information requiring special protection is granted only to individuals who have a valid access authorization that is demonstrated by assigned official government duties. |
The organization conducting the inspection/assessment obtains a list of organizational individuals with active accounts and validates the existence of signed DD Form 2875 (paper or electronic) associated with individuals requiring access to classified information with special protection. |
The organization being inspected/assessed will grant access to classified information requiring special protection only to individuals who have a valid access authorization that is demonstrated by assigned official government duties.
DD Form 2875 is the accepted DoD methodology of requesting and granting of access to information and information systems. |
Access Agreements | Classified Information Requiring Special Protection |
PS-6 (2) |
PS-6(2).1 |
Classified information requiring special protection includes, for example, collateral information, Special Access Program (SAP) information, and Sensitive Compartmented Information (SCI). Personnel security criteria reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. |
The organization ensures that access to classified information requiring special protection is granted only to individuals who:
(a) Have a valid access authorization that is demonstrated by assigned official government duties;
(b) Satisfy associated personnel security criteria; and
(c) Have read, understood, and signed a nondisclosure agreement. |
| CCI-001537 |
The organization ensures that access to classified information requiring special protection is granted only to individuals who satisfy associated personnel security criteria. |
The organization conducting the inspection/assessment reviews access agreements; access authorizations; personnel security criteria; along with other relevant documents or records to ensure the organization has granted authorized access to classified information requiring special protection only to those individuals who have satisfied the associated personnel security criteria. |
The organization being inspected/assessed ensures all authorized access to classified information requiring special protection is granted only to those individuals who have satisfied the associated personnel security criteria.
DD Form 2875 is the accepted DoD methodology of requesting and granting of access to information and information systems. |
Access Agreements | Classified Information Requiring Special Protection |
PS-6 (2) |
PS-6(2).2 |
Classified information requiring special protection includes, for example, collateral information, Special Access Program (SAP) information, and Sensitive Compartmented Information (SCI). Personnel security criteria reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. |
The organization ensures that access to classified information requiring special protection is granted only to individuals who:
(a) Have a valid access authorization that is demonstrated by assigned official government duties;
(b) Satisfy associated personnel security criteria; and
(c) Have read, understood, and signed a nondisclosure agreement. |
| CCI-001538 |
The organization ensures that access to classified information requiring special protection is granted only to individuals who have read, understood, and signed a nondisclosure agreement. |
The organization conducting the inspection/assessment obtains and examines the access roster and requests the signed nondisclosure agreements of a sampling of individuals to validate the organization requires all access to classified information requiring special protection is granted only to individuals who have a signed nondisclosure agreement. |
The organization being inspected/assessed grants access to classified information requiring special protection only to individuals who have read, understood, and signed a nondisclosure agreement. |
Access Agreements | Classified Information Requiring Special Protection |
PS-6 (2) |
PS-6(2).3 |
Classified information requiring special protection includes, for example, collateral information, Special Access Program (SAP) information, and Sensitive Compartmented Information (SCI). Personnel security criteria reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. |
The organization ensures that access to classified information requiring special protection is granted only to individuals who:
(a) Have a valid access authorization that is demonstrated by assigned official government duties;
(b) Satisfy associated personnel security criteria; and
(c) Have read, understood, and signed a nondisclosure agreement. |
| CCI-001539 |
The organization establishes personnel security requirements including security roles and responsibilities for third-party providers. |
DoD 5220.22-M, DoD 5220.22-R, DoD 5200.2-R, DoD 8570.01-M and DoDI 3020.41 meet the DoD personnel security requirements including security roles and responsibilities for third-party providers.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoD 5220.22-M, DoD 5220.22-R, DoD 5200.2-R, DoD 8570.01-M and DoDI 3020.41. |
DoD 5220.22-M, DoD 5220.22-R, DoD 5200.2-R, DoD 8570.01-M and DoDI 3020.41 meet the DoD personnel security requirements including security roles and responsibilities for third-party providers.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoD 5220.22-M, DoD 5220.22-R, DoD 5200.2-R, DoD 8570.01-M and DoDI 3020.41. |
Third-Party Personnel Security |
PS-7 |
PS-7.1 |
Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations. Notifications of third-party personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include, for example, functions, roles, and nature of credentials/privileges associated with individuals transferred or terminated. Related controls: PS-2, PS-3, PS-4, PS-5, PS-6, SA-9, SA-21. |
The organization:
a. Establishes personnel security requirements including security roles and responsibilities for third-party providers;
b. Requires third-party providers to comply with personnel security policies and procedures established by the organization;
c. Documents personnel security requirements;
d. Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and
e. Monitors provider compliance. |
| CCI-001540 |
The organization documents personnel security requirements for third-party providers. |
The organization conducting the inspection/assessment obtains and examines the personnel security requirements to ensure the organization being inspected/assessed documents personnel security requirements for third-party providers. |
The organization being inspected/assessed documents personnel security requirements for third-party providers. |
Third-Party Personnel Security |
PS-7 |
PS-7.3 |
Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations. Notifications of third-party personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include, for example, functions, roles, and nature of credentials/privileges associated with individuals transferred or terminated. Related controls: PS-2, PS-3, PS-4, PS-5, PS-6, SA-9, SA-21. |
The organization:
a. Establishes personnel security requirements including security roles and responsibilities for third-party providers;
b. Requires third-party providers to comply with personnel security policies and procedures established by the organization;
c. Documents personnel security requirements;
d. Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and
e. Monitors provider compliance. |
| CCI-001541 |
The organization monitors third-party provider compliance with personnel security requirements. |
The organization conducting the inspection/assessment obtains and examines the audit trail of monitoring activity to ensure the organization being inspected/assessed monitors third-party provider compliance with personnel security requirements. |
The organization being inspected/assessed monitors third-party provider compliance with personnel security requirements.
The organization must maintain an audit trail of monitoring activity. |
Third-Party Personnel Security |
PS-7 |
PS-7.7 |
Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations. Notifications of third-party personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include, for example, functions, roles, and nature of credentials/privileges associated with individuals transferred or terminated. Related controls: PS-2, PS-3, PS-4, PS-5, PS-6, SA-9, SA-21. |
The organization:
a. Establishes personnel security requirements including security roles and responsibilities for third-party providers;
b. Requires third-party providers to comply with personnel security policies and procedures established by the organization;
c. Documents personnel security requirements;
d. Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and
e. Monitors provider compliance. |
| CCI-001542 |
The organization employs a formal sanctions process for individuals failing to comply with established information security policies and procedures. |
The organization conducting the inspection/assessment obtains and examines the organizational security policy to ensure it addresses formal procedures for sanctions and interviews security personnel to validate the organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures. |
The organization being inspected/assessed will develop formal procedures within the organizational security policy to employ formal sanctions for personnel failing to comply with established information security policies and procedures. |
Personnel Sanctions |
PS-8 |
PS-8.1 |
Organizational sanctions processes reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Sanctions processes are described in access agreements and can be included as part of general personnel policies and procedures for organizations. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions. Related controls: PL-4, PS-6. |
The organization:
a. Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and
b. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. |
| CCI-002106 |
The organization documents the access control policy. |
|
|
|
|
|
|
|
| CCI-002107 |
The organization defines the personnel or roles to be recipients of the access control policy necessary to facilitate the implementation of the access control policy and associated access controls. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as all personnel. |
DoD has defined the personnel or roles as all personnel. |
Access Control Policy And Procedures |
AC-1 |
AC-1.1 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the access control policy and associated access controls; and
b. Reviews and updates the current:
1. Access control policy [Assignment: organization-defined frequency]; and
2. Access control procedures [Assignment: organization-defined frequency]. |
| CCI-002108 |
The organization defines the personnel or roles to be recipients of the procedures necessary to facilitate the implementation of the access control policy and associated access controls. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as all personnel. |
DoD has defined the personnel or roles as all personnel. |
Access Control Policy And Procedures |
AC-1 |
AC-1.2 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the access control policy and associated access controls; and
b. Reviews and updates the current:
1. Access control policy [Assignment: organization-defined frequency]; and
2. Access control procedures [Assignment: organization-defined frequency]. |
| CCI-002109 |
The organization documents procedures to facilitate the implementation of the access control policy and associated access controls. |
|
|
|
|
|
|
|
| CCI-002110 |
The organization defines the information system account types that support the organizational missions/business functions. |
The organization conducting the inspection/assessment obtains and examines the documented information system account types to ensure the organization being inspected/assessed defines the information system account types that support the organizational missions/business functions.
DoD has determined the information system account types are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information system account types that support the organizational missions/business functions.
DoD has determined the information system account types are not appropriate to define at the Enterprise level. |
Account Management |
AC-2 |
AC-2.1 |
Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. |
The organization:
a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
h. Notifies account managers:
1. When accounts are no longer required;
2. When users are terminated or transferred; and
3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on:
1. A valid access authorization;
2. Intended system usage; and
3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. |
| CCI-002111 |
The organization identifies and selects the organization-defined information system account types of information system accounts which support organizational missions/business functions. |
The account types are defined per AC-2, CCI 2110. |
The account types are defined per AC-2, CCI 2110. |
Account Management |
AC-2 |
AC-2.2 |
Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. |
The organization:
a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
h. Notifies account managers:
1. When accounts are no longer required;
2. When users are terminated or transferred; and
3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on:
1. A valid access authorization;
2. Intended system usage; and
3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. |
| CCI-002112 |
The organization assigns account managers for information system accounts. |
The organization conducting the inspection/assessment obtains and examines the documented appointment of management personnel to ensure that the organization being inspected/assessed has documented personnel responsible for the management of system accounts. |
The organization being inspected/assessed documents personnel responsible for the management of system accounts. |
Account Management |
AC-2 |
AC-2.3 |
Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. |
The organization:
a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
h. Notifies account managers:
1. When accounts are no longer required;
2. When users are terminated or transferred; and
3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on:
1. A valid access authorization;
2. Intended system usage; and
3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. |
| CCI-002113 |
The organization establishes conditions for role membership. |
The organization conducting the inspection/assessment obtains and examines the documented conditions for adding accounts as members of roles to ensure that the conditions are established. |
The organization being inspected/assessed documents conditions for adding accounts as members of roles. |
Account Management |
AC-2 |
AC-2.5 |
Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. |
The organization:
a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
h. Notifies account managers:
1. When accounts are no longer required;
2. When users are terminated or transferred; and
3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on:
1. A valid access authorization;
2. Intended system usage; and
3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. |
| CCI-002114 |
The organization specifies authorized users of the information system for each account. |
|
|
|
|
|
|
|
| CCI-002115 |
The organization specifies authorized users of the information system. |
The organization conducting the inspection/assessment obtains and examines the documented list of authorized users for a sampling of information system accounts to ensure that the authorized users are specified. |
The organization being inspected/assessed documents authorized users of the information system. |
Account Management |
AC-2 |
AC-2.6 |
Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. |
The organization:
a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
h. Notifies account managers:
1. When accounts are no longer required;
2. When users are terminated or transferred; and
3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on:
1. A valid access authorization;
2. Intended system usage; and
3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. |
| CCI-002116 |
The organization specifies authorized group membership on the information system. |
The organization conducting the inspection/assessment obtains and examines the documented list of authorized groups for a sampling of information system accounts to ensure that the authorized groups are specified. |
The organization being inspected/assessed documents authorized group membership on the information system. |
Account Management |
AC-2 |
AC-2.7 |
Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. |
The organization:
a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
h. Notifies account managers:
1. When accounts are no longer required;
2. When users are terminated or transferred; and
3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on:
1. A valid access authorization;
2. Intended system usage; and
3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. |
| CCI-002117 |
The organization specifies authorized role membership on the information system. |
The organization conducting the inspection/assessment obtains and examines the documented list of authorized roles for a sampling of information system accounts to ensure that the authorized roles are specified |
The organization being inspected/assessed documents authorized role membership on the information system. |
Account Management |
AC-2 |
AC-2.8 |
Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. |
The organization:
a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
h. Notifies account managers:
1. When accounts are no longer required;
2. When users are terminated or transferred; and
3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on:
1. A valid access authorization;
2. Intended system usage; and
3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. |
| CCI-002118 |
The organization specifies access authorizations (i.e., privileges) for each account on the information system. |
The organization conducting the inspection/assessment obtains and examines the documented list of access authorizations for a sampling of information system accounts to ensure that the access authorizations are specified. |
The organization being inspected/assessed documents access authorizations (i.e., privileges) for each account on the information system. |
Account Management |
AC-2 |
AC-2.9 |
Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. |
The organization:
a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
h. Notifies account managers:
1. When accounts are no longer required;
2. When users are terminated or transferred; and
3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on:
1. A valid access authorization;
2. Intended system usage; and
3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. |
| CCI-002119 |
The organization specifies other attributes for each account on the information system. |
The organization conducting the inspection/assessment obtains and examines the documented list of other attributes for a sampling of information system accounts to ensure that other attributes are specified. |
The organization being inspected/assessed documents other attributes for each account on the information system. |
Account Management |
AC-2 |
AC-2.10 |
Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. |
The organization:
a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
h. Notifies account managers:
1. When accounts are no longer required;
2. When users are terminated or transferred; and
3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on:
1. A valid access authorization;
2. Intended system usage; and
3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. |
| CCI-002120 |
The organization defines the personnel or roles authorized to approve the creation of information system accounts. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as the ISSM or ISSO. |
DoD has defined the personnel or roles as the ISSM or ISSO. |
Account Management |
AC-2 |
AC-2.12 |
Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. |
The organization:
a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
h. Notifies account managers:
1. When accounts are no longer required;
2. When users are terminated or transferred; and
3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on:
1. A valid access authorization;
2. Intended system usage; and
3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. |
| CCI-002121 |
The organization defines the procedures or conditions to be employed when creating, enabling, modifying, disabling, and removing information system accounts. |
The organization conducting the inspection/assessment obtains and examines the documented procedures or conditions to ensure the organization being inspected/assessed defines the procedures or conditions to be employed when creating, enabling, modifying, disabling, and removing information system accounts.
DoD has determined the procedures or conditions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the procedures or conditions to be employed when creating, enabling, modifying, disabling, and removing information system accounts.
DoD has determined the procedures or conditions are not appropriate to define at the Enterprise level. |
Account Management |
AC-2 |
AC-2.14 |
Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. |
The organization:
a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
h. Notifies account managers:
1. When accounts are no longer required;
2. When users are terminated or transferred; and
3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on:
1. A valid access authorization;
2. Intended system usage; and
3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. |
| CCI-002122 |
The organization monitors the use of information system accounts. |
The organization conducting the inspection/assessment obtains and examines the audit trail to ensure that the organization being inspected/assessed implements a process to monitor the use of information system accounts. |
The organization being inspected/assessed implements a process to monitor the use of information system accounts. |
Account Management |
AC-2 |
AC-2.15 |
Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. |
The organization:
a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
h. Notifies account managers:
1. When accounts are no longer required;
2. When users are terminated or transferred; and
3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on:
1. A valid access authorization;
2. Intended system usage; and
3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. |
| CCI-002123 |
The organization notifies account managers when accounts are no longer required. |
The organization conducting the inspection/assessment obtains and examines the audit trail of notifications to ensure the organization being inspected/assessed implements a process to notify account managers when accounts are no longer required. |
The organization being inspected/assessed implements a process to notify account managers when accounts are no longer required.
The organization being inspected/assessed maintains an audit trail of notifications. |
Account Management |
AC-2 |
AC-2.16 |
Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. |
The organization:
a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
h. Notifies account managers:
1. When accounts are no longer required;
2. When users are terminated or transferred; and
3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on:
1. A valid access authorization;
2. Intended system usage; and
3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. |
| CCI-002124 |
The organization notifies account managers when users are terminated or transferred. |
The organization conducting the inspection/assessment obtains and examines the audit trail of notifications to ensure the organization being inspected/assessed implements a process to notify account managers when users are terminated or transferred. |
The organization being inspected/assessed implements a process to notify account managers when users are terminated or transferred.
The organization being inspected/assessed maintains an audit trail of notifications. |
Account Management |
AC-2 |
AC-2.17 |
Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. |
The organization:
a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
h. Notifies account managers:
1. When accounts are no longer required;
2. When users are terminated or transferred; and
3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on:
1. A valid access authorization;
2. Intended system usage; and
3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. |
| CCI-002125 |
The organization notifies account managers when individual information system usage or need-to-know changes. |
The organization conducting the inspection/assessment obtains and examines the audit trail of notifications to ensure the organization being inspected/assessed implements a process to notify account managers when individual information system usage or need-to-know changes. |
The organization being inspected/assessed implements a process to notify account managers when individual information system usage or need-to-know changes.
The organization being inspected/assessed maintains an audit trail of notifications. |
Account Management |
AC-2 |
AC-2.18 |
Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. |
The organization:
a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
h. Notifies account managers:
1. When accounts are no longer required;
2. When users are terminated or transferred; and
3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on:
1. A valid access authorization;
2. Intended system usage; and
3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. |
| CCI-002126 |
The organization authorizes access to the information system based on a valid access authorization. |
The organization conducting the inspection/assessment obtains and examines the audit trail of approved access to ensure the organization being inspected/assessed authorizes access to the information system based on the access authorization process. |
The organization being inspected/assessed authorizes access to the information system based on the access authorization process.
The organization being inspected/assessed maintains an audit trail of approved access. |
Account Management |
AC-2 |
AC-2.19 |
Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. |
The organization:
a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
h. Notifies account managers:
1. When accounts are no longer required;
2. When users are terminated or transferred; and
3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on:
1. A valid access authorization;
2. Intended system usage; and
3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. |
| CCI-002127 |
The organization authorizes access to the information system based on intended system usage. |
The organization conducting the inspection/assessment obtains and examines the audit trail of approved access to ensure the organization being inspected/assessed authorizes access to the information system based on intended system usage. |
The organization being inspected/assessed authorizes access to the information system based on intended system usage.
The organization being inspected/assessed maintains an audit trail of approved access. |
Account Management |
AC-2 |
AC-2.20 |
Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. |
The organization:
a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
h. Notifies account managers:
1. When accounts are no longer required;
2. When users are terminated or transferred; and
3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on:
1. A valid access authorization;
2. Intended system usage; and
3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. |
| CCI-002128 |
The organization authorizes access to the information system based on other attributes as required by the organization or associated missions/business functions. |
The organization conducting the inspection/assessment obtains and examines the audit trail of approved access to ensure the organization being inspected/assessed authorizes access to the information system based on other attributes as required by the organization or associated missions/business functions. |
The organization being inspected/assessed authorizes access to the information system based on other attributes as required by the organization or associated missions/business functions.
The organization being inspected/assessed maintains an audit trail of approved access. |
Account Management |
AC-2 |
AC-2.21 |
Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. |
The organization:
a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
h. Notifies account managers:
1. When accounts are no longer required;
2. When users are terminated or transferred; and
3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on:
1. A valid access authorization;
2. Intended system usage; and
3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. |
| CCI-002129 |
The organization establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. |
The organization conducting the inspection/assessment obtains and examines the account management procedures to ensure the organization being inspected/assessed includes in the account management procedures a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. |
The organization being inspected/assessed includes in the account management procedures a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. |
Account Management |
AC-2 |
AC-2.24 |
Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. |
The organization:
a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
h. Notifies account managers:
1. When accounts are no longer required;
2. When users are terminated or transferred; and
3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on:
1. A valid access authorization;
2. Intended system usage; and
3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. |
| CCI-002130 |
The information system automatically audits account enabling actions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to automatically audit account enabling actions.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2130. |
The organization being inspected/assessed configures the information system to automatically audit account enabling actions.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2130. |
Account Management | Automated Audit Actions |
AC-2 (4) |
AC-2(4).9 |
Related controls: AU-2, AU-12. |
The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles]. |
| CCI-002131 |
The organization defines the personnel or roles to be notified on account creation, modification, enabling, disabling, and removal actions. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as the system administrator and ISSO. |
DoD has defined the personnel or roles as the system administrator and ISSO. |
Account Management | Automated Audit Actions |
AC-2 (4) |
AC-2(4).10 |
Related controls: AU-2, AU-12. |
The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles]. |
| CCI-002132 |
The information system notifies organization-defined personnel or roles for account enabling actions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to notify the system administrator and ISSO for account enabling actions.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2132.
DoD has defined the personnel or roles as the system administrator and ISSO. |
The organization being inspected/assessed configures the information system to notify the system administrator and ISSO for account enabling actions.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2132.
DoD has defined the personnel or roles as the system administrator and ISSO. |
Account Management | Automated Audit Actions |
AC-2 (4) |
AC-2(4).11 |
Related controls: AU-2, AU-12. |
The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles]. |
| CCI-002133 |
The organization defines other conditions when users are required to log out. |
The organization conducting the inspection/assessment obtains and examines the documented conditions to ensure they have been defined.
DoD has determined the conditions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the other conditions when users are required to log out.
DoD has determined the conditions are not appropriate to define at the Enterprise level. |
Account Management | Inactivity Logout |
AC-2 (5) |
AC-2(5).1 |
Related control: SC-23. |
The organization requires that users log out when [Assignment: organization-defined time-period of expected inactivity or description of when to log out]. |
| CCI-002134 |
The organization defines a list of dynamic privilege management capabilities to be implemented by the information system. |
The organization conducting the inspection/assessment obtains and examines the documented list to ensure the dynamic privilege management capabilities have been defined.
DoD has determined the list is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents a list of dynamic privilege management capabilities to be implemented by the information system.
DoD has determined the list is not appropriate to define at the Enterprise level. |
Account Management | Dynamic Privilege Management |
AC-2 (6) |
AC-2(6).1 |
In contrast to conventional access control approaches which employ static information system accounts and predefined sets of user privileges, dynamic access control approaches (e.g., service-oriented architectures) rely on run time access control decisions facilitated by dynamic privilege management. While user identities may remain relatively constant over time, user privileges may change more frequently based on ongoing mission/business requirements and operational needs of organizations. Dynamic privilege management can include, for example, the immediate revocation of privileges from users, as opposed to requiring that users terminate and restart their sessions to reflect any changes in privileges. Dynamic privilege management can also refer to mechanisms that change the privileges of users based on dynamic rules as opposed to editing specific user profiles. This type of privilege management includes, for example, automatic adjustments of privileges if users are operating out of their normal work times, or if information systems are under duress or in emergency maintenance situations. This control enhancement also includes the ancillary effects of privilege changes, for example, the potential changes to encryption keys used for communications. Dynamic privilege management can support requirements for information system resiliency. Related control: AC-16. |
The information system implements the following dynamic privilege management capabilities: [Assignment: organization-defined list of dynamic privilege management capabilities]. |
| CCI-002135 |
The information system implements the organization-defined list of dynamic privilege management capabilities. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement the list of dynamic privilege management capabilities defined in AC-2 (6), CCI 2134.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2135. |
The organization being inspected/assessed configures the information system to implement the list of dynamic privilege management capabilities defined in AC-2 (6), CCI 2134.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2135. |
Account Management | Dynamic Privilege Management |
AC-2 (6) |
AC-2(6).2 |
In contrast to conventional access control approaches which employ static information system accounts and predefined sets of user privileges, dynamic access control approaches (e.g., service-oriented architectures) rely on run time access control decisions facilitated by dynamic privilege management. While user identities may remain relatively constant over time, user privileges may change more frequently based on ongoing mission/business requirements and operational needs of organizations. Dynamic privilege management can include, for example, the immediate revocation of privileges from users, as opposed to requiring that users terminate and restart their sessions to reflect any changes in privileges. Dynamic privilege management can also refer to mechanisms that change the privileges of users based on dynamic rules as opposed to editing specific user profiles. This type of privilege management includes, for example, automatic adjustments of privileges if users are operating out of their normal work times, or if information systems are under duress or in emergency maintenance situations. This control enhancement also includes the ancillary effects of privilege changes, for example, the potential changes to encryption keys used for communications. Dynamic privilege management can support requirements for information system resiliency. Related control: AC-16. |
The information system implements the following dynamic privilege management capabilities: [Assignment: organization-defined list of dynamic privilege management capabilities]. |
| CCI-002136 |
The organization defines the actions to be taken when privileged role assignments are no longer appropriate. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the actions as disables (or revokes) privileged user account. |
DoD has defined the actions as disables (or revokes) privileged user account. |
Account Management | Role-Based Schemes |
AC-2 (7) |
AC-2(7).4 |
Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. These privileged roles include, for example, key management, account management, network and system administration, database administration, and web administration. |
The organization:
(a) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;
(b) Monitors privileged role assignments; and
(c) Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate. |
| CCI-002137 |
The organization takes organization-defined actions when privileged role assignments are no longer appropriate. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of actions taken to ensure the organization being inspected/assessed disables (or revokes) the privileged user account when privileged role assignments are no longer appropriate.
DoD has defined the actions as disables (or revokes) privileged user account. |
The organization being inspected/assessed documents and implements a process to disable (or revoke) the privileged user account when privileged role assignments are no longer appropriate.
The organization must maintain an audit trail of the actions taken.
DoD has defined the actions as disables (or revokes) privileged user account. |
Account Management | Role-Based Schemes |
AC-2 (7) |
AC-2(7).5 |
Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. These privileged roles include, for example, key management, account management, network and system administration, database administration, and web administration. |
The organization:
(a) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;
(b) Monitors privileged role assignments; and
(c) Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate. |
| CCI-002138 |
The organization defines the information system accounts that can be dynamically created. |
The organization conducting the inspection/assessment obtains and examines the documented information system accounts to ensure they have been defined.
DoD has determined the information system accounts are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information system accounts that can be dynamically created.
DoD has determined the information system accounts are not appropriate to define at the Enterprise level. |
Account Management | Dynamic Account Creation |
AC-2 (8) |
AC-2(8).1 |
Dynamic approaches for creating information system accounts (e.g., as implemented within service-oriented architectures) rely on establishing accounts (identities) at run time for entities that were previously unknown. Organizations plan for dynamic creation of information system accounts by establishing trust relationships and mechanisms with the appropriate authorities to validate related authorizations and privileges. Related control: AC-16. |
The information system creates [Assignment: organization-defined information system accounts] dynamically. |
| CCI-002139 |
The information system creates organization-defined information system accounts dynamically. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to dynamically create information system accounts defined in AC-2 (8), CCI 2138.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2139. |
The organization being inspected/assessed configures the information system to dynamically create information system accounts defined in AC-2 (8), CCI 2138.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2139. |
Account Management | Dynamic Account Creation |
AC-2 (8) |
AC-2(8).2 |
Dynamic approaches for creating information system accounts (e.g., as implemented within service-oriented architectures) rely on establishing accounts (identities) at run time for entities that were previously unknown. Organizations plan for dynamic creation of information system accounts by establishing trust relationships and mechanisms with the appropriate authorities to validate related authorizations and privileges. Related control: AC-16. |
The information system creates [Assignment: organization-defined information system accounts] dynamically. |
| CCI-002140 |
The organization defines the conditions for establishing shared/group accounts. |
The organization conducting the inspection/assessment obtains and examines the documented conditions to ensure they have been defined.
DoD has determined the conditions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the conditions for establishing shared/group accounts.
DoD has determined the conditions are not appropriate to define at the Enterprise level. |
Account Management | Restrictions On Use Of Shared Groups / Accounts |
AC-2 (9) |
AC-2(9).1 |
|
The organization only permits the use of shared/group accounts that meet [Assignment: organization-defined conditions for establishing shared/group accounts]. |
| CCI-002141 |
The organization only permits the use of shared/group accounts that meet organization-defined conditions for establishing shared/group accounts. |
The organization conducting the inspection/assessment examines the shared/group accounts to ensure the organization being inspected/assessed only permits the use of shared/group accounts that meet the conditions for establishing shared/group accounts defined in AC-2 (9), CCI 2140. |
The organization being inspected/assessed only permits the use of shared/group accounts that meet the conditions for establishing shared/group accounts defined in AC-2 (9), CCI 2140. |
Account Management | Restrictions On Use Of Shared Groups / Accounts |
AC-2 (9) |
AC-2(9).2 |
|
The organization only permits the use of shared/group accounts that meet [Assignment: organization-defined conditions for establishing shared/group accounts]. |
| CCI-002142 |
The information system terminates shared/group account credentials when members leave the group. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to terminate shared/group account credentials when members leave the group.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2142. |
The organization being inspected/assessed configures the information system to terminate shared/group account credentials when members leave the group.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2142. |
Account Management | Shared / Group Account Credential Termination |
AC-2 (10) |
AC-2(10).1 |
|
The information system terminates shared/group account credentials when members leave the group. |
| CCI-002143 |
The organization defines the circumstances and/or usage conditions that are to be enforced for organization-defined information system accounts. |
The organization conducting the inspection/assessment obtains and examines the documented circumstances and/or usage conditions to ensure they have been defined.
DoD has determined the circumstances and/or usage conditions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the circumstances and/or usage conditions that are to be enforced for organization-defined information system accounts.
DoD has determined the circumstances and/or usage conditions are not appropriate to define at the Enterprise level. |
Account Management | Usage Conditions |
AC-2 (11) |
AC-2(11).1 |
Organizations can describe the specific conditions or circumstances under which information system accounts can be used, for example, by restricting usage to certain days of the week, time of day, or specific durations of time. |
The information system enforces [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined information system accounts]. |
| CCI-002144 |
The organization defines the information system accounts that are to be subject to the enforcement of organization-defined circumstances and/or usage conditions. |
The organization conducting the inspection/assessment obtains and examines the documented information system accounts to ensure they have been defined.
DoD has determined the information system accounts are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information system accounts that are to be subject to the enforcement of organization-defined circumstances and/or usage conditions.
DoD has determined the information system accounts are not appropriate to define at the Enterprise level. |
Account Management | Usage Conditions |
AC-2 (11) |
AC-2(11).2 |
Organizations can describe the specific conditions or circumstances under which information system accounts can be used, for example, by restricting usage to certain days of the week, time of day, or specific durations of time. |
The information system enforces [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined information system accounts]. |
| CCI-002145 |
The information system enforces organization-defined circumstances and/or usage conditions for organization-defined information system accounts. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce the circumstances and/or usage conditions defined in AC-2 (11), CCI 2143 for information system accounts defined in AC-2 (11), CCI 2144.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2145. |
The organization being inspected/assessed configures the information system to enforce the circumstances and/or usage conditions defined in AC-2 (11), CCI 2143 for information system accounts defined in AC-2 (11), CCI 2144.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2145. |
Account Management | Usage Conditions |
AC-2 (11) |
AC-2(11).3 |
Organizations can describe the specific conditions or circumstances under which information system accounts can be used, for example, by restricting usage to certain days of the week, time of day, or specific durations of time. |
The information system enforces [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined information system accounts]. |
| CCI-002146 |
The organization defines atypical usage for which the information system accounts are to be monitored. |
The organization conducting the inspection/assessment obtains and examines the documented atypical usage to ensure it has been defined.
DoD has determined atypical usage is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents atypical usage for which the information system accounts are to be monitored.
DoD has determined atypical usage is not appropriate to define at the Enterprise level. |
Account Management | Account Monitoring / Atypical Usage |
AC-2 (12) |
AC-2(12).1 |
Atypical usage includes, for example, accessing information systems at certain times of the day and from locations that are not consistent with the normal usage patterns of individuals working in organizations. Related control: CA-7. |
The organization:
(a) Monitors information system accounts for [Assignment: organization-defined atypical use]; and
(b) Reports atypical usage of information system accounts to [Assignment: organization-defined personnel or roles]. |
| CCI-002147 |
The organization monitors information system accounts for organization-defined atypical use. |
The organization conducting the inspection/assessment obtains and examines the audit trail of monitoring to ensure the organization being inspected/assessed monitors information system accounts for atypical use defined in AC-2 (12), CCI 2146. |
The organization being inspected/assessed monitors information system accounts for atypical use defined in AC-2 (12), CCI 2146.
The organization must maintain an audit trail of monitoring. |
Account Management | Account Monitoring / Atypical Usage |
AC-2 (12) |
AC-2(12).2 |
Atypical usage includes, for example, accessing information systems at certain times of the day and from locations that are not consistent with the normal usage patterns of individuals working in organizations. Related control: CA-7. |
The organization:
(a) Monitors information system accounts for [Assignment: organization-defined atypical use]; and
(b) Reports atypical usage of information system accounts to [Assignment: organization-defined personnel or roles]. |
| CCI-002148 |
The organization defines the personnel or roles to whom atypical usage of information system accounts are to be reported. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as at a minimum, the ISSO. |
DoD has defined the personnel or roles as at a minimum, the ISSO. |
Account Management | Account Monitoring / Atypical Usage |
AC-2 (12) |
AC-2(12).3 |
Atypical usage includes, for example, accessing information systems at certain times of the day and from locations that are not consistent with the normal usage patterns of individuals working in organizations. Related control: CA-7. |
The organization:
(a) Monitors information system accounts for [Assignment: organization-defined atypical use]; and
(b) Reports atypical usage of information system accounts to [Assignment: organization-defined personnel or roles]. |
| CCI-002149 |
The organization reports atypical usage of information system accounts to organization-defined personnel or roles. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of reporting to ensure the organization being inspected/assessed reports atypical usage defined in AC-2 (12), CCI 2146 of information system accounts to at a minimum, the ISSO.
DoD has defined the personnel or roles as at a minimum, the ISSO. |
The organization being inspected/assessed documents and implements a process to report atypical usage defined in AC-2 (12), CCI 2146 of information system accounts to at a minium, the ISSO.
The organization must maintain an audit trail of reporting.
DoD has defined the personnel or roles as at a minium, the ISSO. |
Account Management | Account Monitoring / Atypical Usage |
AC-2 (12) |
AC-2(12).4 |
Atypical usage includes, for example, accessing information systems at certain times of the day and from locations that are not consistent with the normal usage patterns of individuals working in organizations. Related control: CA-7. |
The organization:
(a) Monitors information system accounts for [Assignment: organization-defined atypical use]; and
(b) Reports atypical usage of information system accounts to [Assignment: organization-defined personnel or roles]. |
| CCI-002150 |
The organization defines the time period within which the accounts of users posing a significant risk are to be disabled after discovery of the risk. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as 30 minutes unless otherwise defined in formal organizational policy.
|
DoD has defined the time period as 30 minutes unless otherwise defined in formal organizational policy.
|
Account Management | Disable Accounts For High-Risk Individuals |
AC-2 (13) |
AC-2(13).1 |
Users posing a significant risk to organizations include individuals for whom reliable evidence or intelligence indicates either the intention to use authorized access to information systems to cause harm or through whom adversaries will cause harm. Harm includes potential adverse impacts to organizational operations and assets, individuals, other organizations, or the Nation. Close coordination between authorizing officials, information system administrators, and human resource managers is essential in order for timely execution of this control enhancement. Related control: PS-4. |
The organization disables accounts of users posing a significant risk within [Assignment: organization-defined time period] of discovery of the risk. |
| CCI-002151 |
The organization disables accounts of users posing a significant risk within an organization-defined time period of discovery of the risk. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed disables accounts of users posing a significant risk within 30 minutes unless otherwise defined in formal organizational policy.
DoD has defined the time period as 30 minutes unless otherwise defined in formal organizational policy.
|
The organization being inspected/assessed documents and implements a process to disable accounts of users posing a significant risk within 30 minutes unless otherwise defined in formal organizational policy.
DoD has defined the time period as 30 minutes unless otherwise defined in formal organizational policy.
|
Account Management | Disable Accounts For High-Risk Individuals |
AC-2 (13) |
AC-2(13).2 |
Users posing a significant risk to organizations include individuals for whom reliable evidence or intelligence indicates either the intention to use authorized access to information systems to cause harm or through whom adversaries will cause harm. Harm includes potential adverse impacts to organizational operations and assets, individuals, other organizations, or the Nation. Close coordination between authorizing officials, information system administrators, and human resource managers is essential in order for timely execution of this control enhancement. Related control: PS-4. |
The organization disables accounts of users posing a significant risk within [Assignment: organization-defined time period] of discovery of the risk. |
| CCI-002152 |
The organization defines other actions necessary for which dual authorization is to be enforced. |
The organization conducting the inspection/assessment obtains and examines the documented actions to ensure they have been defined.
DoD has determined the other actions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the other actions necessary for which dual authorization is to be enforced.
DoD has determined the other actions are not appropriate to define at the Enterprise level. |
Access Enforcement | Dual Authorization |
AC-3 (2) |
AC-3(2).3 |
Dual authorization mechanisms require the approval of two authorized individuals in order to execute. Organizations do not require dual authorization mechanisms when immediate responses are necessary to ensure public and environmental safety. Dual authorization may also be known as two-person control. Related controls: CP-9, MP-6. |
The information system enforces dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions]. |
| CCI-002153 |
The organization defines the mandatory access control policies that are to be enforced over all subjects and objects. |
The organization conducting the inspection/assessment obtains and examines the documented mandatory access control policies to ensure they have been defined.
DoD has determined the mandatory access control policies are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the mandatory access control policies that are to be enforced over all subjects and objects.
DoD has determined the mandatory access control policies are not appropriate to define at the Enterprise level. |
Access Enforcement | Mandatory Access Control |
AC-3 (3) |
AC-3(3).1 |
Mandatory access control as defined in this control enhancement is synonymous with nondiscretionary access control, and is not constrained only to certain historical uses (e.g., implementations using the Bell-LaPadula Model). The above class of mandatory access control policies constrains what actions subjects can take with information obtained from data objects for which they have already been granted access, thus preventing the subjects from passing the information to unauthorized subjects and objects. This class of mandatory access control policies also constrains what actions subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the information system has control. Otherwise, the access control policy can be circumvented. This enforcement typically is provided via an implementation that meets the reference monitor concept (see AC-25). The policy is bounded by the information system boundary (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect). The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-6). Trusted subjects are only given the minimum privileges relative to the above policy necessary for satisfying organizational mission/business needs. The control is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes a policy regarding access to sensitive/classified information and some users of the information system are not authorized access to all sensitive/classified information resident in the information system. This control can operate in conjunction with AC-3 (4). A subject that is constrained in its operation by policies governed by this control is still able to operate under the less rigorous constraints of AC-3 (4), but policies governed by this control take precedence over the less rigorous constraints of AC-3 (4). For example, while a mandatory access control policy imposes a constraint preventing a subject from passing information to another subject operating at a different sensitivity label, AC-3 (4) permits the subject to pass the information to any subject with the same sensitivity label as the subject. Related controls: AC-25, SC-11. |
The information system enforces [Assignment: organization-defined mandatory access control policies] over all subjects and objects where the policy specifies that:
(a) The policy is uniformly enforced across all subjects and objects within the boundary of the information system;
(b) A subject that has been granted access to information is constrained from doing any of the following;
(1) Passing the information to unauthorized subjects or objects;
(2) Granting its privileges to other subjects;
(3) Changing one or more security attributes on subjects, objects, the information system, or information system components;
(4) Choosing the security attributes and attribute values to be associated with newly created or modified objects; or
(5) Changing the rules governing access control; and
(c) [Assignment: Organized-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints. |
| CCI-002154 |
The mandatory access control policy specifies that the policy is uniformly enforced across all subjects and objects within the boundary of the information system. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to uniformly enforce the mandatory access control policies defined in AC-3 (3), CCI 2153 across all subjects and objects within the boundary of the information system
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2154. |
The organization being inspected/assessed configures the information system to uniformly enforce the mandatory access control policies defined in AC-3 (3), CCI 2153 across all subjects and objects within the boundary of the information system
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2154. |
Access Enforcement | Mandatory Access Control |
AC-3 (3) |
AC-3(3).2 |
Mandatory access control as defined in this control enhancement is synonymous with nondiscretionary access control, and is not constrained only to certain historical uses (e.g., implementations using the Bell-LaPadula Model). The above class of mandatory access control policies constrains what actions subjects can take with information obtained from data objects for which they have already been granted access, thus preventing the subjects from passing the information to unauthorized subjects and objects. This class of mandatory access control policies also constrains what actions subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the information system has control. Otherwise, the access control policy can be circumvented. This enforcement typically is provided via an implementation that meets the reference monitor concept (see AC-25). The policy is bounded by the information system boundary (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect). The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-6). Trusted subjects are only given the minimum privileges relative to the above policy necessary for satisfying organizational mission/business needs. The control is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes a policy regarding access to sensitive/classified information and some users of the information system are not authorized access to all sensitive/classified information resident in the information system. This control can operate in conjunction with AC-3 (4). A subject that is constrained in its operation by policies governed by this control is still able to operate under the less rigorous constraints of AC-3 (4), but policies governed by this control take precedence over the less rigorous constraints of AC-3 (4). For example, while a mandatory access control policy imposes a constraint preventing a subject from passing information to another subject operating at a different sensitivity label, AC-3 (4) permits the subject to pass the information to any subject with the same sensitivity label as the subject. Related controls: AC-25, SC-11. |
The information system enforces [Assignment: organization-defined mandatory access control policies] over all subjects and objects where the policy specifies that:
(a) The policy is uniformly enforced across all subjects and objects within the boundary of the information system;
(b) A subject that has been granted access to information is constrained from doing any of the following;
(1) Passing the information to unauthorized subjects or objects;
(2) Granting its privileges to other subjects;
(3) Changing one or more security attributes on subjects, objects, the information system, or information system components;
(4) Choosing the security attributes and attribute values to be associated with newly created or modified objects; or
(5) Changing the rules governing access control; and
(c) [Assignment: Organized-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints. |
| CCI-002155 |
The mandatory access control policy specifies that a subject that has been granted access to information is constrained from passing the information to unauthorized subjects or objects. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce the mandatory access control policies defined in AC-3 (3), CCI 2153 which specifies that a subject that has been granted access to information is constrained from passing the information to unauthorized subjects or objects.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2155. |
The organization being inspected/assessed configures the information system to enforce the mandatory access control policies defined in AC-3 (3), CCI 2153 which specifies that a subject that has been granted access to information is constrained from passing the information to unauthorized subjects or objects.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2155. |
Access Enforcement | Mandatory Access Control |
AC-3 (3) |
AC-3(3).3 |
Mandatory access control as defined in this control enhancement is synonymous with nondiscretionary access control, and is not constrained only to certain historical uses (e.g., implementations using the Bell-LaPadula Model). The above class of mandatory access control policies constrains what actions subjects can take with information obtained from data objects for which they have already been granted access, thus preventing the subjects from passing the information to unauthorized subjects and objects. This class of mandatory access control policies also constrains what actions subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the information system has control. Otherwise, the access control policy can be circumvented. This enforcement typically is provided via an implementation that meets the reference monitor concept (see AC-25). The policy is bounded by the information system boundary (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect). The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-6). Trusted subjects are only given the minimum privileges relative to the above policy necessary for satisfying organizational mission/business needs. The control is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes a policy regarding access to sensitive/classified information and some users of the information system are not authorized access to all sensitive/classified information resident in the information system. This control can operate in conjunction with AC-3 (4). A subject that is constrained in its operation by policies governed by this control is still able to operate under the less rigorous constraints of AC-3 (4), but policies governed by this control take precedence over the less rigorous constraints of AC-3 (4). For example, while a mandatory access control policy imposes a constraint preventing a subject from passing information to another subject operating at a different sensitivity label, AC-3 (4) permits the subject to pass the information to any subject with the same sensitivity label as the subject. Related controls: AC-25, SC-11. |
The information system enforces [Assignment: organization-defined mandatory access control policies] over all subjects and objects where the policy specifies that:
(a) The policy is uniformly enforced across all subjects and objects within the boundary of the information system;
(b) A subject that has been granted access to information is constrained from doing any of the following;
(1) Passing the information to unauthorized subjects or objects;
(2) Granting its privileges to other subjects;
(3) Changing one or more security attributes on subjects, objects, the information system, or information system components;
(4) Choosing the security attributes and attribute values to be associated with newly created or modified objects; or
(5) Changing the rules governing access control; and
(c) [Assignment: Organized-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints. |
| CCI-002156 |
The mandatory access control policy specifies that a subject that has been granted access to information is constrained from granting its privileges to other subjects. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce the mandatory access control policies defined in AC-3 (3), CCI 2153 which specifies that a subject that has been granted access to information is constrained from granting its privileges to other subjects.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2156. |
The organization being inspected/assessed configures the information system to enforce the mandatory access control policies defined in AC-3 (3), CCI 2153 which specifies that a subject that has been granted access to information is constrained from granting its privileges to other subjects.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2156. |
Access Enforcement | Mandatory Access Control |
AC-3 (3) |
AC-3(3).4 |
Mandatory access control as defined in this control enhancement is synonymous with nondiscretionary access control, and is not constrained only to certain historical uses (e.g., implementations using the Bell-LaPadula Model). The above class of mandatory access control policies constrains what actions subjects can take with information obtained from data objects for which they have already been granted access, thus preventing the subjects from passing the information to unauthorized subjects and objects. This class of mandatory access control policies also constrains what actions subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the information system has control. Otherwise, the access control policy can be circumvented. This enforcement typically is provided via an implementation that meets the reference monitor concept (see AC-25). The policy is bounded by the information system boundary (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect). The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-6). Trusted subjects are only given the minimum privileges relative to the above policy necessary for satisfying organizational mission/business needs. The control is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes a policy regarding access to sensitive/classified information and some users of the information system are not authorized access to all sensitive/classified information resident in the information system. This control can operate in conjunction with AC-3 (4). A subject that is constrained in its operation by policies governed by this control is still able to operate under the less rigorous constraints of AC-3 (4), but policies governed by this control take precedence over the less rigorous constraints of AC-3 (4). For example, while a mandatory access control policy imposes a constraint preventing a subject from passing information to another subject operating at a different sensitivity label, AC-3 (4) permits the subject to pass the information to any subject with the same sensitivity label as the subject. Related controls: AC-25, SC-11. |
The information system enforces [Assignment: organization-defined mandatory access control policies] over all subjects and objects where the policy specifies that:
(a) The policy is uniformly enforced across all subjects and objects within the boundary of the information system;
(b) A subject that has been granted access to information is constrained from doing any of the following;
(1) Passing the information to unauthorized subjects or objects;
(2) Granting its privileges to other subjects;
(3) Changing one or more security attributes on subjects, objects, the information system, or information system components;
(4) Choosing the security attributes and attribute values to be associated with newly created or modified objects; or
(5) Changing the rules governing access control; and
(c) [Assignment: Organized-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints. |
| CCI-002157 |
The mandatory access control policy specifies that a subject that has been granted access to information is constrained from changing one or more security attributes on subjects, objects, the information system, or information system components. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce the mandatory access control policies defined in AC-3 (3), CCI 2153 which specifies that a subject that has been granted access to information is constrained from changing one or more security attributes on subjects, objects, the information system, or information system components.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2157. |
The organization being inspected/assessed configures the information system to enforce the mandatory access control policies defined in AC-3 (3), CCI 2153 which specifies that a subject that has been granted access to information is constrained from changing one or more security attributes on subjects, objects, the information system, or information system components.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2157. |
Access Enforcement | Mandatory Access Control |
AC-3 (3) |
AC-3(3).5 |
Mandatory access control as defined in this control enhancement is synonymous with nondiscretionary access control, and is not constrained only to certain historical uses (e.g., implementations using the Bell-LaPadula Model). The above class of mandatory access control policies constrains what actions subjects can take with information obtained from data objects for which they have already been granted access, thus preventing the subjects from passing the information to unauthorized subjects and objects. This class of mandatory access control policies also constrains what actions subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the information system has control. Otherwise, the access control policy can be circumvented. This enforcement typically is provided via an implementation that meets the reference monitor concept (see AC-25). The policy is bounded by the information system boundary (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect). The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-6). Trusted subjects are only given the minimum privileges relative to the above policy necessary for satisfying organizational mission/business needs. The control is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes a policy regarding access to sensitive/classified information and some users of the information system are not authorized access to all sensitive/classified information resident in the information system. This control can operate in conjunction with AC-3 (4). A subject that is constrained in its operation by policies governed by this control is still able to operate under the less rigorous constraints of AC-3 (4), but policies governed by this control take precedence over the less rigorous constraints of AC-3 (4). For example, while a mandatory access control policy imposes a constraint preventing a subject from passing information to another subject operating at a different sensitivity label, AC-3 (4) permits the subject to pass the information to any subject with the same sensitivity label as the subject. Related controls: AC-25, SC-11. |
The information system enforces [Assignment: organization-defined mandatory access control policies] over all subjects and objects where the policy specifies that:
(a) The policy is uniformly enforced across all subjects and objects within the boundary of the information system;
(b) A subject that has been granted access to information is constrained from doing any of the following;
(1) Passing the information to unauthorized subjects or objects;
(2) Granting its privileges to other subjects;
(3) Changing one or more security attributes on subjects, objects, the information system, or information system components;
(4) Choosing the security attributes and attribute values to be associated with newly created or modified objects; or
(5) Changing the rules governing access control; and
(c) [Assignment: Organized-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints. |
| CCI-002158 |
The mandatory access control policy specifies that a subject that has been granted access to information is constrained from choosing the security attributes to be associated with newly created or modified objects. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce the mandatory access control policies defined in AC-3 (3), CCI 2153 which specifies that a subject that has been granted access to information is constrained from choosing the security attributes to be associated with newly created or modified objects.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2158. |
The organization being inspected/assessed configures the information system to enforce the mandatory access control policies defined in AC-3 (3), CCI 2153 which specifies that a subject that has been granted access to information is constrained from choosing the security attributes to be associated with newly created or modified objects.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2158. |
Access Enforcement | Mandatory Access Control |
AC-3 (3) |
AC-3(3).6 |
Mandatory access control as defined in this control enhancement is synonymous with nondiscretionary access control, and is not constrained only to certain historical uses (e.g., implementations using the Bell-LaPadula Model). The above class of mandatory access control policies constrains what actions subjects can take with information obtained from data objects for which they have already been granted access, thus preventing the subjects from passing the information to unauthorized subjects and objects. This class of mandatory access control policies also constrains what actions subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the information system has control. Otherwise, the access control policy can be circumvented. This enforcement typically is provided via an implementation that meets the reference monitor concept (see AC-25). The policy is bounded by the information system boundary (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect). The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-6). Trusted subjects are only given the minimum privileges relative to the above policy necessary for satisfying organizational mission/business needs. The control is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes a policy regarding access to sensitive/classified information and some users of the information system are not authorized access to all sensitive/classified information resident in the information system. This control can operate in conjunction with AC-3 (4). A subject that is constrained in its operation by policies governed by this control is still able to operate under the less rigorous constraints of AC-3 (4), but policies governed by this control take precedence over the less rigorous constraints of AC-3 (4). For example, while a mandatory access control policy imposes a constraint preventing a subject from passing information to another subject operating at a different sensitivity label, AC-3 (4) permits the subject to pass the information to any subject with the same sensitivity label as the subject. Related controls: AC-25, SC-11. |
The information system enforces [Assignment: organization-defined mandatory access control policies] over all subjects and objects where the policy specifies that:
(a) The policy is uniformly enforced across all subjects and objects within the boundary of the information system;
(b) A subject that has been granted access to information is constrained from doing any of the following;
(1) Passing the information to unauthorized subjects or objects;
(2) Granting its privileges to other subjects;
(3) Changing one or more security attributes on subjects, objects, the information system, or information system components;
(4) Choosing the security attributes and attribute values to be associated with newly created or modified objects; or
(5) Changing the rules governing access control; and
(c) [Assignment: Organized-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints. |
| CCI-002159 |
The mandatory access control policy specifies that a subject that has been granted access to information is constrained from choosing the attribute values to be associated with newly created or modified objects. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce the mandatory access control policies defined in AC-3 (3), CCI 2153 which specifies that a subject that has been granted access to information is constrained from choosing the attribute values to be associated with newly created or modified objects.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2159. |
The organization being inspected/assessed configures the information system to enforce the mandatory access control policies defined in AC-3 (3), CCI 2153 which specifies that a subject that has been granted access to information is constrained from choosing the attribute values to be associated with newly created or modified objects.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2159. |
Access Enforcement | Mandatory Access Control |
AC-3 (3) |
AC-3(3).7 |
Mandatory access control as defined in this control enhancement is synonymous with nondiscretionary access control, and is not constrained only to certain historical uses (e.g., implementations using the Bell-LaPadula Model). The above class of mandatory access control policies constrains what actions subjects can take with information obtained from data objects for which they have already been granted access, thus preventing the subjects from passing the information to unauthorized subjects and objects. This class of mandatory access control policies also constrains what actions subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the information system has control. Otherwise, the access control policy can be circumvented. This enforcement typically is provided via an implementation that meets the reference monitor concept (see AC-25). The policy is bounded by the information system boundary (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect). The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-6). Trusted subjects are only given the minimum privileges relative to the above policy necessary for satisfying organizational mission/business needs. The control is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes a policy regarding access to sensitive/classified information and some users of the information system are not authorized access to all sensitive/classified information resident in the information system. This control can operate in conjunction with AC-3 (4). A subject that is constrained in its operation by policies governed by this control is still able to operate under the less rigorous constraints of AC-3 (4), but policies governed by this control take precedence over the less rigorous constraints of AC-3 (4). For example, while a mandatory access control policy imposes a constraint preventing a subject from passing information to another subject operating at a different sensitivity label, AC-3 (4) permits the subject to pass the information to any subject with the same sensitivity label as the subject. Related controls: AC-25, SC-11. |
The information system enforces [Assignment: organization-defined mandatory access control policies] over all subjects and objects where the policy specifies that:
(a) The policy is uniformly enforced across all subjects and objects within the boundary of the information system;
(b) A subject that has been granted access to information is constrained from doing any of the following;
(1) Passing the information to unauthorized subjects or objects;
(2) Granting its privileges to other subjects;
(3) Changing one or more security attributes on subjects, objects, the information system, or information system components;
(4) Choosing the security attributes and attribute values to be associated with newly created or modified objects; or
(5) Changing the rules governing access control; and
(c) [Assignment: Organized-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints. |
| CCI-002160 |
The mandatory access control policy specifies that a subject that has been granted access to information is constrained from changing the rules governing access control. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce the mandatory access control policies defined in AC-3 (3), CCI 2153 which specifies that a subject that has been granted access to information is constrained from changing the rules governing access control.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2160. |
The organization being inspected/assessed configures the information system to enforce the mandatory access control policies defined in AC-3 (3), CCI 2153 which specifies that a subject that has been granted access to information is constrained from changing the rules governing access control.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2160. |
Access Enforcement | Mandatory Access Control |
AC-3 (3) |
AC-3(3).8 |
Mandatory access control as defined in this control enhancement is synonymous with nondiscretionary access control, and is not constrained only to certain historical uses (e.g., implementations using the Bell-LaPadula Model). The above class of mandatory access control policies constrains what actions subjects can take with information obtained from data objects for which they have already been granted access, thus preventing the subjects from passing the information to unauthorized subjects and objects. This class of mandatory access control policies also constrains what actions subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the information system has control. Otherwise, the access control policy can be circumvented. This enforcement typically is provided via an implementation that meets the reference monitor concept (see AC-25). The policy is bounded by the information system boundary (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect). The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-6). Trusted subjects are only given the minimum privileges relative to the above policy necessary for satisfying organizational mission/business needs. The control is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes a policy regarding access to sensitive/classified information and some users of the information system are not authorized access to all sensitive/classified information resident in the information system. This control can operate in conjunction with AC-3 (4). A subject that is constrained in its operation by policies governed by this control is still able to operate under the less rigorous constraints of AC-3 (4), but policies governed by this control take precedence over the less rigorous constraints of AC-3 (4). For example, while a mandatory access control policy imposes a constraint preventing a subject from passing information to another subject operating at a different sensitivity label, AC-3 (4) permits the subject to pass the information to any subject with the same sensitivity label as the subject. Related controls: AC-25, SC-11. |
The information system enforces [Assignment: organization-defined mandatory access control policies] over all subjects and objects where the policy specifies that:
(a) The policy is uniformly enforced across all subjects and objects within the boundary of the information system;
(b) A subject that has been granted access to information is constrained from doing any of the following;
(1) Passing the information to unauthorized subjects or objects;
(2) Granting its privileges to other subjects;
(3) Changing one or more security attributes on subjects, objects, the information system, or information system components;
(4) Choosing the security attributes and attribute values to be associated with newly created or modified objects; or
(5) Changing the rules governing access control; and
(c) [Assignment: Organized-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints. |
| CCI-002161 |
The organization defines subjects which may explicitly be granted organization-defined privileges such that they are not limited by some or all of the mandatory access control constraints. |
The organization conducting the inspection/assessment obtains and examines the documented subjects to ensure they have been defined.
DoD has determined that the subjects are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents subjects which may explicitly be granted organization-defined privileges such that they are not limited by some or all of the mandatory access control constraints.
DoD has determined that the subjects are not appropriate to define at the Enterprise level. |
Access Enforcement | Mandatory Access Control |
AC-3 (3) |
AC-3(3).9 |
Mandatory access control as defined in this control enhancement is synonymous with nondiscretionary access control, and is not constrained only to certain historical uses (e.g., implementations using the Bell-LaPadula Model). The above class of mandatory access control policies constrains what actions subjects can take with information obtained from data objects for which they have already been granted access, thus preventing the subjects from passing the information to unauthorized subjects and objects. This class of mandatory access control policies also constrains what actions subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the information system has control. Otherwise, the access control policy can be circumvented. This enforcement typically is provided via an implementation that meets the reference monitor concept (see AC-25). The policy is bounded by the information system boundary (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect). The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-6). Trusted subjects are only given the minimum privileges relative to the above policy necessary for satisfying organizational mission/business needs. The control is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes a policy regarding access to sensitive/classified information and some users of the information system are not authorized access to all sensitive/classified information resident in the information system. This control can operate in conjunction with AC-3 (4). A subject that is constrained in its operation by policies governed by this control is still able to operate under the less rigorous constraints of AC-3 (4), but policies governed by this control take precedence over the less rigorous constraints of AC-3 (4). For example, while a mandatory access control policy imposes a constraint preventing a subject from passing information to another subject operating at a different sensitivity label, AC-3 (4) permits the subject to pass the information to any subject with the same sensitivity label as the subject. Related controls: AC-25, SC-11. |
The information system enforces [Assignment: organization-defined mandatory access control policies] over all subjects and objects where the policy specifies that:
(a) The policy is uniformly enforced across all subjects and objects within the boundary of the information system;
(b) A subject that has been granted access to information is constrained from doing any of the following;
(1) Passing the information to unauthorized subjects or objects;
(2) Granting its privileges to other subjects;
(3) Changing one or more security attributes on subjects, objects, the information system, or information system components;
(4) Choosing the security attributes and attribute values to be associated with newly created or modified objects; or
(5) Changing the rules governing access control; and
(c) [Assignment: Organized-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints. |
| CCI-002162 |
The organization defines the privileges that may explicitly be granted to organization-defined subjects such that they are not limited by some or all of the mandatory access control constraints. |
The organization conducting the inspection/assessment obtains and examines the documented privileges to ensure they have been defined.
DoD has determined the privileges are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the privileges that may explicitly be granted to organization-defined subjects such that they are not limited by some or all of the mandatory access control constraints.
DoD has determined the privileges are not appropriate to define at the Enterprise level. |
Access Enforcement | Mandatory Access Control |
AC-3 (3) |
AC-3(3).10 |
Mandatory access control as defined in this control enhancement is synonymous with nondiscretionary access control, and is not constrained only to certain historical uses (e.g., implementations using the Bell-LaPadula Model). The above class of mandatory access control policies constrains what actions subjects can take with information obtained from data objects for which they have already been granted access, thus preventing the subjects from passing the information to unauthorized subjects and objects. This class of mandatory access control policies also constrains what actions subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the information system has control. Otherwise, the access control policy can be circumvented. This enforcement typically is provided via an implementation that meets the reference monitor concept (see AC-25). The policy is bounded by the information system boundary (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect). The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-6). Trusted subjects are only given the minimum privileges relative to the above policy necessary for satisfying organizational mission/business needs. The control is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes a policy regarding access to sensitive/classified information and some users of the information system are not authorized access to all sensitive/classified information resident in the information system. This control can operate in conjunction with AC-3 (4). A subject that is constrained in its operation by policies governed by this control is still able to operate under the less rigorous constraints of AC-3 (4), but policies governed by this control take precedence over the less rigorous constraints of AC-3 (4). For example, while a mandatory access control policy imposes a constraint preventing a subject from passing information to another subject operating at a different sensitivity label, AC-3 (4) permits the subject to pass the information to any subject with the same sensitivity label as the subject. Related controls: AC-25, SC-11. |
The information system enforces [Assignment: organization-defined mandatory access control policies] over all subjects and objects where the policy specifies that:
(a) The policy is uniformly enforced across all subjects and objects within the boundary of the information system;
(b) A subject that has been granted access to information is constrained from doing any of the following;
(1) Passing the information to unauthorized subjects or objects;
(2) Granting its privileges to other subjects;
(3) Changing one or more security attributes on subjects, objects, the information system, or information system components;
(4) Choosing the security attributes and attribute values to be associated with newly created or modified objects; or
(5) Changing the rules governing access control; and
(c) [Assignment: Organized-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints. |
| CCI-002163 |
The organization defines the discretionary access control policies the information system is to enforce over subjects and objects. |
The organization conducting the inspection/assessment obtains and examines the documented access control policies to ensure they have been defined.
DoD has determined that the discretionary access control policies are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the discretionary access control policies the information system is to enforce over subjects and objects.
DoD has determined that the discretionary access control policies are not appropriate to define at the Enterprise level. |
Access Enforcement | Discretionary Access Control |
AC-3 (4) |
AC-3(4).1 |
When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. This control enhancement can operate in conjunction with AC-3 (3). A subject that is constrained in its operation by policies governed by AC-3 (3) is still able to operate under the less rigorous constraints of this control enhancement. Thus, while AC-3 (3) imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, AC-3 (4) permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside of the control of the information system, additional means may be required to ensure that the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. |
The information system enforces [Assignment: organization-defined discretionary access control policies] over defined subjects and objects where the policy specifies that a subject that has been granted access to information can do one or more of the following:
(a) Pass the information to any other subjects or objects;
(b) Grant its privileges to other subjects;
(c) Change security attributes on subjects, objects, the information system, or the information system's components;
(d) Choose the security attributes to be associated with newly created or revised objects; or
(e) Change the rules governing access control. |
| CCI-002164 |
The organization specifies in the discretionary access control policies that a subject that has been granted access to information can do one or more of the following: pass the information to any other subjects or objects; grant its privileges to other subjects; change security attributes on subjects, objects, the information system, or the information system^s components; choose the security attributes to be associated with newly created or revised objects; and/or change the rules governing access control. |
The organization conducting the inspection/assessment obtains and examines the documented discretionary access control policies to ensure the organization being inspected/assessed specifies that a subject which has been granted access to information can do one or more of the following: pass the information to any other subjects or objects; grant its privileges to other subjects; change security attributes on subjects, objects, the information system, or the information system's components; choose the security attributes to be associated with newly created or revised objects; and/or change the rules governing access control. |
The organization being inspected/assessed documents the discretionary access control policies that a subject which has been granted access to information can do one or more of the following: pass the information to any other subjects or objects; grant its privileges to other subjects; change security attributes on subjects, objects, the information system, or the information system's components; choose the security attributes to be associated with newly created or revised objects; and/or change the rules governing access control. |
Access Enforcement | Discretionary Access Control |
AC-3 (4) |
AC-3(4).2 |
When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. This control enhancement can operate in conjunction with AC-3 (3). A subject that is constrained in its operation by policies governed by AC-3 (3) is still able to operate under the less rigorous constraints of this control enhancement. Thus, while AC-3 (3) imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, AC-3 (4) permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside of the control of the information system, additional means may be required to ensure that the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. |
The information system enforces [Assignment: organization-defined discretionary access control policies] over defined subjects and objects where the policy specifies that a subject that has been granted access to information can do one or more of the following:
(a) Pass the information to any other subjects or objects;
(b) Grant its privileges to other subjects;
(c) Change security attributes on subjects, objects, the information system, or the information system's components;
(d) Choose the security attributes to be associated with newly created or revised objects; or
(e) Change the rules governing access control. |
| CCI-002165 |
The information system enforces organization-defined discretionary access control policies over defined subjects and objects. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce the discretionary access control policies defined in AC-3 (4), CCI 2163 over defined subjects and objects.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2165. |
The organization being inspected/assessed configures the information system to enforce the discretionary access control policies defined in AC-3 (4), CCI 2163 over defined subjects and objects.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2165. |
Access Enforcement | Discretionary Access Control |
AC-3 (4) |
AC-3(4).3 |
When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. This control enhancement can operate in conjunction with AC-3 (3). A subject that is constrained in its operation by policies governed by AC-3 (3) is still able to operate under the less rigorous constraints of this control enhancement. Thus, while AC-3 (3) imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, AC-3 (4) permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside of the control of the information system, additional means may be required to ensure that the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. |
The information system enforces [Assignment: organization-defined discretionary access control policies] over defined subjects and objects where the policy specifies that a subject that has been granted access to information can do one or more of the following:
(a) Pass the information to any other subjects or objects;
(b) Grant its privileges to other subjects;
(c) Change security attributes on subjects, objects, the information system, or the information system's components;
(d) Choose the security attributes to be associated with newly created or revised objects; or
(e) Change the rules governing access control. |
| CCI-002166 |
The organization defines the role-based access control policies the information system is to enforce over all subjects and objects. |
The organization conducting the inspection/assessment obtains and examines the documented role-based access control policies to ensure the organization being inspected/assessed defines the role-based access control policies the information system is to enforce over all subjects and objects. |
The organization being inspected/assessed defines and documents the role-based access control policies the information system is to enforce over all subjects and objects. |
Access Enforcement | Role-Based Access Control |
AC-3 (7) |
AC-3(7).1 |
Role-based access control (RBAC) is an access control policy that restricts information system access to authorized users. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organization-defined roles. When users are assigned to the organizational roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every user (which can be a significant number of individuals for mid- to large-size organizations) but are instead acquired through role assignments. RBAC can be implemented either as a mandatory or discretionary form of access control. For organizations implementing RBAC with mandatory access controls, the requirements in AC-3 (3) define the scope of the subjects and objects covered by the policy. |
The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon [Assignment: organization-defined roles and users authorized to assume such roles]. |
| CCI-002167 |
The organization defines the subjects over which the information system will enforce a role-based access control policy. |
The organization conducting the inspection/assessment obtains and examines the documented subjects to ensure the organization being inspected/assessed defines the subjects over which the information system will enforce a role-based access control policy. |
The organization being inspected/assessed defines and documents the subjects over which the information system will enforce a role-based access control policy. |
Access Enforcement | Role-Based Access Control |
AC-3 (7) |
AC-3(7).2 |
Role-based access control (RBAC) is an access control policy that restricts information system access to authorized users. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organization-defined roles. When users are assigned to the organizational roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every user (which can be a significant number of individuals for mid- to large-size organizations) but are instead acquired through role assignments. RBAC can be implemented either as a mandatory or discretionary form of access control. For organizations implementing RBAC with mandatory access controls, the requirements in AC-3 (3) define the scope of the subjects and objects covered by the policy. |
The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon [Assignment: organization-defined roles and users authorized to assume such roles]. |
| CCI-002168 |
The organization defines the objects over which the information system will enforce a role-based access control policy. |
The organization conducting the inspection/assessment obtains and examines the documented objects to ensure the organization being inspected/assessed defines the objects over which the information system will enforce a role-based access control policy. |
The organization being inspected/assessed defines and documents the objects over which the information system will enforce a role-based access control policy. |
Access Enforcement | Role-Based Access Control |
AC-3 (7) |
AC-3(7).3 |
Role-based access control (RBAC) is an access control policy that restricts information system access to authorized users. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organization-defined roles. When users are assigned to the organizational roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every user (which can be a significant number of individuals for mid- to large-size organizations) but are instead acquired through role assignments. RBAC can be implemented either as a mandatory or discretionary form of access control. For organizations implementing RBAC with mandatory access controls, the requirements in AC-3 (3) define the scope of the subjects and objects covered by the policy. |
The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon [Assignment: organization-defined roles and users authorized to assume such roles]. |
| CCI-002169 |
The information system enforces a role-based access control policy over defined subjects and objects. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce a roles-based access control policy over defined subjects and objects.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2169. |
The organization being inspected/assessed configures the information system to enforce a roles-based access control policy over defined subjects and objects.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2169. |
Access Enforcement | Role-Based Access Control |
AC-3 (7) |
AC-3(7).4 |
Role-based access control (RBAC) is an access control policy that restricts information system access to authorized users. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organization-defined roles. When users are assigned to the organizational roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every user (which can be a significant number of individuals for mid- to large-size organizations) but are instead acquired through role assignments. RBAC can be implemented either as a mandatory or discretionary form of access control. For organizations implementing RBAC with mandatory access controls, the requirements in AC-3 (3) define the scope of the subjects and objects covered by the policy. |
The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon [Assignment: organization-defined roles and users authorized to assume such roles]. |
| CCI-002170 |
The information system controls access based upon organization-defined roles and users authorized to assume such roles. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to control access based upon the roles and users defined in AC-3 (7), CCIs 2173 and 2174 authorized to assume such roles.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2170. |
The organization being inspected/assessed configures the information system to control access based upon the roles and users defined in AC-3 (7), CCIs 2173 and 2174 authorized to assume such roles.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2170. |
Access Enforcement | Role-Based Access Control |
AC-3 (7) |
AC-3(7).5 |
Role-based access control (RBAC) is an access control policy that restricts information system access to authorized users. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organization-defined roles. When users are assigned to the organizational roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every user (which can be a significant number of individuals for mid- to large-size organizations) but are instead acquired through role assignments. RBAC can be implemented either as a mandatory or discretionary form of access control. For organizations implementing RBAC with mandatory access controls, the requirements in AC-3 (3) define the scope of the subjects and objects covered by the policy. |
The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon [Assignment: organization-defined roles and users authorized to assume such roles]. |
| CCI-002171 |
The information system enforces a role-based access control policy over organization-defined subjects. |
|
|
|
|
|
|
|
| CCI-002172 |
The information system enforces a role-based access control policy over organization-defined objects. |
|
|
|
|
|
|
|
| CCI-002173 |
The organization defines the roles for which the information system will control access based upon the organization-defined role-based access control policy. |
The organization conducting the inspection/assessment obtains and examines the documented roles to ensure the organization being inspected/assessed defines the roles the information system will control access based upon the organization-defined role-based access control policy.
DoD has determined the roles are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the roles the information system will control access based upon the organization-defined role-based access control policy.
DoD has determined the roles are not appropriate to define at the Enterprise level. |
Access Enforcement | Role-Based Access Control |
AC-3 (7) |
AC-3(7).6 |
Role-based access control (RBAC) is an access control policy that restricts information system access to authorized users. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organization-defined roles. When users are assigned to the organizational roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every user (which can be a significant number of individuals for mid- to large-size organizations) but are instead acquired through role assignments. RBAC can be implemented either as a mandatory or discretionary form of access control. For organizations implementing RBAC with mandatory access controls, the requirements in AC-3 (3) define the scope of the subjects and objects covered by the policy. |
The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon [Assignment: organization-defined roles and users authorized to assume such roles]. |
| CCI-002174 |
The organization defines the users for which the information system will control access based upon the organization-defined role-based access control policy. |
The organization conducting the inspection/assessment obtains and examines the documented roles to ensure the organization being inspected/assessed defines the users the information system will control access based upon the organization-defined role-based access control policy.
DoD has determined the users are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the users the information system will control access based upon the organization-defined role-based access control policy.
DoD has determined the users are not appropriate to define at the Enterprise level. |
Access Enforcement | Role-Based Access Control |
AC-3 (7) |
AC-3(7).7 |
Role-based access control (RBAC) is an access control policy that restricts information system access to authorized users. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organization-defined roles. When users are assigned to the organizational roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every user (which can be a significant number of individuals for mid- to large-size organizations) but are instead acquired through role assignments. RBAC can be implemented either as a mandatory or discretionary form of access control. For organizations implementing RBAC with mandatory access controls, the requirements in AC-3 (3) define the scope of the subjects and objects covered by the policy. |
The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon [Assignment: organization-defined roles and users authorized to assume such roles]. |
| CCI-002175 |
The information system controls access based upon organization-defined roles authorized to assume such roles, employing the organization-defined role-based access control policy. |
|
|
|
|
|
|
|
| CCI-002176 |
The information system controls access based upon organization-defined users authorized to assume such roles, employing the organization-defined role-based access control policy. |
|
|
|
|
|
|
|
| CCI-002177 |
The organization defines the rules which will govern the timing of revocation of access authorizations. |
The organization conducting the inspection/assessment obtains and examines the documented rules to ensure the organization being inspected/assessed defines the rules which will govern the timing of revocation of access authorizations.
DoD has determined the rules are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the rules which will govern the timing of revocation of access authorizations.
DoD has determined the rules are not appropriate to define at the Enterprise level. |
Access Enforcement | Revocation Of Access Authorizations |
AC-3 (8) |
AC-3(8).1 |
Revocation of access rules may differ based on the types of access revoked. For example, if a subject (i.e., user or process) is removed from a group, access may not be revoked until the next time the object (e.g., file) is opened or until the next time the subject attempts a new access to the object. Revocation based on changes to security labels may take effect immediately. Organizations can provide alternative approaches on how to make revocations immediate if information systems cannot provide such capability and immediate revocation is necessary. |
The information system enforces the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations]. |
| CCI-002178 |
The information system enforces the revocation of access authorizations resulting from changes to the security attributes of subjects based on organization-defined rules governing the timing of revocations of access authorizations. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce the revocation of access authorizations resulting from changes to the security attributes of subjects based on the rules defined in AC-3 (8), CCI 2177 governing the timing of revocations of access authorizations.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2178. |
The organization being inspected/assessed configures the information system to enforce the revocation of access authorizations resulting from changes to the security attributes of subjects based on the rules defined in AC-3 (8), CCI 2177 governing the timing of revocations of access authorizations.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2178. |
Access Enforcement | Revocation Of Access Authorizations |
AC-3 (8) |
AC-3(8).2 |
Revocation of access rules may differ based on the types of access revoked. For example, if a subject (i.e., user or process) is removed from a group, access may not be revoked until the next time the object (e.g., file) is opened or until the next time the subject attempts a new access to the object. Revocation based on changes to security labels may take effect immediately. Organizations can provide alternative approaches on how to make revocations immediate if information systems cannot provide such capability and immediate revocation is necessary. |
The information system enforces the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations]. |
| CCI-002179 |
The information system enforces the revocation of access authorizations resulting from changes to the security attributes of objects based on organization-defined rules governing the timing of revocations of access authorizations. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce the revocation of access authorizations resulting from changes to the security attributes of objects based on the rules defined in AC-3 (8), CCI 2177 governing the timing of revocations of access authorizations.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2179. |
The organization being inspected/assessed configures the information system to enforce the revocation of access authorizations resulting from changes to the security attributes of objects based on the rules defined in AC-3 (8), CCI 2177 governing the timing of revocations of access authorizations.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2179. |
Access Enforcement | Revocation Of Access Authorizations |
AC-3 (8) |
AC-3(8).3 |
Revocation of access rules may differ based on the types of access revoked. For example, if a subject (i.e., user or process) is removed from a group, access may not be revoked until the next time the object (e.g., file) is opened or until the next time the subject attempts a new access to the object. Revocation based on changes to security labels may take effect immediately. Organizations can provide alternative approaches on how to make revocations immediate if information systems cannot provide such capability and immediate revocation is necessary. |
The information system enforces the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations]. |
| CCI-002180 |
The organization defines the security safeguards the organization-defined information system or system component is to provide to protect information released outside the established system boundary. |
The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure the organization being inspected/assessed defines the security safeguards the organization-defined information system or system component is to provide to protect information released outside the established system boundary.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security safeguards the organization-defined information system or system component is to provide to protect information released outside the established system boundary.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
Access Enforcement | Controlled Release |
AC-3 (9) |
AC-3(9).1 |
Information systems can only protect organizational information within the confines of established system boundaries. Additional security safeguards may be needed to ensure that such information is adequately protected once it is passed beyond the established information system boundaries. Examples of information leaving the system boundary include transmitting information to an external information system or printing the information on one of its printers. In cases where the information system is unable to make a determination of the adequacy of the protections provided by entities outside its boundary, as a mitigating control, organizations determine procedurally whether the external information systems are providing adequate security. The means used to determine the adequacy of the security provided by external information systems include, for example, conducting inspections or periodic testing, establishing agreements between the organization and its counterpart organizations, or some other process. The means used by external entities to protect the information received need not be the same as those used by the organization, but the means employed are sufficient to provide consistent adjudication of the security policy to protect the information. This control enhancement requires information systems to employ technical or procedural means to validate the information prior to releasing it to external systems. For example, if the information system passes information to another system controlled by another organization, technical means are employed to validate that the security attributes associated with the exported information are appropriate for the receiving system. Alternatively, if the information system passes information to a printer in organization-controlled space, procedural means can be employed to ensure that only appropriately authorized individuals gain access to the printer. This control enhancement is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes policy regarding access to the information, and that policy applies beyond the realm of a particular information system or organization. |
The information system does not release information outside of the established system boundary unless:
(a) The receiving [Assignment: organization-defined information system or system component] provides [Assignment: organization-defined security safeguards]; and
(b) [Assignment: organization-defined security safeguards] are used to validate the appropriateness of the information designated for release. |
| CCI-002181 |
The organization defines information systems or system components that are to provide organization-defined security safeguards to protect information received outside the established system boundary. |
The organization conducting the inspection/assessment obtains and examines the documented information systems or system components to ensure the organization being inspected/assessed defines the information systems or system components that are to provide organization-defined security safeguards to protect information received outside the established system boundary.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information systems or system components that are to provide organization-defined security safeguards to protect information received outside the established system boundary.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
Access Enforcement | Controlled Release |
AC-3 (9) |
AC-3(9).2 |
Information systems can only protect organizational information within the confines of established system boundaries. Additional security safeguards may be needed to ensure that such information is adequately protected once it is passed beyond the established information system boundaries. Examples of information leaving the system boundary include transmitting information to an external information system or printing the information on one of its printers. In cases where the information system is unable to make a determination of the adequacy of the protections provided by entities outside its boundary, as a mitigating control, organizations determine procedurally whether the external information systems are providing adequate security. The means used to determine the adequacy of the security provided by external information systems include, for example, conducting inspections or periodic testing, establishing agreements between the organization and its counterpart organizations, or some other process. The means used by external entities to protect the information received need not be the same as those used by the organization, but the means employed are sufficient to provide consistent adjudication of the security policy to protect the information. This control enhancement requires information systems to employ technical or procedural means to validate the information prior to releasing it to external systems. For example, if the information system passes information to another system controlled by another organization, technical means are employed to validate that the security attributes associated with the exported information are appropriate for the receiving system. Alternatively, if the information system passes information to a printer in organization-controlled space, procedural means can be employed to ensure that only appropriately authorized individuals gain access to the printer. This control enhancement is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes policy regarding access to the information, and that policy applies beyond the realm of a particular information system or organization. |
The information system does not release information outside of the established system boundary unless:
(a) The receiving [Assignment: organization-defined information system or system component] provides [Assignment: organization-defined security safeguards]; and
(b) [Assignment: organization-defined security safeguards] are used to validate the appropriateness of the information designated for release. |
| CCI-002182 |
The information system does not release information outside of the established system boundary unless the receiving organization-defined information system or system component provides organization-defined security safeguards. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to not release information outside of the established system boundary unless the receiving information system or system component defined in AC-3 (9), CCI 2181 provides security safeguards defined in AC-3 (9), CCI 2180.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2182. |
The organization being inspected/assessed configures the information system to not release information outside of the established system boundary unless the receiving information system or system component defined in AC-3 (9), CCI 2181 provides security safeguards defined in AC-3 (9), CCI 2180.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2182. |
Access Enforcement | Controlled Release |
AC-3 (9) |
AC-3(9).3 |
Information systems can only protect organizational information within the confines of established system boundaries. Additional security safeguards may be needed to ensure that such information is adequately protected once it is passed beyond the established information system boundaries. Examples of information leaving the system boundary include transmitting information to an external information system or printing the information on one of its printers. In cases where the information system is unable to make a determination of the adequacy of the protections provided by entities outside its boundary, as a mitigating control, organizations determine procedurally whether the external information systems are providing adequate security. The means used to determine the adequacy of the security provided by external information systems include, for example, conducting inspections or periodic testing, establishing agreements between the organization and its counterpart organizations, or some other process. The means used by external entities to protect the information received need not be the same as those used by the organization, but the means employed are sufficient to provide consistent adjudication of the security policy to protect the information. This control enhancement requires information systems to employ technical or procedural means to validate the information prior to releasing it to external systems. For example, if the information system passes information to another system controlled by another organization, technical means are employed to validate that the security attributes associated with the exported information are appropriate for the receiving system. Alternatively, if the information system passes information to a printer in organization-controlled space, procedural means can be employed to ensure that only appropriately authorized individuals gain access to the printer. This control enhancement is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes policy regarding access to the information, and that policy applies beyond the realm of a particular information system or organization. |
The information system does not release information outside of the established system boundary unless:
(a) The receiving [Assignment: organization-defined information system or system component] provides [Assignment: organization-defined security safeguards]; and
(b) [Assignment: organization-defined security safeguards] are used to validate the appropriateness of the information designated for release. |
| CCI-002183 |
The organization defines the security safeguards to be used to validate the appropriateness of the information designated for release. |
The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure the organization being inspected/assessed defines the security safeguards to be used to validate the appropriateness of the information designated for release.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security safeguards to be used to validate the appropriateness of the information designated for release.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
Access Enforcement | Controlled Release |
AC-3 (9) |
AC-3(9).4 |
Information systems can only protect organizational information within the confines of established system boundaries. Additional security safeguards may be needed to ensure that such information is adequately protected once it is passed beyond the established information system boundaries. Examples of information leaving the system boundary include transmitting information to an external information system or printing the information on one of its printers. In cases where the information system is unable to make a determination of the adequacy of the protections provided by entities outside its boundary, as a mitigating control, organizations determine procedurally whether the external information systems are providing adequate security. The means used to determine the adequacy of the security provided by external information systems include, for example, conducting inspections or periodic testing, establishing agreements between the organization and its counterpart organizations, or some other process. The means used by external entities to protect the information received need not be the same as those used by the organization, but the means employed are sufficient to provide consistent adjudication of the security policy to protect the information. This control enhancement requires information systems to employ technical or procedural means to validate the information prior to releasing it to external systems. For example, if the information system passes information to another system controlled by another organization, technical means are employed to validate that the security attributes associated with the exported information are appropriate for the receiving system. Alternatively, if the information system passes information to a printer in organization-controlled space, procedural means can be employed to ensure that only appropriately authorized individuals gain access to the printer. This control enhancement is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes policy regarding access to the information, and that policy applies beyond the realm of a particular information system or organization. |
The information system does not release information outside of the established system boundary unless:
(a) The receiving [Assignment: organization-defined information system or system component] provides [Assignment: organization-defined security safeguards]; and
(b) [Assignment: organization-defined security safeguards] are used to validate the appropriateness of the information designated for release. |
| CCI-002184 |
The information system does not release information outside of the established system boundary unless organization-defined security safeguards are used to validate the appropriateness of the information designated for release. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to not release information outside of the established system boundary unless security safeguards defined in AC-3 (9), CCI 2183 are used to validate the appropriateness of the information designated for release.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2184. |
The organization being inspected/assessed configures the information system to not release information outside of the established system boundary unless security safeguards defined in AC-3 (9), CCI 2183 are used to validate the appropriateness of the information designated for release.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2184. |
Access Enforcement | Controlled Release |
AC-3 (9) |
AC-3(9).5 |
Information systems can only protect organizational information within the confines of established system boundaries. Additional security safeguards may be needed to ensure that such information is adequately protected once it is passed beyond the established information system boundaries. Examples of information leaving the system boundary include transmitting information to an external information system or printing the information on one of its printers. In cases where the information system is unable to make a determination of the adequacy of the protections provided by entities outside its boundary, as a mitigating control, organizations determine procedurally whether the external information systems are providing adequate security. The means used to determine the adequacy of the security provided by external information systems include, for example, conducting inspections or periodic testing, establishing agreements between the organization and its counterpart organizations, or some other process. The means used by external entities to protect the information received need not be the same as those used by the organization, but the means employed are sufficient to provide consistent adjudication of the security policy to protect the information. This control enhancement requires information systems to employ technical or procedural means to validate the information prior to releasing it to external systems. For example, if the information system passes information to another system controlled by another organization, technical means are employed to validate that the security attributes associated with the exported information are appropriate for the receiving system. Alternatively, if the information system passes information to a printer in organization-controlled space, procedural means can be employed to ensure that only appropriately authorized individuals gain access to the printer. This control enhancement is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes policy regarding access to the information, and that policy applies beyond the realm of a particular information system or organization. |
The information system does not release information outside of the established system boundary unless:
(a) The receiving [Assignment: organization-defined information system or system component] provides [Assignment: organization-defined security safeguards]; and
(b) [Assignment: organization-defined security safeguards] are used to validate the appropriateness of the information designated for release. |
| CCI-002185 |
The organization defines the conditions on which it will employ an audited override of automated access control mechanisms. |
The organization conducting the inspection/assessment obtains and examines the documented conditions to ensure the organization being inspected/assessed defines the conditions in which it will employ an audited override of automated access control mechanisms.
DoD has determined the conditions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the conditions in which it will employ an audited override of automated access control mechanisms.
DoD has determined the conditions are not appropriate to define at the Enterprise level. |
Access Enforcement | Audited Override Of Access Control Mechanisms |
AC-3 (10) |
AC-3(10).1 |
Related controls: AU-2, AU-6. |
The organization employs an audited override of automated access control mechanisms under [Assignment: organization-defined conditions]. |
| CCI-002186 |
The organization employs an audited override of automated access control mechanisms under organization-defined conditions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to employ an audited override of automated access control mechanisms under conditions defined in AC-3 (10), CCI 2185.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2186. |
The organization being inspected/assessed configures the information system to employ an audited override of automated access control mechanisms under conditions defined in AC-3 (10), CCI 2185.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2186. |
Access Enforcement | Audited Override Of Access Control Mechanisms |
AC-3 (10) |
AC-3(10).2 |
Related controls: AU-2, AU-6. |
The organization employs an audited override of automated access control mechanisms under [Assignment: organization-defined conditions]. |
| CCI-003014 |
The information system enforces organization-defined mandatory access control policies over all subjects and objects. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce mandatory access control policies defined in AC-3 (3), CCI 2153 over all subjects and objects.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 3014. |
The organization being inspected/assessed configures the information system to enforce mandatory access control policies defined in AC-3 (3), CCI 2153 over all subjects and objects.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 3014. |
Access Enforcement | Mandatory Access Control |
AC-3 (3) |
AC-3(3).11 |
Mandatory access control as defined in this control enhancement is synonymous with nondiscretionary access control, and is not constrained only to certain historical uses (e.g., implementations using the Bell-LaPadula Model). The above class of mandatory access control policies constrains what actions subjects can take with information obtained from data objects for which they have already been granted access, thus preventing the subjects from passing the information to unauthorized subjects and objects. This class of mandatory access control policies also constrains what actions subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the information system has control. Otherwise, the access control policy can be circumvented. This enforcement typically is provided via an implementation that meets the reference monitor concept (see AC-25). The policy is bounded by the information system boundary (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect). The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-6). Trusted subjects are only given the minimum privileges relative to the above policy necessary for satisfying organizational mission/business needs. The control is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes a policy regarding access to sensitive/classified information and some users of the information system are not authorized access to all sensitive/classified information resident in the information system. This control can operate in conjunction with AC-3 (4). A subject that is constrained in its operation by policies governed by this control is still able to operate under the less rigorous constraints of AC-3 (4), but policies governed by this control take precedence over the less rigorous constraints of AC-3 (4). For example, while a mandatory access control policy imposes a constraint preventing a subject from passing information to another subject operating at a different sensitivity label, AC-3 (4) permits the subject to pass the information to any subject with the same sensitivity label as the subject. Related controls: AC-25, SC-11. |
The information system enforces [Assignment: organization-defined mandatory access control policies] over all subjects and objects where the policy specifies that:
(a) The policy is uniformly enforced across all subjects and objects within the boundary of the information system;
(b) A subject that has been granted access to information is constrained from doing any of the following;
(1) Passing the information to unauthorized subjects or objects;
(2) Granting its privileges to other subjects;
(3) Changing one or more security attributes on subjects, objects, the information system, or information system components;
(4) Choosing the security attributes and attribute values to be associated with newly created or modified objects; or
(5) Changing the rules governing access control; and
(c) [Assignment: Organized-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints. |
| CCI-003015 |
The mandatory access control policy specifies that organization-defined subjects may explicitly be granted organization-defined privileges such that they are not limited by some or all of the mandatory access control constraints. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to explicitly grant privileges defined in AC-3 (3), CCI 2162 such that they are not limited by some or all of the mandatory access control constraints.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 3015. |
The organization being inspected/assessed configures the information system to explicitly grant privileges defined in AC-3 (3), CCI 2162 such that they are not limited by some or all of the mandatory access control constraints.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 3015. |
Access Enforcement | Mandatory Access Control |
AC-3 (3) |
AC-3(3).12 |
Mandatory access control as defined in this control enhancement is synonymous with nondiscretionary access control, and is not constrained only to certain historical uses (e.g., implementations using the Bell-LaPadula Model). The above class of mandatory access control policies constrains what actions subjects can take with information obtained from data objects for which they have already been granted access, thus preventing the subjects from passing the information to unauthorized subjects and objects. This class of mandatory access control policies also constrains what actions subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the information system has control. Otherwise, the access control policy can be circumvented. This enforcement typically is provided via an implementation that meets the reference monitor concept (see AC-25). The policy is bounded by the information system boundary (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect). The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-6). Trusted subjects are only given the minimum privileges relative to the above policy necessary for satisfying organizational mission/business needs. The control is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes a policy regarding access to sensitive/classified information and some users of the information system are not authorized access to all sensitive/classified information resident in the information system. This control can operate in conjunction with AC-3 (4). A subject that is constrained in its operation by policies governed by this control is still able to operate under the less rigorous constraints of AC-3 (4), but policies governed by this control take precedence over the less rigorous constraints of AC-3 (4). For example, while a mandatory access control policy imposes a constraint preventing a subject from passing information to another subject operating at a different sensitivity label, AC-3 (4) permits the subject to pass the information to any subject with the same sensitivity label as the subject. Related controls: AC-25, SC-11. |
The information system enforces [Assignment: organization-defined mandatory access control policies] over all subjects and objects where the policy specifies that:
(a) The policy is uniformly enforced across all subjects and objects within the boundary of the information system;
(b) A subject that has been granted access to information is constrained from doing any of the following;
(1) Passing the information to unauthorized subjects or objects;
(2) Granting its privileges to other subjects;
(3) Changing one or more security attributes on subjects, objects, the information system, or information system components;
(4) Choosing the security attributes and attribute values to be associated with newly created or modified objects; or
(5) Changing the rules governing access control; and
(c) [Assignment: Organized-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints. |
| CCI-002187 |
The organization defines the security attributes to be used to enforce organization-defined information flow control policies. |
The organization conducting the inspection/assessment obtains and examines the documented security attributes to ensure the organization being inspected/assessed defines the security attributes to be used to enforce organization-defined information flow control policies.
DoD has determined the security attributes are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security attributes to be used to enforce organization-defined information flow control policies.
DoD has determined the security attributes are not appropriate to define at the Enterprise level. |
Information Flow Enforcement | Object Security Attributes |
AC-4 (1) |
AC-4(1).1 |
Information flow enforcement mechanisms compare security attributes associated with information (data content and data structure) and source/destination objects, and respond appropriately (e.g., block, quarantine, alert administrator) when the mechanisms encounter information flows not explicitly allowed by information flow policies. For example, an information object labeled Secret would be allowed to flow to a destination object labeled Secret, but an information object labeled Top Secret would not be allowed to flow to a destination object labeled Secret. Security attributes can also include, for example, source and destination addresses employed in traffic filter firewalls. Flow enforcement using explicit security attributes can be used, for example, to control the release of certain types of information. Related control: AC-16. |
The information system uses [Assignment: organization-defined security attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.
|
| CCI-002188 |
The organization defines the information, source, and destination objects with which the organization-defined security attributes are to be associated. |
The organization conducting the inspection/assessment obtains and examines the documented information, source, and destination objects to ensure the organization being inspected/assessed defines the information, source and destination objects with which the organization-defined security attributes are to be associated.
DoD has determined the information, source and destination objects are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information, source and destination objects with which the organization-defined security attributes are to be associated.
DoD has determined the information, source and destination objects are not appropriate to define at the Enterprise level. |
Information Flow Enforcement | Object Security Attributes |
AC-4 (1) |
AC-4(1).2 |
Information flow enforcement mechanisms compare security attributes associated with information (data content and data structure) and source/destination objects, and respond appropriately (e.g., block, quarantine, alert administrator) when the mechanisms encounter information flows not explicitly allowed by information flow policies. For example, an information object labeled Secret would be allowed to flow to a destination object labeled Secret, but an information object labeled Top Secret would not be allowed to flow to a destination object labeled Secret. Security attributes can also include, for example, source and destination addresses employed in traffic filter firewalls. Flow enforcement using explicit security attributes can be used, for example, to control the release of certain types of information. Related control: AC-16. |
The information system uses [Assignment: organization-defined security attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.
|
| CCI-002189 |
The organization defines the information flow control policies to be enforced for flow control decisions. |
The organization conducting the inspection/assessment obtains and examines the documented information flow control policies to ensure the organization being inspected/assessed defines the information flow control policies to be enforced for flow control decisions.
DoD has determined the information flow control policies are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information flow control policies to be enforced for flow control decisions.
DoD has determined the information flow control policies are not appropriate to define at the Enterprise level. |
Information Flow Enforcement | Object Security Attributes |
AC-4 (1) |
AC-4(1).3 |
Information flow enforcement mechanisms compare security attributes associated with information (data content and data structure) and source/destination objects, and respond appropriately (e.g., block, quarantine, alert administrator) when the mechanisms encounter information flows not explicitly allowed by information flow policies. For example, an information object labeled Secret would be allowed to flow to a destination object labeled Secret, but an information object labeled Top Secret would not be allowed to flow to a destination object labeled Secret. Security attributes can also include, for example, source and destination addresses employed in traffic filter firewalls. Flow enforcement using explicit security attributes can be used, for example, to control the release of certain types of information. Related control: AC-16. |
The information system uses [Assignment: organization-defined security attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.
|
| CCI-002190 |
The information system uses organization-defined security attributes associated with organization-defined information, source, and destination objects to enforce organization-defined information flow control policies as a basis for flow control decisions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to use the security attributes defined in AC-4 (1), CCI 287 associated with the information, source, and destination objects defined in AC-4 (1), CCI 2188 to enforce information flow control policies defined in AC-4 (1), CCI 2189 as a basis for flow control decisions.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2190. |
The organization being inspected/assessed configures the information system to use the security attributes defined in AC-4 (1), CCI 287 associated with the information, source, and destination objects defined in AC-4 (1), CCI 2188 to enforce information flow control policies defined in AC-4 (1), CCI 2189 as a basis for flow control decisions.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2190. |
Information Flow Enforcement | Object Security Attributes |
AC-4 (1) |
AC-4(1).4 |
Information flow enforcement mechanisms compare security attributes associated with information (data content and data structure) and source/destination objects, and respond appropriately (e.g., block, quarantine, alert administrator) when the mechanisms encounter information flows not explicitly allowed by information flow policies. For example, an information object labeled Secret would be allowed to flow to a destination object labeled Secret, but an information object labeled Top Secret would not be allowed to flow to a destination object labeled Secret. Security attributes can also include, for example, source and destination addresses employed in traffic filter firewalls. Flow enforcement using explicit security attributes can be used, for example, to control the release of certain types of information. Related control: AC-16. |
The information system uses [Assignment: organization-defined security attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.
|
| CCI-002191 |
The organization defines the information flow control policies to be enforced by the information system using protected processing domains. |
The organization conducting the inspection/assessment obtains and examines the information flow control policies to ensure the organization being inspected/assessed defines the information flow control policies to be enforced by the information system using protected processing domains.
DoD has determined the information flow control policies are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information flow control policies to be enforced by the information system using protected processing domains.
DoD has determined the information flow control policies are not appropriate to define at the Enterprise level. |
Information Flow Enforcement | Processing Domains |
AC-4 (2) |
AC-4(2).2 |
Within information systems, protected processing domains are processing spaces that have controlled interactions with other processing spaces, thus enabling control of information flows between these spaces and to/from data/information objects. A protected processing domain can be provided, for example, by implementing domain and type enforcement. In domain and type enforcement, information system processes are assigned to domains; information is identified by types; and information flows are controlled based on allowed information accesses (determined by domain and type), allowed signaling among domains, and allowed process transitions to other domains. |
The information system uses protected processing domains to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.
|
| CCI-002192 |
The organization defines the policies the information system is to enforce to achieve dynamic information flow control. |
The organization conducting the inspection/assessment obtains and examines the documented policies to ensure the organization being inspected/assessed defines the policies the information system is to enforce to achieve dynamic information flow control.
DoD has determined the policies are not appropriate to define at the Enterprise level |
The organization being inspected/assessed defines and documents the policies the information system is to enforce to achieve dynamic information flow control.
The policies shall address dynamic reconfiguration of data flow based upon predefined rules.
DoD has determined the policies are not appropriate to define at the Enterprise level. |
Information Flow Enforcement | Dynamic Information Flow Control |
AC-4 (3) |
AC-4(3).2 |
Organizational policies regarding dynamic information flow control include, for example, allowing or disallowing information flows based on changing conditions or mission/operational considerations. Changing conditions include, for example, changes in organizational risk tolerance due to changes in the immediacy of mission/business needs, changes in the threat environment, and detection of potentially harmful or adverse events. Related control: SI-4. |
The information system enforces dynamic information flow control based on [Assignment: organization-defined policies]. |
| CCI-002193 |
The organization defines procedures or methods to be employed by the information system to prevent encrypted information from bypassing content-checking mechanisms, such as decrypting the information, blocking the flow of the encrypted information, and/or terminating communications sessions attempting to pass encrypted information. |
The organization conducting the inspection/assessment obtains and examines the documented mechanism to ensure the organization being inspected/assessed selects or defines the mechanism to prevent encrypted information from bypassing content-checking mechanisms.
DoD has determined the procedures or methods are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed selects or defines, and documents the mechanism to prevent encrypted information from bypassing content-checking mechanisms, such as decrypting the information, blocking the flow of the encrypted information, and/or terminating communications sessions attempting to pass encrypted information. Alternatively, the organization may define their own procedure or method.
DoD has determined the procedures or methods are not appropriate to define at the Enterprise level. |
Information Flow Enforcement | Content Check Encrypted Information |
AC-4 (4) |
AC-4(4).2 |
Related control: SI-4. |
The information system prevents encrypted information from bypassing content-checking mechanisms by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method]]. |
| CCI-002194 |
The organization defines the metadata the information system uses to enforce information flow control. |
The organization conducting the inspection/assessment obtains and examines the documented metadata to ensure the organization being inspected/assessed defines the metadata the information system uses to enforce information flow control.
DoD has determined the metadata is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the metadata the information system uses to enforce information flow control.
DoD has determined the metadata is not appropriate to define at the Enterprise level. |
Information Flow Enforcement | Metadata |
AC-4 (6) |
AC-4(6).2 |
Metadata is information used to describe the characteristics of data. Metadata can include structural metadata describing data structures (e.g., data format, syntax, and semantics) or descriptive metadata describing data contents (e.g., age, location, telephone number). Enforcing allowed information flows based on metadata enables simpler and more effective flow control. Organizations consider the trustworthiness of metadata with regard to data accuracy (i.e., knowledge that the metadata values are correct with respect to the data), data integrity (i.e., protecting against unauthorized changes to metadata tags), and the binding of metadata to the data payload (i.e., ensuring sufficiently strong binding techniques with appropriate levels of assurance). Related controls: AC-16, SI-7. |
The information system enforces information flow control based on [Assignment: organization-defined metadata].
|
| CCI-002195 |
The organization defines the information flows against which the organization-defined security policy filters are to be enforced. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the information flows as all information flows. |
DoD has defined the information flows as all information flows. |
Information Flow Enforcement | Security Policy Filters |
AC-4 (8) |
AC-4(8).3 |
Organization-defined security policy filters can address data structures and content. For example, security policy filters for data structures can check for maximum file lengths, maximum field sizes, and data/file types (for structured and unstructured data). Security policy filters for data content can check for specific words (e.g., dirty/clean word filters), enumerated values or data value ranges, and hidden content. Structured data permits the interpretation of data content by applications. Unstructured data typically refers to digital information without a particular data structure or with a data structure that does not facilitate the development of rule sets to address the particular sensitivity of the information conveyed by the data or the associated flow enforcement decisions. Unstructured data consists of: (i) bitmap objects that are inherently non language-based (i.e., image, video, or audio files); and (ii) textual objects that are based on written or printed languages (e.g., commercial off-the-shelf word processing documents, spreadsheets, or emails). Organizations can implement more than one security policy filter to meet information flow control objectives (e.g., employing clean word lists in conjunction with dirty word lists may help to reduce false positives). |
The information system enforces information flow control using [Assignment: organization-defined security policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows]. |
| CCI-002196 |
The organization defines the information flows for which the information system will enforce the use of human reviews under organization-defined conditions. |
The organization conducting the inspection/assessment obtains and examines the documented information flows to ensure the organization being inspected/assessed defines the information flows for which the information system will enforce the use of human reviews under organization-defined conditions.
DoD has determined the information flows are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information flows for which the information system will enforce the use of human reviews under organization-defined conditions.
DoD has determined the information flows are not appropriate to define at the Enterprise level |
Information Flow Enforcement | Human Reviews |
AC-4 (9) |
AC-4(9).1 |
Organizations define security policy filters for all situations where automated flow control decisions are possible. When a fully automated flow control decision is not possible, then a human review may be employed in lieu of, or as a complement to, automated security policy filtering. Human reviews may also be employed as deemed necessary by organizations. |
The information system enforces the use of human reviews for [Assignment: organization-defined information flows] under the following conditions: [Assignment: organization-defined conditions]. |
| CCI-002197 |
The organization defines the conditions which will require the use of human reviews of organization-defined information flows. |
The organization conducting the inspection/assessment obtains and examines the documented conditions to ensure the organization being inspected/assessed defines the conditions which will require the use of human reviews of organization-defined information flows.
DoD has determined the conditions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the conditions which will require the use of human reviews of organization-defined information flows.
DoD has determined the conditions are not appropriate to define at the Enterprise level. |
Information Flow Enforcement | Human Reviews |
AC-4 (9) |
AC-4(9).2 |
Organizations define security policy filters for all situations where automated flow control decisions are possible. When a fully automated flow control decision is not possible, then a human review may be employed in lieu of, or as a complement to, automated security policy filtering. Human reviews may also be employed as deemed necessary by organizations. |
The information system enforces the use of human reviews for [Assignment: organization-defined information flows] under the following conditions: [Assignment: organization-defined conditions]. |
| CCI-002198 |
The information system enforces the use of human reviews for organization-defined information flows under organization-defined conditions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce the use of human reviews for information flows defined in AC-4 (9), CCI 2196 under conditions defined in AC-4 (9), CCI 2197.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2198. |
The organization being inspected/assessed configures the information system to enforce the use of human reviews for information flows defined in AC-4 (9), CCI 2196 under conditions defined in AC-4 (9), CCI 2197.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2198. |
Information Flow Enforcement | Human Reviews |
AC-4 (9) |
AC-4(9).3 |
Organizations define security policy filters for all situations where automated flow control decisions are possible. When a fully automated flow control decision is not possible, then a human review may be employed in lieu of, or as a complement to, automated security policy filtering. Human reviews may also be employed as deemed necessary by organizations. |
The information system enforces the use of human reviews for [Assignment: organization-defined information flows] under the following conditions: [Assignment: organization-defined conditions]. |
| CCI-002199 |
The organization defines the conditions under which the information system provides the capability for privileged administrators to enable/disable organization-defined security policy filters. |
The organization conducting the inspection/assessment obtains and examines the documented conditions to ensure the organization being inspected/assessed defines the conditions under which the information system provides the capability for privileged administrators to enable/disable organization-defined security policy filters.
DoD has determined the conditions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the conditions under which the information system provides the capability for privileged administrators to enable/disable organization-defined security policy filters.
DoD has determined the conditions are not appropriate to define at the Enterprise level. |
Information Flow Enforcement | Enable/Disable Security Policy Filters |
AC-4 (10) |
AC-4(10).3 |
For example, as allowed by the information system authorization, administrators can enable security policy filters to accommodate approved data types. |
The information system provides the capability for privileged administrators to enable/disable [Assignment: organization-defined security policy filters] under the following conditions: [Assignment: organization-defined conditions]. |
| CCI-002200 |
The organization defines the data type identifiers to be used to validate data being transferred between different security domains. |
The organization conducting the inspection/assessment obtains and examines the documented data type identifiers to ensure the organization being inspected/assessed defines the data type identifiers to be used to validate data being transferred between different security domains.
DoD has determined the data type identifiers are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the data type identifiers to be used to validate data being transferred between different security domains.
DoD has determined the data type identifiers are not appropriate to define at the Enterprise level. |
Information Flow Enforcement | Data Type Identifiers |
AC-4 (12) |
AC-4(12).1 |
Data type identifiers include, for example, filenames, file types, file signatures/tokens, and multiple internal file signatures/tokens. Information systems may allow transfer of data only if compliant with data type format specifications. |
The information system, when transferring information between different security domains, uses [Assignment: organization-defined data type identifiers] to validate data essential for information flow decisions. |
| CCI-002201 |
The information system, when transferring information between different security domains, uses organization-defined data type identifiers to validate data essential for information flow decisions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to use data type identifiers defined in AC-4 (12), CCI 2200 to validate data essential for information flow decisions when transferring information between different security domains.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2201. |
The organization being inspected/assessed configures the information system to use data type identifiers defined in AC-4 (12), CCI 2200 to validate data essential for information flow decisions when transferring information between different security domains.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2201. |
Information Flow Enforcement | Data Type Identifiers |
AC-4 (12) |
AC-4(12).2 |
Data type identifiers include, for example, filenames, file types, file signatures/tokens, and multiple internal file signatures/tokens. Information systems may allow transfer of data only if compliant with data type format specifications. |
The information system, when transferring information between different security domains, uses [Assignment: organization-defined data type identifiers] to validate data essential for information flow decisions. |
| CCI-002202 |
The organization defines the policy-relevant subcomponents into which information being transferred between different security domains is to be decomposed for submission to policy enforcement mechanisms. |
The organization conducting the inspection/assessment obtains and examines the documented policy-relevant subcomponents to ensure the organization being inspected/assessed defines the policy relevant subcomponents into which information being transferred between different security domains is to be decomposed into for submission to policy enforcement mechanisms.
DoD has determined the policy-relevant subcomponents are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the policy relevant subcomponents into which information being transferred between different security domains is to be decomposed into for submission to policy enforcement mechanisms.
DoD has determined the policy-relevant subcomponents are not appropriate to define at the Enterprise level. |
Information Flow Enforcement | Decomposition Into Policy-Relevant Subcomponents |
AC-4 (13) |
AC-4(13).2 |
Policy enforcement mechanisms apply filtering, inspection, and/or sanitization rules to the policy-relevant subcomponents of information to facilitate flow enforcement prior to transferring such information to different security domains. Parsing transfer files facilitates policy decisions on source, destination, certificates, classification, attachments, and other security-related component differentiators. |
The information system, when transferring information between different security domains, decomposes information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms. |
| CCI-002203 |
The organization defines the unsanctioned information the information system is to examine when transferring information between different security domains. |
The organization conducting the inspection/assessment obtains and examines the documented unsanctioned information to ensure the organization being inspected/assessed defines the unsanctioned information for which the information system is to examine when transferring information between different security domains.
DoD has determined the unsanctioned information is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the unsanctioned information for which the information system is to examine when transferring information between different security domains.
DoD has determined the unsanctioned information is not appropriate to define at the Enterprise level. |
Information Flow Enforcement | Detection Of Unsanctioned Information |
AC-4 (15) |
AC-4(15).3 |
Detection of unsanctioned information includes, for example, checking all information to be transferred for malicious code and dirty words. Related control: SI-3. |
The information system, when transferring information between different security domains, examines the information for the presence of [Assignment: organized-defined unsanctioned information] and prohibits the transfer of such information in accordance with the [Assignment: organization-defined security policy]. |
| CCI-002204 |
The organization defines a security policy which prohibits the transfer of unsanctioned information between different security domains. |
The organization conducting the inspection/assessment obtains and examines the documented security policy to ensure the organization being inspected/assessed defines security policy which prohibits the transfer of unsanctioned information between different security domains.
DoD has determined the security policy is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents security policy which prohibits the transfer of unsanctioned information between different security domains.
DoD has determined the security policy is not appropriate to define at the Enterprise level. |
Information Flow Enforcement | Detection Of Unsanctioned Information |
AC-4 (15) |
AC-4(15).4 |
Detection of unsanctioned information includes, for example, checking all information to be transferred for malicious code and dirty words. Related control: SI-3. |
The information system, when transferring information between different security domains, examines the information for the presence of [Assignment: organized-defined unsanctioned information] and prohibits the transfer of such information in accordance with the [Assignment: organization-defined security policy]. |
| CCI-002205 |
The information system uniquely identifies and authenticates source by organization, system, application, and/or individual for information transfer. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to uniquely identify and authenticate source by organization, system, application, and/or individual for information transfer.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2205. |
The organization being inspected/assessed configures the information system to uniquely identify and authenticate source by organization, system, application, and/or individual for information transfer.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2205. |
Information Flow Enforcement | Domain Authentication |
AC-4 (17) |
AC-4(17).1 |
Attribution is a critical component of a security concept of operations. The ability to identify source and destination points for information flowing in information systems, allows the forensic reconstruction of events when required, and encourages policy compliance by attributing policy violations to specific organizations/individuals. Successful domain authentication requires that information system labels distinguish among systems, organizations, and individuals involved in preparing, sending, receiving, or disseminating information. Related controls: IA-2, IA-3, IA-4, IA-5. |
The information system uniquely identifies and authenticates source and destination points by [Selection (one or more): organization, system, application, individual] for information transfer. |
| CCI-002206 |
The information system uniquely authenticates source by organization, system, application, and/or individual for information transfer. |
|
|
|
|
|
|
|
| CCI-002207 |
The information system uniquely identifies and authenticates destination by organization, system, application, and/or individual for information transfer. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to uniquely identify and authenticate destination by organization, system, application, and/or individual for information transfer.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2207. |
The organization being inspected/assessed configures the information system to uniquely and authenticate identify destination by organization, system, application, and/or individual for information transfer.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2207. |
Information Flow Enforcement | Domain Authentication |
AC-4 (17) |
AC-4(17).2 |
Attribution is a critical component of a security concept of operations. The ability to identify source and destination points for information flowing in information systems, allows the forensic reconstruction of events when required, and encourages policy compliance by attributing policy violations to specific organizations/individuals. Successful domain authentication requires that information system labels distinguish among systems, organizations, and individuals involved in preparing, sending, receiving, or disseminating information. Related controls: IA-2, IA-3, IA-4, IA-5. |
The information system uniquely identifies and authenticates source and destination points by [Selection (one or more): organization, system, application, individual] for information transfer. |
| CCI-002208 |
The information system uniquely authenticates destination by organization, system, application, and/or individual for information transfer. |
|
|
|
|
|
|
|
| CCI-002209 |
The organization defines the techniques to be used to bind security attributes to information. |
The organization conducting the inspection/assessment obtains and examines the documented techniques to ensure the organization being inspected/assessed defines the techniques to be used to bind security attributes to information.
DoD has determined the techniques are not appropriate to define at the Enterprise level |
The organization being inspected/assessed defines and documents the techniques to be used to bind security attributes to information.
DoD has determined the techniques are not appropriate to define at the Enterprise level. |
Information Flow Enforcement | Security Attribute Binding |
AC-4 (18) |
AC-4(18).1 |
Binding techniques implemented by information systems affect the strength of security attribute binding to information. Binding strength and the assurance associated with binding techniques play an important part in the trust organizations have in the information flow enforcement process. The binding techniques affect the number and degree of additional reviews required by organizations. Related controls: AC-16, SC-16. |
The information system binds security attributes to information using [Assignment: organization-defined binding techniques] to facilitate information flow policy enforcement. |
| CCI-002210 |
The information system binds security attributes to information using organization-defined binding techniques to facilitate information flow policy enforcement. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to bind security attributes to information using binding techniques defined in AC-4 (18), CCI 2209 to facilitate information flow policy enforcement.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2210. |
The organization being inspected/assessed configures the information system to bind security attributes to information using binding techniques defined in AC-4 (18), CCI 2209 to facilitate information flow policy enforcement.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2210. |
Information Flow Enforcement | Security Attribute Binding |
AC-4 (18) |
AC-4(18).2 |
Binding techniques implemented by information systems affect the strength of security attribute binding to information. Binding strength and the assurance associated with binding techniques play an important part in the trust organizations have in the information flow enforcement process. The binding techniques affect the number and degree of additional reviews required by organizations. Related controls: AC-16, SC-16. |
The information system binds security attributes to information using [Assignment: organization-defined binding techniques] to facilitate information flow policy enforcement. |
| CCI-002211 |
The information system, when transferring information between different security domains, applies the same security policy filtering to metadata as it applies to data payloads. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to apply the same security policy filtering to metadata as it applies to data payloads when transferring information between different security domains.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2211. |
The organization being inspected/assessed configures the information system to apply the same security policy filtering to metadata as it applies to data payloads when transferring information between different security domains.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2211. |
Information Flow Enforcement | Validation Of Metadata |
AC-4 (19) |
AC-4(19).1 |
This control enhancement requires the validation of metadata and the data to which the metadata applies. Some organizations distinguish between metadata and data payloads (i.e., only the data to which the metadata is bound). Other organizations do not make such distinctions, considering metadata and the data to which the metadata applies as part of the payload. All information (including metadata and the data to which the metadata applies) is subject to filtering and inspection. |
The information system, when transferring information between different security domains, applies the same security policy filtering to metadata as it applies to data payloads. |
| CCI-002212 |
The organization defines the solutions in approved configurations to be employed to control the flow of organization-defined information across security domains. |
The organization conducting the inspection/assessment obtains and examines the documented solutions to ensure the organization being inspected/assessed defines the solutions in approved configurations to be employed to control the flow of information defined in AC-4 (20), CCI 2213 across security domains.
DoD has determined the solutions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the solutions in approved configurations to be employed to control the flow of information defined in AC-4 (20), CCI 2213 across security domains.
DoD has determined the solutions are not appropriate to define at the Enterprise level. |
Information Flow Enforcement | Approved Solutions |
AC-4 (20) |
AC-4(20).1 |
Organizations define approved solutions and configurations in cross-domain policies and guidance in accordance with the types of information flows across classification boundaries. The Unified Cross Domain Management Office (UCDMO) provides a baseline listing of approved cross-domain solutions. |
The organization employs [Assignment: organization-defined solutions in approved configurations] to control the flow of [Assignment: organization-defined information] across security domains. |
| CCI-002213 |
The organization defines the information to be subjected to flow control across security domains. |
The organization conducting the inspection/assessment obtains and examines the documented information to ensure the organization being inspected/assessed defines the information to be subjected to flow control across security domains.
DoD has determined the information is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information to be subjected to flow control across security domains.
DoD has determined the information is not appropriate to define at the Enterprise level. |
Information Flow Enforcement | Approved Solutions |
AC-4 (20) |
AC-4(20).2 |
Organizations define approved solutions and configurations in cross-domain policies and guidance in accordance with the types of information flows across classification boundaries. The Unified Cross Domain Management Office (UCDMO) provides a baseline listing of approved cross-domain solutions. |
The organization employs [Assignment: organization-defined solutions in approved configurations] to control the flow of [Assignment: organization-defined information] across security domains. |
| CCI-002214 |
The organization employs organization-defined solutions in approved configurations to control the flow of organization-defined information across security domains. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed employs solutions defined in AC-4 (20), CCI 2212 in approved configurations to control the flow of information defined in AC-4 (20), CCI 2213 across security domains. |
The organization being inspected/assessed documents and implements solutions defined in AC-4 (20), CCI 2212 in approved configurations to control the flow of information defined in AC-4 (20), CCI 2213 across security domains. |
Information Flow Enforcement | Approved Solutions |
AC-4 (20) |
AC-4(20).3 |
Organizations define approved solutions and configurations in cross-domain policies and guidance in accordance with the types of information flows across classification boundaries. The Unified Cross Domain Management Office (UCDMO) provides a baseline listing of approved cross-domain solutions. |
The organization employs [Assignment: organization-defined solutions in approved configurations] to control the flow of [Assignment: organization-defined information] across security domains. |
| CCI-002215 |
The organization defines the mechanisms and/or techniques to be used to logically or physically separate information flows. |
The organization conducting the inspection/assessment obtains and examines the documented mechanisms to ensure the organization being inspected/assessed defines the mechanisms and/or techniques to be used to logically or physically separate information flows.
DoD has determined the mechanisms are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the mechanisms and/or techniques to be used to logically or physically separate information flows.
DoD has determined the mechanisms are not appropriate to define at the Enterprise level. |
Information Flow Enforcement | Physical/Logical Separation Of Information Flows |
AC-4 (21) |
AC-4(21).1 |
Enforcing the separation of information flows by type can enhance protection by ensuring that information is not commingled while in transit and by enabling flow control by transmission paths perhaps not otherwise achievable. Types of separable information include, for example, inbound and outbound communications traffic, service requests and responses, and information of differing security categories. |
The information system separates information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information]. |
| CCI-002216 |
The organization defines the types of information required to accomplish logical or physical separation of information flows. |
The organization conducting the inspection/assessment obtains and examines the documented types of information to ensure the organization being inspected/assessed defines the types of information required to accomplish logical or physical separation of information flows.
DoD has determined the types of information are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the types of information required to accomplish logical or physical separation of information flows.
DoD has determined the types of information are not appropriate to define at the Enterprise level. |
Information Flow Enforcement | Physical/Logical Separation Of Information Flows |
AC-4 (21) |
AC-4(21).2 |
Enforcing the separation of information flows by type can enhance protection by ensuring that information is not commingled while in transit and by enabling flow control by transmission paths perhaps not otherwise achievable. Types of separable information include, for example, inbound and outbound communications traffic, service requests and responses, and information of differing security categories. |
The information system separates information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information]. |
| CCI-002217 |
The information system separates information flows logically or physically using organization-defined mechanisms and/or techniques to accomplish organization-defined required separations by types of information. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to separate information flows logically or physically using mechanisms and/or techniques defined in AC-4 (21), CCI 2215 to accomplish required separations by types of information defined in AC-4 (21), CCI 2216.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2217. |
The organization being inspected/assessed configures the information system to separate information flows logically or physically using mechanisms and/or techniques defined in AC-4 (21), CCI 2215 to accomplish required separations by types of information defined in AC-4 (21), CCI 2216.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2217. |
Information Flow Enforcement | Physical/Logical Separation Of Information Flows |
AC-4 (21) |
AC-4(21).3 |
Enforcing the separation of information flows by type can enhance protection by ensuring that information is not commingled while in transit and by enabling flow control by transmission paths perhaps not otherwise achievable. Types of separable information include, for example, inbound and outbound communications traffic, service requests and responses, and information of differing security categories. |
The information system separates information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information]. |
| CCI-002218 |
The information system provides access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow between the different security domains. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow between the different security domains.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2218. |
The organization being inspected/assessed configures the information system to provide access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow between the different security domains.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2218. |
Information Flow Enforcement | Access Only |
AC-4 (22) |
AC-4(22).1 |
The information system, for example, provides a desktop for users to access each connected security domain without providing any mechanisms to allow transfer of information between the different security domains. |
The information system provides access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow between the different security domains. |
| CCI-002219 |
The organization defines the duties of individuals that are to be separated. |
The organization conducting the inspection/assessment obtains and examines the documented duties to ensure the organization being inspected/assessed defines the duties of individuals that are to be separated.
DoD has determined the duties are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the duties of individuals that are to be separated.
DoD has determined the duties are not appropriate to define at the Enterprise level. |
Separation Of Duties |
AC-5 |
AC-5.2 |
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions. Related controls: AC-3, AC-6, PE-3, PE-4, PS-2. |
The organization:
a. Separates [Assignment: organization-defined duties of individuals];
b. Documents separation of duties of individuals; and
c. Defines information system access authorizations to support separation of duties. |
| CCI-002220 |
The organization defines information system access authorizations to support separation of duties. |
The organization conducting the inspection/assessment obtains and examines the documented information system access authorizations to ensure the organization being inspected/assessed defines information system access authorizations to support separation of duties. |
The organization being inspected/assessed defines and documents the information system access authorizations to support separation of duties. |
Separation Of Duties |
AC-5 |
AC-5.4 |
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions. Related controls: AC-3, AC-6, PE-3, PE-4, PS-2. |
The organization:
a. Separates [Assignment: organization-defined duties of individuals];
b. Documents separation of duties of individuals; and
c. Defines information system access authorizations to support separation of duties. |
| CCI-002221 |
The organization defines the security-relevant information for which access must be explicitly authorized. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the security-relevant information as all security-relevant information not publicly available. |
DoD has defined the security-relevant information as all security-relevant information not publicly available. |
Least Privilege | Authorize Access To Security Functions |
AC-6 (1) |
AC-6(1).2 |
Security functions include, for example, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Security-relevant information includes, for example, filtering rules for routers/firewalls, cryptographic key management information, configuration parameters for security services, and access control lists. Explicitly authorized personnel include, for example, security administrators, system and network administrators, system security officers, system maintenance personnel, system programmers, and other privileged users. Related controls: AC-17, AC-18, AC-19. |
The organization explicitly authorizes access to [Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information]. |
| CCI-002222 |
The organization explicitly authorizes access to organization-defined security functions. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed explicitly authorizes access to all functions not publicly accessible.
DoD has defined the security functions as all functions not publicly accessible. |
The organization being inspected/assessed documents and implements a process to explicitly authorize access to all functions not publicly accessible.
Explicit authorization can be in the form of an acceptable use policy signed by the user at the time of access being granted.
DoD has defined the security functions as all functions not publicly accessible. |
Least Privilege | Authorize Access To Security Functions |
AC-6 (1) |
AC-6(1).3 |
Security functions include, for example, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Security-relevant information includes, for example, filtering rules for routers/firewalls, cryptographic key management information, configuration parameters for security services, and access control lists. Explicitly authorized personnel include, for example, security administrators, system and network administrators, system security officers, system maintenance personnel, system programmers, and other privileged users. Related controls: AC-17, AC-18, AC-19. |
The organization explicitly authorizes access to [Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information]. |
| CCI-002223 |
The organization explicitly authorizes access to organization-defined security-relevant information. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed explicitly authorizes access to all security-relevant information not publicly available.
DoD has defined the security-relevant information as all security-relevant information not publicly available. |
The organization being inspected/assessed documents and implements a process to explicitly authorize access to all security-relevant information not publicly available.
Explicit authorization can be in the form of an acceptable use policy signed by the user at the time of access being granted.
DoD has defined the security-relevant information as all security-relevant information not publicly available. |
Least Privilege | Authorize Access To Security Functions |
AC-6 (1) |
AC-6(1).4 |
Security functions include, for example, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Security-relevant information includes, for example, filtering rules for routers/firewalls, cryptographic key management information, configuration parameters for security services, and access control lists. Explicitly authorized personnel include, for example, security administrators, system and network administrators, system security officers, system maintenance personnel, system programmers, and other privileged users. Related controls: AC-17, AC-18, AC-19. |
The organization explicitly authorizes access to [Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information]. |
| CCI-002224 |
The organization defines the compelling operational needs that must be met in order to be authorized network access to organization-defined privileged commands. |
The organization conducting the inspection/assessment obtains and examines the documented compelling operational needs to ensure the organization being inspected/assessed defines the compelling operational needs that must be met in order to be authorized network access to organization-defined privileged commands.
DoD has determined the compelling operational needs are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the compelling operational needs that must be met in order to be authorized network access to organization-defined privileged commands.
DoD has determined the compelling operational needs are not appropriate to define at the Enterprise level. |
Least Privilege | Network Access To Privileged Commands |
AC-6 (3) |
AC-6(3).4 |
Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device). Related control: AC-17. |
The organization authorizes network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and documents the rationale for such access in the security plan for the information system. |
| CCI-002225 |
The information system provides separate processing domains to enable finer-grained allocation of user privileges. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide separate processing domains to enable finer-grained allocation of user privileges.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2225. |
The organization being inspected/assessed configures the information system to provide separate processing domains to enable finer-grained allocation of user privileges.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2225. |
Least Privilege | Separate Processing Domains |
AC-6 (4) |
AC-6(4).1 |
Providing separate processing domains for finer-grained allocation of user privileges includes, for example: (i) using virtualization techniques to allow additional privileges within a virtual machine while restricting privileges to other virtual machines or to the underlying actual machine; (ii) employing hardware and/or software domain separation mechanisms; and (iii) implementing separate physical domains. Related controls: AC-4, SC-3, SC-30, SC-32. |
The information system provides separate processing domains to enable finer-grained allocation of user privileges. |
| CCI-002226 |
The organization defines the personnel or roles to whom privileged accounts are to be restricted on the information system. |
The organization conducting the inspection/assessment obtains and examines the documented personnel or roles to ensure the organization being inspected/assessed defines the personnel or roles to whom privileged accounts are to be restricted on the information system.
DoD has determined the personnel and roles are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the personnel or roles to whom privileged accounts are to be restricted on the information system.
DoD has determined the personnel and roles are not appropriate to define at the Enterprise level. |
Least Privilege | Privileged Accounts |
AC-6 (5) |
AC-6(5).1 |
Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information/functions. Organizations may differentiate in the application of this control enhancement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control information system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk. Related control: CM-6. |
The organization restricts privileged accounts on the information system to [Assignment: organization-defined personnel or roles]. |
| CCI-002227 |
The organization restricts privileged accounts on the information system to organization-defined personnel or roles. |
The organization conducting the inspection/assessment obtains and examines a sampling of information system access authorizations to ensure the organization being inspected/assessed implements a process to only provide privileged accounts on the information system to personnel or roles defined in AC-6 (5), CCI 2226. |
The organization being inspected/assessed implements a process to only provide privileged accounts on the information system to personnel or roles defined in AC-6 (5), CCI 2226. |
Least Privilege | Privileged Accounts |
AC-6 (5) |
AC-6(5).2 |
Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information/functions. Organizations may differentiate in the application of this control enhancement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control information system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk. Related control: CM-6. |
The organization restricts privileged accounts on the information system to [Assignment: organization-defined personnel or roles]. |
| CCI-002228 |
The organization defines the frequency on which it conducts reviews of the privileges assigned to organization-defined roles or classes of users. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as at a minimum, annually. |
DoD has defined the frequency as at a minimum, annually. |
Least Privilege | Review Of User Privileges |
AC-6 (7) |
AC-6(7).1 |
The need for certain assigned user privileges may change over time reflecting changes in organizational missions/business function, environments of operation, technologies, or threat. Periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions. Related control: CA-7. |
The organization:
(a) Reviews [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and
(b) Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs. |
| CCI-002229 |
The organization defines the roles or classes of users that are to have their privileges reviewed on an organization-defined frequency. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the roles or classes of users as all users. |
DoD has defined the roles or classes of users as all users. |
Least Privilege | Review Of User Privileges |
AC-6 (7) |
AC-6(7).2 |
The need for certain assigned user privileges may change over time reflecting changes in organizational missions/business function, environments of operation, technologies, or threat. Periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions. Related control: CA-7. |
The organization:
(a) Reviews [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and
(b) Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs. |
| CCI-002230 |
The organization reviews the privileges assigned to organization-defined roles or classes of users on an organization-defined frequency to validate the need for such privileges. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of reviews to ensure the organization being inspected/assessed reviews the privileges assigned to all users at a minimum, annually. to validate the need for such privileges.
DoD has defined the roles or classes of users as all users.
DoD has defined the frequency as at a minimum, annually. |
The organization being inspected/assessed documents and implements a process to review the privileges assigned to all users at a minimum, annually to validate the need for such privileges.
The organization must maintain an audit trail of reviews.
DoD has defined the roles or classes of users as all users.
DoD has defined the frequency as at a minimum, annually. |
Least Privilege | Review Of User Privileges |
AC-6 (7) |
AC-6(7).3 |
The need for certain assigned user privileges may change over time reflecting changes in organizational missions/business function, environments of operation, technologies, or threat. Periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions. Related control: CA-7. |
The organization:
(a) Reviews [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and
(b) Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs. |
| CCI-002231 |
The organization reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed employs full-device encryption or container encryption to protect the integrity of information on mobile devices defined in AC-19 (5), CCI 2329. |
The organization being inspected/assessed documents and implements a process for full-device encryption or container encryption to protect the integrity of information on mobile devices defined in AC-19 (5), CCI 2329. |
Access Control For Mobile Devices | Full Device/ Container-Based Encryption |
AC-19 (5) |
AC-19(5).1 |
Container-based encryption provides a more fine-grained approach to the encryption of data/information on mobile devices, including for example, encrypting selected data structures such as files, records, or fields. Related controls: MP-5, SC-13, SC-28. |
The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]. |
| CCI-002232 |
The organization defines software that is restricted from executing at a higher privilege than users executing the software. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the software as any software except software explicitly documented. |
DoD has defined the software as any software except software explicitly documented. |
Least Privilege | Privilege Levels For Code Execution |
AC-6 (8) |
AC-6(8).1 |
In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by organizations. |
The information system prevents [Assignment: organization-defined software] from executing at higher privilege levels than users executing the software. |
| CCI-002233 |
The information system prevents organization-defined software from executing at higher privilege levels than users executing the software. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prevent any software except software explicitly documented from executing at higher privilege levels than users executing the software.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2233.
DoD has defined the software as any software except software explicitly documented. |
The organization being inspected/assessed configures the information system to any software except software explicitly documented from executing at higher privilege levels than users executing the software.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2233.
DoD has defined the software as any software except software explicitly documented. |
Least Privilege | Privilege Levels For Code Execution |
AC-6 (8) |
AC-6(8).2 |
In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by organizations. |
The information system prevents [Assignment: organization-defined software] from executing at higher privilege levels than users executing the software. |
| CCI-002234 |
The information system audits the execution of privileged functions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to audit the execution of privileged functions.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2234. |
The organization being inspected/assessed configures the information system to audit the execution of privileged functions.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2234. |
Least Privilege | Auditing Use Of Privileged Functions |
AC-6 (9) |
AC-6(9).1 |
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat (APT). Related control: AU-2. |
The information system audits the execution of privileged functions. |
| CCI-002235 |
The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2235. |
The organization being inspected/assessed configures the information system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2235. |
Least Privilege | Prohibit Non-Privileged Users From Executing Privileged Functions |
AC-6 (10) |
AC-6(10).1 |
Privileged functions include, for example, establishing information system accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. |
The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. |
| CCI-002236 |
The organization defines the time period the information system will automatically lock the account or node when the maximum number of unsuccessful logon attempts is exceeded. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as until released by an administrator. |
DoD has defined the time period as until released by an administrator. |
Unsuccessful Login Attempts |
AC-7 |
AC-7.4 |
This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels. Related controls: AC-2, AC-9, AC-14, IA-5. |
The information system:
a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and
b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded. |
| CCI-002237 |
The organization defines the delay algorithm to be employed by the information system to delay the next logon prompt when the maximum number of unsuccessful logon attempts is exceeded. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the delay algorithm as a minimum of 5 seconds. |
DoD has defined the delay algorithm as a minimum of 5 seconds. |
Unsuccessful Login Attempts |
AC-7 |
AC-7.5 |
This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels. Related controls: AC-2, AC-9, AC-14, IA-5. |
The information system:
a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and
b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded. |
| CCI-002238 |
The information system automatically locks the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to automatically lock the account or node until the locked account is released by an administrator and delays the next login prompt for a minimum of 5 seconds when the maximum number of unsuccessful attempts is exceeded.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2238.
DoD has defined the delay algorithm as a minimum of 5 seconds.
DoD has defined the time period as until released by an administrator. |
The organization being inspected/assessed configures the information system to automatically lock the account or node until the locked account is released by an administrator and delays the next login prompt for a minimum of 5 seconds when the maximum number of unsuccessful attempts is exceeded.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2238.
DoD has defined the delay algorithm as a minimum of 5 seconds.
DoD has defined the time period as until released by an administrator. |
Unsuccessful Login Attempts |
AC-7 |
AC-7.6 |
This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels. Related controls: AC-2, AC-9, AC-14, IA-5. |
The information system:
a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and
b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded. |
| CCI-002239 |
The organization defines the mobile devices that are to be purged/wiped by the information system after an organization-defined number of consecutive, unsuccessful device logon attempts. |
The organization conducting the inspection/assessment obtains and examines the documented mobile devices to ensure the organization being inspected/assessed defines the mobile devices that are to be purged/wiped by the information system after an organization-defined number of consecutive, unsuccessful device logon attempts.
DoD has determined the mobile devices are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the mobile devices that are to be purged/wiped by the information system after an organization-defined number of consecutive, unsuccessful device logon attempts.
Mobile devices may be defined in terms of manufacturer and model name.
DoD has determined the mobile devices are not appropriate to define at the Enterprise level. |
Unsuccessful Login Attempts | Purge/ Wipe Mobile Devices |
AC-7 (2) |
AC-7(2).1 |
This control enhancement applies only to mobile devices for which a logon occurs (e.g., personal digital assistants, smart phones, tablets). The logon is to the mobile device, not to any one account on the device. Therefore, successful logons to any accounts on mobile devices reset the unsuccessful logon count to zero. Organizations define information to be purged/wiped carefully in order to avoid over purging/wiping which may result in devices becoming unusable. Purging/wiping may be unnecessary if the information on the device is protected with sufficiently strong encryption mechanisms. Related controls: AC-19, MP-5, MP-6, SC-13. |
The information system purges/wipes information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging/wiping requirements/techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts. |
| CCI-002240 |
The organization defines the purging/wiping requirements/techniques to be used by the information system on organization-defined mobile devices after an organization-defined number of consecutive, unsuccessful device logon attempts. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the purging/wiping requirements/techniques as requirements and techniques identified in NIST SP 800-88, "Guidelines for Media Sanitization." |
DoD has defined the purging/wiping requirements/techniques as requirements and techniques identified in NIST SP 800-88, "Guidelines for Media Sanitization." |
Unsuccessful Login Attempts | Purge/ Wipe Mobile Devices |
AC-7 (2) |
AC-7(2).2 |
This control enhancement applies only to mobile devices for which a logon occurs (e.g., personal digital assistants, smart phones, tablets). The logon is to the mobile device, not to any one account on the device. Therefore, successful logons to any accounts on mobile devices reset the unsuccessful logon count to zero. Organizations define information to be purged/wiped carefully in order to avoid over purging/wiping which may result in devices becoming unusable. Purging/wiping may be unnecessary if the information on the device is protected with sufficiently strong encryption mechanisms. Related controls: AC-19, MP-5, MP-6, SC-13. |
The information system purges/wipes information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging/wiping requirements/techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts. |
| CCI-002241 |
The organization defines the number of consecutive, unsuccessful device logon attempts after which the information system will purge/wipe organization-defined mobile devices. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the number as 10. |
DoD has defined the number as 10. |
Unsuccessful Login Attempts | Purge/ Wipe Mobile Devices |
AC-7 (2) |
AC-7(2).3 |
This control enhancement applies only to mobile devices for which a logon occurs (e.g., personal digital assistants, smart phones, tablets). The logon is to the mobile device, not to any one account on the device. Therefore, successful logons to any accounts on mobile devices reset the unsuccessful logon count to zero. Organizations define information to be purged/wiped carefully in order to avoid over purging/wiping which may result in devices becoming unusable. Purging/wiping may be unnecessary if the information on the device is protected with sufficiently strong encryption mechanisms. Related controls: AC-19, MP-5, MP-6, SC-13. |
The information system purges/wipes information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging/wiping requirements/techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts. |
| CCI-002242 |
The information system purges/wipes information from organization-defined mobile devices based on organization-defined purging/wiping requirements/techniques after an organization-defined number of consecutive, unsuccessful device logon attempts. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to purge/wipe information from mobile devices defined in AC-7 (2), CCI 2239 based on requirements and techniques identified in NIST SP 800-88, "Guidelines for Media Sanitization" after 10 consecutive, unsuccessful device logon attempts.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2242.
DoD has defined the number as 10.
DoD has defined the purging/wiping requirements/techniques as requirements and techniques identified in NIST SP 800-88, "Guidelines for Media Sanitization." |
The organization being inspected/assessed configures the information system to purge/wipe information from mobile devices defined in AC-7 (2), CCI 2239 based on requirements and techniques identified in NIST SP 800-88, "Guidelines for Media Sanitization" after 10 consecutive, unsuccessful device logon attempts.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the
STIG/SRG guidance that pertains to CCI 2242.
DoD has defined the number as 10.
DoD has defined the purging/wiping requirements/techniques as requirements and techniques identified in NIST SP 800-88, "Guidelines for Media Sanitization." |
Unsuccessful Login Attempts | Purge/ Wipe Mobile Devices |
AC-7 (2) |
AC-7(2).4 |
This control enhancement applies only to mobile devices for which a logon occurs (e.g., personal digital assistants, smart phones, tablets). The logon is to the mobile device, not to any one account on the device. Therefore, successful logons to any accounts on mobile devices reset the unsuccessful logon count to zero. Organizations define information to be purged/wiped carefully in order to avoid over purging/wiping which may result in devices becoming unusable. Purging/wiping may be unnecessary if the information on the device is protected with sufficiently strong encryption mechanisms. Related controls: AC-19, MP-5, MP-6, SC-13. |
The information system purges/wipes information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging/wiping requirements/techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts. |
| CCI-002243 |
The organization-defined information system use notification message or banner is to state that users are accessing a U.S. Government information system. |
DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems – Standard Consent Banner and User Agreement," March 2013 meets the DoD requirements the information system use notification message or banner.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DTM 08-060. |
DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems – Standard Consent Banner and User Agreement," March 2013 meets the DoD requirements the information system use notification message or banner.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DTM 08-060. |
System Use Notification |
AC-8 |
AC-8.3 |
System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content. |
The information system:
a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:
1. Users are accessing a U.S. Government information system;
2. Information system usage may be monitored, recorded, and subject to audit;
3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and
4. Use of the information system indicates consent to monitoring and recording;
b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and
c. For publicly accessible systems:
1. Displays system use information [Assignment: organization-defined conditions], before granting further access;
2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
3. Includes a description of the authorized uses of the system. |
| CCI-002244 |
The organization-defined information system use notification message or banner is to state that information system usage may be monitored, recorded, and subject to audit. |
DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems – Standard Consent Banner and User Agreement," March 2013 meets the DoD requirements the information system use notification message or banner.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DTM 08-060. |
DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems – Standard Consent Banner and User Agreement," March 2013 meets the DoD requirements the information system use notification message or banner.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DTM 08-060. |
System Use Notification |
AC-8 |
AC-8.4 |
System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content. |
The information system:
a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:
1. Users are accessing a U.S. Government information system;
2. Information system usage may be monitored, recorded, and subject to audit;
3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and
4. Use of the information system indicates consent to monitoring and recording;
b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and
c. For publicly accessible systems:
1. Displays system use information [Assignment: organization-defined conditions], before granting further access;
2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
3. Includes a description of the authorized uses of the system. |
| CCI-002245 |
The organization-defined information system use notification message or banner is to state that unauthorized use of the information system is prohibited and subject to criminal and civil penalties. |
DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems – Standard Consent Banner and User Agreement," March 2013 meets the DoD requirements the information system use notification message or banner.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DTM 08-060. |
DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems – Standard Consent Banner and User Agreement," March 2013 meets the DoD requirements the information system use notification message or banner.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DTM 08-060. |
System Use Notification |
AC-8 |
AC-8.5 |
System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content. |
The information system:
a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:
1. Users are accessing a U.S. Government information system;
2. Information system usage may be monitored, recorded, and subject to audit;
3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and
4. Use of the information system indicates consent to monitoring and recording;
b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and
c. For publicly accessible systems:
1. Displays system use information [Assignment: organization-defined conditions], before granting further access;
2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
3. Includes a description of the authorized uses of the system. |
| CCI-002246 |
The organization-defined information system use notification message or banner is to state that use of the information system indicates consent to monitoring and recording. |
DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems – Standard Consent Banner and User Agreement," March 2013 meets the DoD requirements the information system use notification message or banner.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DTM 08-060. |
DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems – Standard Consent Banner and User Agreement," March 2013 meets the DoD requirements the information system use notification message or banner.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DTM 08-060. |
System Use Notification |
AC-8 |
AC-8.6 |
System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content. |
The information system:
a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:
1. Users are accessing a U.S. Government information system;
2. Information system usage may be monitored, recorded, and subject to audit;
3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and
4. Use of the information system indicates consent to monitoring and recording;
b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and
c. For publicly accessible systems:
1. Displays system use information [Assignment: organization-defined conditions], before granting further access;
2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
3. Includes a description of the authorized uses of the system. |
| CCI-002247 |
The organization defines the use notification message or banner the information system displays to users before granting access to the system. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the use notification message or banner as the content of DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems – Standard Consent Banner and User Agreement," March 2013. |
DoD has defined the use notification message or banner as the content of DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems – Standard Consent Banner and User Agreement," March 2013. |
System Use Notification |
AC-8 |
AC-8.2 |
System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content. |
The information system:
a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:
1. Users are accessing a U.S. Government information system;
2. Information system usage may be monitored, recorded, and subject to audit;
3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and
4. Use of the information system indicates consent to monitoring and recording;
b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and
c. For publicly accessible systems:
1. Displays system use information [Assignment: organization-defined conditions], before granting further access;
2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
3. Includes a description of the authorized uses of the system. |
| CCI-002248 |
The organization defines the conditions of use which are to be displayed to users of the information system before granting further access. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the conditions as the content of DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems – Standard Consent Banner and User Agreement," March 2013. |
DoD has defined the conditions as the content of DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems – Standard Consent Banner and User Agreement," March 2013. |
System Use Notification |
AC-8 |
AC-8.9 |
System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content. |
The information system:
a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:
1. Users are accessing a U.S. Government information system;
2. Information system usage may be monitored, recorded, and subject to audit;
3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and
4. Use of the information system indicates consent to monitoring and recording;
b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and
c. For publicly accessible systems:
1. Displays system use information [Assignment: organization-defined conditions], before granting further access;
2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
3. Includes a description of the authorized uses of the system. |
| CCI-002249 |
The organization defines the information, in addition to the date and time of the last logon (access), to be included in the notification to the user upon successful logon (access). |
The organization conducting the inspection/assessment obtains and examines the documented information to ensure the organization being inspected/assessed defines the information, in addition to the date and time of the last logon (access) to be included in the notification to the user upon successful logon (access).
DoD has determined the information is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information, in addition to the date and time of the last logon (access) to be included in the notification to the user upon successful logon (access).
DoD has determined the information is not appropriate to define at the Enterprise level. |
Previous Logon Notification | Additional Logon Information |
AC-9 (4) |
AC-9(4).1 |
This control enhancement permits organizations to specify additional information to be provided to users upon logon including, for example, the location of last logon. User location is defined as that information which can be determined by information systems, for example, IP addresses from which network logons occurred, device identifiers, or notifications of local logons. |
The information system notifies the user, upon successful logon (access), of the following additional information: [Assignment: organization-defined information to be included in addition to the date and time of the last logon (access)]. |
| CCI-002250 |
The information system notifies the user, upon successful logon (access), of the organization-defined information to be included in addition to the date and time of the last logon (access). |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to notify the user, upon successful logon (access), of the information defined in AC-9 (4), CCI 2249 to be included in addition to the date and time of the last logon (access).
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2250. |
The organization being inspected/assessed configures the information system to notify the user, upon successful logon (access), of the information defined in AC-9 (4), CCI 2249 to be included in addition to the date and time of the last logon (access).
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2250.
|
Previous Logon Notification | Additional Logon Information |
AC-9 (4) |
AC-9(4).2 |
This control enhancement permits organizations to specify additional information to be provided to users upon logon including, for example, the location of last logon. User location is defined as that information which can be determined by information systems, for example, IP addresses from which network logons occurred, device identifiers, or notifications of local logons. |
The information system notifies the user, upon successful logon (access), of the following additional information: [Assignment: organization-defined information to be included in addition to the date and time of the last logon (access)]. |
| CCI-002251 |
The information system notifies the user, upon successful logon (access), of the date and time of the last logon (access). |
|
|
|
|
|
|
|
| CCI-002252 |
The organization defines the accounts and/or account types for which the information system will limit the number of concurrent sessions. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the account types and/or accounts as all account types and/or accounts. |
DoD has defined the account types and/or accounts as all account types and/or accounts. |
Concurrent Session Control |
AC-10 |
AC-10.3 |
Organizations may define the maximum number of concurrent sessions for information system accounts globally, by account type (e.g., privileged user, non-privileged user, domain, specific application), by account, or a combination. For example, organizations may limit the number of concurrent sessions for system administrators or individuals working in particularly sensitive domains or mission-critical applications. This control addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. |
The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number]. |
| CCI-002253 |
The organization defines the account types for which the information system will limit the number of concurrent sessions. |
|
|
|
|
|
|
|
| CCI-002255 |
The organization defines the user actions that can be performed on the information system without identification and authentication. |
|
|
|
|
|
|
|
| CCI-002256 |
The organization defines security attributes having organization-defined types of security attribute values which are associated with information in storage. |
The organization conducting the inspection/assessment obtains and examines the documented security attributes to ensure the organization being inspected/assessed defines security attributes having organization-defined types of security attribute values which are associated with information in storage.
DoD has determined the security attributes are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security attributes having organization-defined types of security attribute values which are associated with information in storage.
DoD has determined the security attributes are not appropriate to define at the Enterprise level. |
Security Attributes |
AC-16 |
AC-16.1 |
Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. These attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the information system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes when bound to data/information, enables the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information.
Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling). Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret. Related controls: AC-3, AC-4, AC-6, AC-21, AU-2, AU-10, SC-16, MP-3. |
The organization:
a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;
b. Ensures that the security attribute associations are made and retained with the information;
c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and
d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes. |
| CCI-002257 |
The organization defines security attributes having organization-defined types of security attribute values which are associated with information in process. |
The organization conducting the inspection/assessment obtains and examines the documented security attributes to ensure the organization being inspected/assessed defines security attributes having organization-defined types of security attribute values process.
DoD has determined the security attributes are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security attributes having organization-defined types of security attribute values which are associated with information in process.
DoD has determined the security attributes are not appropriate to define at the Enterprise level. |
Security Attributes |
AC-16 |
AC-16.2 |
Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. These attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the information system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes when bound to data/information, enables the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information.
Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling). Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret. Related controls: AC-3, AC-4, AC-6, AC-21, AU-2, AU-10, SC-16, MP-3. |
The organization:
a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;
b. Ensures that the security attribute associations are made and retained with the information;
c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and
d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes. |
| CCI-002258 |
The organization defines security attributes, having organization-defined types of security attribute values, which are associated with information in transmission. |
The organization conducting the inspection/assessment obtains and examines the documented security attributes to ensure the organization being inspected/assessed defines security attributes having organization-defined types of security attribute values which are associated with information in transmission.
DoD has determined the security attributes are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security attributes having organization-defined types of security attribute values which are associated with information in transmission.
DoD has determined the security attributes are not appropriate to define at the Enterprise level. |
Security Attributes |
AC-16 |
AC-16.3 |
Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. These attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the information system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes when bound to data/information, enables the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information.
Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling). Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret. Related controls: AC-3, AC-4, AC-6, AC-21, AU-2, AU-10, SC-16, MP-3. |
The organization:
a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;
b. Ensures that the security attribute associations are made and retained with the information;
c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and
d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes. |
| CCI-002259 |
The organization defines security attribute values associated with organization-defined types of security attributes for information in storage. |
The organization conducting the inspection/assessment obtains and examines the documented security attribute values to ensure the organization being inspected/assessed defines security attribute values associated with organization-defined types of security attributes for information in storage.
DoD has determined the security attribute values are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security attributes values associated with organization-defined types of security attributes for information in storage.
DoD has determined the security attribute values are not appropriate to define at the Enterprise level. |
Security Attributes |
AC-16 |
AC-16.4 |
Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. These attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the information system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes when bound to data/information, enables the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information.
Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling). Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret. Related controls: AC-3, AC-4, AC-6, AC-21, AU-2, AU-10, SC-16, MP-3. |
The organization:
a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;
b. Ensures that the security attribute associations are made and retained with the information;
c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and
d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes. |
| CCI-002260 |
The organization defines security attribute values associated with organization-defined types of security attributes for information in process. |
The organization conducting the inspection/assessment obtains and examines the documented security attribute values to ensure the organization being inspected/assessed defines security attribute values associated with organization-defined types of security attributes for information in process.
DoD has determined the security attribute values are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security attributes values associated with organization-defined types of security attributes for information in process.
DoD has determined the security attribute values are not appropriate to define at the Enterprise level. |
Security Attributes |
AC-16 |
AC-16.5 |
Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. These attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the information system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes when bound to data/information, enables the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information.
Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling). Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret. Related controls: AC-3, AC-4, AC-6, AC-21, AU-2, AU-10, SC-16, MP-3. |
The organization:
a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;
b. Ensures that the security attribute associations are made and retained with the information;
c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and
d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes. |
| CCI-002261 |
The organization defines security attribute values associated with organization-defined types of security attributes for information in transmission. |
The organization conducting the inspection/assessment obtains and examines the documented security attribute values to ensure the organization being inspected/assessed defines security attribute values associated with organization-defined types of security attributes for information in transmission.
DoD has determined the security attribute values are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security attributes values associated with organization-defined types of security attributes for information in transmission.
DoD has determined the security attribute values are not appropriate to define at the Enterprise level. |
Security Attributes |
AC-16 |
AC-16.6 |
Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. These attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the information system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes when bound to data/information, enables the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information.
Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling). Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret. Related controls: AC-3, AC-4, AC-6, AC-21, AU-2, AU-10, SC-16, MP-3. |
The organization:
a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;
b. Ensures that the security attribute associations are made and retained with the information;
c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and
d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes. |
| CCI-002262 |
The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in storage. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide the means to associate types of security attributes in defined in AC-16, CCI 2256 having security attribute values defined in AC-16, CCI 2259 with information in storage.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2262. |
The organization being inspected/assessed configures the information system to provide the means to associate types of security attributes in defined in AC-16, CCI 2256 having security attribute values defined in AC-16, CCI 2259 with information in storage.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2262. |
Security Attributes |
AC-16 |
AC-16.7 |
Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. These attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the information system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes when bound to data/information, enables the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information.
Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling). Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret. Related controls: AC-3, AC-4, AC-6, AC-21, AU-2, AU-10, SC-16, MP-3. |
The organization:
a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;
b. Ensures that the security attribute associations are made and retained with the information;
c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and
d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes. |
| CCI-002263 |
The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in process. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide the means to associate types of security attributes in defined in AC-16, CCI 2257 having security attribute values defined in AC-16, CCI 2260 with information in process.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2263. |
The organization being inspected/assessed configures the information system to provide the means to associate types of security attributes in defined in AC-16, CCI 2257 having security attribute values defined in AC-16, CCI 2260 with information in process.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2263. |
Security Attributes |
AC-16 |
AC-16.8 |
Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. These attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the information system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes when bound to data/information, enables the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information.
Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling). Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret. Related controls: AC-3, AC-4, AC-6, AC-21, AU-2, AU-10, SC-16, MP-3. |
The organization:
a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;
b. Ensures that the security attribute associations are made and retained with the information;
c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and
d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes. |
| CCI-002264 |
The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in transmission. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide the means to associate types of security attributes in defined in AC-16, CCI 2258 having security attribute values defined in AC-16, CCI 2261 with information in transmission.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2264. |
The organization being inspected/assessed configures the information system to provide the means to associate types of security attributes in defined in AC-16, CCI 2258 having security attribute values defined in AC-16, CCI 2261 with information in transmission.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2264. |
Security Attributes |
AC-16 |
AC-16.9 |
Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. These attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the information system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes when bound to data/information, enables the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information.
Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling). Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret. Related controls: AC-3, AC-4, AC-6, AC-21, AU-2, AU-10, SC-16, MP-3. |
The organization:
a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;
b. Ensures that the security attribute associations are made and retained with the information;
c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and
d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes. |
| CCI-002265 |
The organization ensures that the security attribute associations are made with the information. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed ensures that the security attribute associations are made with the information. |
The organization being inspected/assessed documents and implements a process to ensure that the security attribute associations are made with the information. |
Security Attributes |
AC-16 |
AC-16.10 |
Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. These attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the information system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes when bound to data/information, enables the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information.
Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling). Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret. Related controls: AC-3, AC-4, AC-6, AC-21, AU-2, AU-10, SC-16, MP-3. |
The organization:
a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;
b. Ensures that the security attribute associations are made and retained with the information;
c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and
d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes. |
| CCI-002266 |
The organization ensures that the security attribute associations are retained with the information. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed ensures that the security attribute associations are retained with the information. |
The organization being inspected/assessed documents and implements a process to ensure that the security attribute associations are retained with the information. |
Security Attributes |
AC-16 |
AC-16.11 |
Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. These attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the information system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes when bound to data/information, enables the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information.
Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling). Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret. Related controls: AC-3, AC-4, AC-6, AC-21, AU-2, AU-10, SC-16, MP-3. |
The organization:
a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;
b. Ensures that the security attribute associations are made and retained with the information;
c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and
d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes. |
| CCI-002267 |
The organization defines the security attributes that are permitted for organization-defined information systems. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the security attributes as the security attributes defined in AC-16, CCIs 2256-2258. |
DoD has defined the security attributes as the security attributes defined in AC-16, CCIs 2256-2258. |
Security Attributes |
AC-16 |
AC-16.12 |
Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. These attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the information system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes when bound to data/information, enables the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information.
Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling). Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret. Related controls: AC-3, AC-4, AC-6, AC-21, AU-2, AU-10, SC-16, MP-3. |
The organization:
a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;
b. Ensures that the security attribute associations are made and retained with the information;
c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and
d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes. |
| CCI-002268 |
The organization defines the information systems for which permitted organization-defined attributes are to be established. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the information systems as all information systems. |
DoD has defined the information systems as all information systems. |
Security Attributes |
AC-16 |
AC-16.13 |
Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. These attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the information system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes when bound to data/information, enables the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information.
Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling). Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret. Related controls: AC-3, AC-4, AC-6, AC-21, AU-2, AU-10, SC-16, MP-3. |
The organization:
a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;
b. Ensures that the security attribute associations are made and retained with the information;
c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and
d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes. |
| CCI-002269 |
The organization establishes the permitted organization-defined security attributes for organization-defined information systems. |
The organization conducting the inspection/assessment obtains and examines the documented list of permitted security attributes to ensure the organization being inspected/assessed has established the list of permitted security attributes for all information systems as a subset of the security attributes defined in AC-16, CCI 2267.
DoD has defined the information systems as all information systems. |
The organization being inspected/assessed establishes and documents the permitted security attributes for all information systems as a subset of the security attributes defined in AC-16, CCI 2267.
DoD has defined the information systems as all information systems. |
Security Attributes |
AC-16 |
AC-16.14 |
Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. These attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the information system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes when bound to data/information, enables the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information.
Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling). Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret. Related controls: AC-3, AC-4, AC-6, AC-21, AU-2, AU-10, SC-16, MP-3. |
The organization:
a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;
b. Ensures that the security attribute associations are made and retained with the information;
c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and
d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes. |
| CCI-002270 |
The organization defines the values or ranges permitted for each of the established security attributes. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the values or ranges as the values defined in AC-16, CCIs 2259-2261. |
DoD has defined the values or ranges as the values defined in AC-16, CCIs 2259-2261. |
Security Attributes |
AC-16 |
AC-16.15 |
Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. These attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the information system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes when bound to data/information, enables the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information.
Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling). Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret. Related controls: AC-3, AC-4, AC-6, AC-21, AU-2, AU-10, SC-16, MP-3. |
The organization:
a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;
b. Ensures that the security attribute associations are made and retained with the information;
c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and
d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes. |
| CCI-002271 |
The organization determines the permitted organization-defined values or ranges for each of the established security attributes. |
The organization conducting the inspection/assessment obtains and examines the documented permitted values or ranges to ensure the organization being inspected/assessed has established the permitted values or ranges for each of the established security attributes as a subset of the values or ranges defined in AC-16, CCI 2270. |
The organization being inspected/assessed
establishes and documents the permitted values or ranges for each of the established security attributes as a subset of the values or ranges defined in AC-16, CCI 2270. |
Security Attributes |
AC-16 |
AC-16.16 |
Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. These attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the information system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes when bound to data/information, enables the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information.
Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling). Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret. Related controls: AC-3, AC-4, AC-6, AC-21, AU-2, AU-10, SC-16, MP-3. |
The organization:
a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;
b. Ensures that the security attribute associations are made and retained with the information;
c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and
d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes. |
| CCI-002272 |
The information system dynamically associates security attributes with organization-defined objects in accordance with organization-defined security policies as information is created and combined. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to dynamically associates security attributes with the objects defined in AC-16 (1), CCI 2275 in accordance with the security policies defined in AC-16 (1), CCI 2273 as information is created and combined.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2272. |
The organization being inspected/assessed configures the information system to dynamically associates security attributes with the objects defined in AC-16 (1), CCI 2275 in accordance with the security policies defined in AC-16 (1), CCI 2273 as information is created and combined.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2272. |
Security Attributes | Dynamic Attribute Association |
AC-16 (1) |
AC-16(1).2 |
Dynamic association of security attributes is appropriate whenever the security characteristics of information changes over time. Security attributes may change, for example, due to information aggregation issues (i.e., the security characteristics of individual information elements are different from the combined elements), changes in individual access authorizations (i.e., privileges), and changes in the security category of information. Related control: AC-4. |
The information system dynamically associates security attributes with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies] as information is created and combined. |
| CCI-002273 |
The organization defines the security policies the information system is to adhere to when dynamically associating security attributes with organization-defined subjects and objects. |
The organization conducting the inspection/assessment obtains and examines the documented security policies to ensure the organization being inspected/assessed defines the security policies the information system is to adhere to when dynamically associating security attributes with organization-defined subjects and objects.
DoD has determined the security policies are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security policies the information system is to adhere to when dynamically associating security attributes with organization-defined subjects and objects.
DoD has determined the security policies are not appropriate to define at the Enterprise level. |
Security Attributes | Dynamic Attribute Association |
AC-16 (1) |
AC-16(1).3 |
Dynamic association of security attributes is appropriate whenever the security characteristics of information changes over time. Security attributes may change, for example, due to information aggregation issues (i.e., the security characteristics of individual information elements are different from the combined elements), changes in individual access authorizations (i.e., privileges), and changes in the security category of information. Related control: AC-4. |
The information system dynamically associates security attributes with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies] as information is created and combined. |
| CCI-002274 |
The organization defines the subjects with which the information system is to dynamically associate security attributes as information is created and combined. |
The organization conducting the inspection/assessment obtains and examines the documented objects to ensure the organization being inspected/assessed defines the subjects the information system is to dynamically associate security attributes to as information is created and combined.
DoD has determined the subjects are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the subjects the information system is to dynamically associate security attributes to as information is created and combined.
DoD has determined the subjects are not appropriate to define at the Enterprise level. |
Security Attributes | Dynamic Attribute Association |
AC-16 (1) |
AC-16(1).4 |
Dynamic association of security attributes is appropriate whenever the security characteristics of information changes over time. Security attributes may change, for example, due to information aggregation issues (i.e., the security characteristics of individual information elements are different from the combined elements), changes in individual access authorizations (i.e., privileges), and changes in the security category of information. Related control: AC-4. |
The information system dynamically associates security attributes with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies] as information is created and combined. |
| CCI-002275 |
The organization defines the objects with which the information system is to dynamically associate security attributes as information is created and combined. |
The organization conducting the inspection/assessment obtains and examines the documented objects to ensure the organization being inspected/assessed defines the objects the information system is to dynamically associate security attributes to as information is created and combined.
DoD has determined the objects are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the objects the information system is to dynamically associate security attributes to as information is created and combined.
DoD has determined the objects are not appropriate to define at the Enterprise level. |
Security Attributes | Dynamic Attribute Association |
AC-16 (1) |
AC-16(1).5 |
Dynamic association of security attributes is appropriate whenever the security characteristics of information changes over time. Security attributes may change, for example, due to information aggregation issues (i.e., the security characteristics of individual information elements are different from the combined elements), changes in individual access authorizations (i.e., privileges), and changes in the security category of information. Related control: AC-4. |
The information system dynamically associates security attributes with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies] as information is created and combined. |
| CCI-002276 |
The organization identifies the individuals authorized to define the value of associated security attributes. |
The organization conducting the inspection/assessment obtains and examines the documented individuals to ensure the organization being inspected/assessed identifies the individuals authorized to define the value of associated security attributes. |
The organization being inspected/assessed identifies and documents the individuals authorized to define the value of associated security attributes. |
Security Attributes | Attribute Value Changes By Authorized Individuals |
AC-16 (2) |
AC-16(2).3 |
The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for information systems to be able to limit the ability to create or modify security attributes to authorized individuals. Related controls: AC-6, AU-2. |
The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security attributes. |
| CCI-002277 |
The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define the value of associated security attributes. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide authorized individuals (or processes acting on behalf of individuals) the capability to define the value of associated security attributes.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2277. |
The organization being inspected/assessed configures the information system to provide authorized individuals (or processes acting on behalf of individuals) the capability to define the value of associated security attributes.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2277. |
Security Attributes | Attribute Value Changes By Authorized Individuals |
AC-16 (2) |
AC-16(2).4 |
The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for information systems to be able to limit the ability to create or modify security attributes to authorized individuals. Related controls: AC-6, AU-2. |
The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security attributes. |
| CCI-002278 |
The organization defines security attributes for which the association and integrity to organization-defined subjects and objects is maintained by the information system. |
The organization conducting the inspection/assessment obtains and examines the documented security attributes to ensure the organization being inspected/assessed defines the security attributes for which the association and integrity to organization-defined subjects and objects is maintained by the information system.
DoD has determined the security attributes are not appropriate to define at the Enterprise level. |
he organization being inspected/assessed defines and documents the security attributes for which the association and integrity to organization-defined subjects and objects is maintained by the information system
DoD has determined the security attributes are not appropriate to define at the Enterprise level. |
Security Attributes | Maintenance Of Attribute Associations By Information System |
AC-16 (3) |
AC-16(3).1 |
Maintaining the association and integrity of security attributes to subjects and objects with sufficient assurance helps to ensure that the attribute associations can be used as the basis of automated policy actions. Automated policy actions include, for example, access control decisions or information flow control decisions. |
The information system maintains the association and integrity of [Assignment: organization-defined security attributes] to [Assignment: organization-defined subjects and objects]. |
| CCI-002279 |
The organization defines subjects for which the association and integrity of organization-defined security attributes is maintained by the information system. |
The organization conducting the inspection/assessment obtains and examines the documented subjects to ensure the organization being inspected/assessed defines the subjects for which the association and integrity of organization-defined security attributes is maintained by the information system.
DoD has determined the subjects are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the subjects for which the association and integrity of organization-defined security attributes is maintained by the information system.
DoD has determined the subjects are not appropriate to define at the Enterprise level. |
Security Attributes | Maintenance Of Attribute Associations By Information System |
AC-16 (3) |
AC-16(3).2 |
Maintaining the association and integrity of security attributes to subjects and objects with sufficient assurance helps to ensure that the attribute associations can be used as the basis of automated policy actions. Automated policy actions include, for example, access control decisions or information flow control decisions. |
The information system maintains the association and integrity of [Assignment: organization-defined security attributes] to [Assignment: organization-defined subjects and objects]. |
| CCI-002280 |
The organization defines objects for which the association and integrity of organization-defined security attributes is maintained by the information system. |
The organization conducting the inspection/assessment obtains and examines the documented subjects to ensure the organization being inspected/assessed defines the objects for which the association and integrity of organization-defined security attributes is maintained by the information system.
DoD has determined the objects are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the objects for which the association and integrity of organization-defined security attributes is maintained by the information system.
DoD has determined the objects are not appropriate to define at the Enterprise level. |
Security Attributes | Maintenance Of Attribute Associations By Information System |
AC-16 (3) |
AC-16(3).3 |
Maintaining the association and integrity of security attributes to subjects and objects with sufficient assurance helps to ensure that the attribute associations can be used as the basis of automated policy actions. Automated policy actions include, for example, access control decisions or information flow control decisions. |
The information system maintains the association and integrity of [Assignment: organization-defined security attributes] to [Assignment: organization-defined subjects and objects]. |
| CCI-002281 |
The information system maintains the association of organization-defined security attributes to organization-defined subjects. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to maintain the association of the security attributes defined in AC-16 (3), CCI 2278 to subjects defined in AC-16 (3), CCI 2280
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2281. |
The organization being inspected/assessed configures the information system to maintain the association of the security attributes defined in AC-16 (3), CCI 2278 to subjects defined in AC-16 (3), CCI 2279.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2281. |
Security Attributes | Maintenance Of Attribute Associations By Information System |
AC-16 (3) |
AC-16(3).4 |
Maintaining the association and integrity of security attributes to subjects and objects with sufficient assurance helps to ensure that the attribute associations can be used as the basis of automated policy actions. Automated policy actions include, for example, access control decisions or information flow control decisions. |
The information system maintains the association and integrity of [Assignment: organization-defined security attributes] to [Assignment: organization-defined subjects and objects]. |
| CCI-002282 |
The information system maintains the association of organization-defined security attributes to organization-defined objects. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to maintain the association of the security attributes defined in AC-16 (3), CCI 2278 to objects defined in AC-16 (3), CCI 2280
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2282. |
The organization being inspected/assessed configures the information system to maintain the association of the security attributes defined in AC-16 (3), CCI 2278 to objects defined in AC-16 (3), CCI 2280.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2282. |
Security Attributes | Maintenance Of Attribute Associations By Information System |
AC-16 (3) |
AC-16(3).5 |
Maintaining the association and integrity of security attributes to subjects and objects with sufficient assurance helps to ensure that the attribute associations can be used as the basis of automated policy actions. Automated policy actions include, for example, access control decisions or information flow control decisions. |
The information system maintains the association and integrity of [Assignment: organization-defined security attributes] to [Assignment: organization-defined subjects and objects]. |
| CCI-002283 |
The information system maintains the integrity of organization-defined security attributes associated with organization-defined subjects. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to maintain the integrity of the security attributes defined in AC-16 (3), CCI 2278 to subjects defined in AC-16 (3), CCI 2279.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2283. |
The organization being inspected/assessed configures the information system to maintain the integrity of the security attributes defined in AC-16 (3), CCI 2278 to subjects defined in AC-16 (3), CCI 2279.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2283. |
Security Attributes | Maintenance Of Attribute Associations By Information System |
AC-16 (3) |
AC-16(3).6 |
Maintaining the association and integrity of security attributes to subjects and objects with sufficient assurance helps to ensure that the attribute associations can be used as the basis of automated policy actions. Automated policy actions include, for example, access control decisions or information flow control decisions. |
The information system maintains the association and integrity of [Assignment: organization-defined security attributes] to [Assignment: organization-defined subjects and objects]. |
| CCI-002284 |
The information system maintains the integrity of organization-defined security attributes associated with organization-defined objects. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information to maintain the integrity of the security attributes defined in AC-16 (3), CCI 2278 to objects defined in AC-16 (3), CCI 2280.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2284. |
The organization being inspected/assessed configures the information system to maintain the integrity of the security attributes defined in AC-16 (3), CCI 2278 to objects defined in AC-16 (3), CCI 2280.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2284. |
Security Attributes | Maintenance Of Attribute Associations By Information System |
AC-16 (3) |
AC-16(3).7 |
Maintaining the association and integrity of security attributes to subjects and objects with sufficient assurance helps to ensure that the attribute associations can be used as the basis of automated policy actions. Automated policy actions include, for example, access control decisions or information flow control decisions. |
The information system maintains the association and integrity of [Assignment: organization-defined security attributes] to [Assignment: organization-defined subjects and objects]. |
| CCI-002285 |
The organization identifies individuals (or processes acting on behalf of individuals) authorized to associate organization-defined security attributes with organization-defined subjects. |
The organization conducting the inspection/assessment obtains and examines the documented individuals to ensure the organization being inspected/assessed identifies individuals (or processes acting on behalf of individuals) authorized to associate security attributes defined in AC-16 (4), CCI 2288 with subjects defined in AC-16 (4), CCI 2286. |
The organization being inspected/assessed identifies and documents individuals (or processes acting on behalf of individuals) authorized to associate security attributes defined in AC-16 (4), CCI 2288 with subjects defined in AC-16 (4), CCI 2286. |
Security Attributes | Association Of Attributes By Authorized Individuals |
AC-16 (4) |
AC-16(4).2 |
The support provided by information systems can vary to include: (i) prompting users to select specific security attributes to be associated with specific information objects; (ii) employing automated mechanisms for categorizing information with appropriate attributes based on defined policies; or (iii) ensuring that the combination of selected security attributes selected is valid. Organizations consider the creation, deletion, or modification of security attributes when defining auditable events. |
The information system supports the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals). |
| CCI-002286 |
The organization defines the subjects with which organization-defined security attributes may be associated by authorized individuals (or processes acting on behalf of individuals). |
The organization conducting the inspection/assessment obtains and examines the documented objects to ensure the organization being inspected/assessed defines the subjects with which organization-defined security attributes may be associated by authorized individuals (or processes acting on behalf of individuals).
DoD has defined the subjects as not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the subjects with which organization-defined security attributes may be associated by authorized individuals (or processes acting on behalf of individuals).
DoD has defined the subjects as not appropriate to define at the Enterprise level. |
Security Attributes | Association Of Attributes By Authorized Individuals |
AC-16 (4) |
AC-16(4).3 |
The support provided by information systems can vary to include: (i) prompting users to select specific security attributes to be associated with specific information objects; (ii) employing automated mechanisms for categorizing information with appropriate attributes based on defined policies; or (iii) ensuring that the combination of selected security attributes selected is valid. Organizations consider the creation, deletion, or modification of security attributes when defining auditable events. |
The information system supports the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals). |
| CCI-002287 |
The organization defines the objects with which organization-defined security attributes may be associated by authorized individuals (or processes acting on behalf of individuals). |
The organization conducting the inspection/assessment obtains and examines the documented objects to ensure the organization being inspected/assessed defines the objects with which organization-defined security attributes may be associated by authorized individuals (or processes acting on behalf of individuals).
DoD has defined the objects as not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the objects with which organization-defined security attributes may be associated by authorized individuals (or processes acting on behalf of individuals).
DoD has defined the objects as not appropriate to define at the Enterprise level. |
Security Attributes | Association Of Attributes By Authorized Individuals |
AC-16 (4) |
AC-16(4).4 |
The support provided by information systems can vary to include: (i) prompting users to select specific security attributes to be associated with specific information objects; (ii) employing automated mechanisms for categorizing information with appropriate attributes based on defined policies; or (iii) ensuring that the combination of selected security attributes selected is valid. Organizations consider the creation, deletion, or modification of security attributes when defining auditable events. |
The information system supports the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals). |
| CCI-002288 |
The organization defines the security attributes authorized individuals (or processes acting on behalf of individuals) are permitted to associate with organization-defined subjects and objects. |
The organization conducting the inspection/assessment obtains and examines the documented security attributes to ensure the organization being inspected/assessed defines the security attributes authorized individuals (or processes acting on behalf of individuals) are permitted to associate with organization-defined subjects and objects.
DoD has defined the security attributes as not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security attributes authorized individuals (or processes acting on behalf of individuals) are permitted to associate with organization-defined subjects and objects.
DoD has defined the security attributes as not appropriate to define at the Enterprise level. |
Security Attributes | Association Of Attributes By Authorized Individuals |
AC-16 (4) |
AC-16(4).5 |
The support provided by information systems can vary to include: (i) prompting users to select specific security attributes to be associated with specific information objects; (ii) employing automated mechanisms for categorizing information with appropriate attributes based on defined policies; or (iii) ensuring that the combination of selected security attributes selected is valid. Organizations consider the creation, deletion, or modification of security attributes when defining auditable events. |
The information system supports the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals). |
| CCI-002289 |
The information system supports the association of organization-defined security attributes with organization-defined subjects by authorized individuals (or processes acting on behalf of individuals). |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to support the association of security attributes defined in AC-16 (4), CCI 2288 with the subjects defined in AC-16 (4), CCI 2286 by authorized individuals (or processes acting on behalf of individuals).
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2289. |
The organization being inspected/assessed configures the information system to support the association of security attributes defined in AC-16 (4), CCI 2288 with the subjects defined in AC-16 (4), CCI 2286 by authorized individuals (or processes acting on behalf of individuals).
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2289. |
Security Attributes | Association Of Attributes By Authorized Individuals |
AC-16 (4) |
AC-16(4).6 |
The support provided by information systems can vary to include: (i) prompting users to select specific security attributes to be associated with specific information objects; (ii) employing automated mechanisms for categorizing information with appropriate attributes based on defined policies; or (iii) ensuring that the combination of selected security attributes selected is valid. Organizations consider the creation, deletion, or modification of security attributes when defining auditable events. |
The information system supports the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals). |
| CCI-002290 |
The information system supports the association of organization-defined security attributes with organization-defined objects by authorized individuals (or processes acting on behalf of individuals). |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to support the association of security attributes defined in AC-16 (4), CCI 2288 with the objects defined in AC-16 (4), CCI 2287 by authorized individuals (or processes acting on behalf of individuals).
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2290. |
The organization being inspected/assessed configures the information system to support the association of security attributes defined in AC-16 (4), CCI 2288 with the objects defined in AC-16 (4), CCI 2287 by authorized individuals (or processes acting on behalf of individuals).
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2290. |
Security Attributes | Association Of Attributes By Authorized Individuals |
AC-16 (4) |
AC-16(4).7 |
The support provided by information systems can vary to include: (i) prompting users to select specific security attributes to be associated with specific information objects; (ii) employing automated mechanisms for categorizing information with appropriate attributes based on defined policies; or (iii) ensuring that the combination of selected security attributes selected is valid. Organizations consider the creation, deletion, or modification of security attributes when defining auditable events. |
The information system supports the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals). |
| CCI-002291 |
The organization defines the security policies to be followed by personnel when associating organization-defined security attributes with organization-defined subjects and objects. |
The organization conducting the inspection/assessment obtains and examines the documented security policies to ensure the organization being inspected/assessed defines the security policies to be followed by personnel when associating organization-defined security attributes with organization-defined subjects and objects.
DoD has determined the security policies are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security policies to be followed by personnel when associating organization-defined security attributes with organization-defined subjects and objects.
DoD has determined the security policies are not appropriate to define at the Enterprise level. |
Security Attributes | Maintenance Of Attribute Association By Organization |
AC-16 (6) |
AC-16(6).1 |
This control enhancement requires individual users (as opposed to the information system) to maintain associations of security attributes with subjects and objects. |
The organization allows personnel to associate, and maintain the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies]. |
| CCI-002292 |
The organization defines the security attributes which are to be associated with organization-defined subjects and objects. |
The organization conducting the inspection/assessment obtains and examines the documented security attributes to ensure the organization being inspected/assessed defines the security attributes which are to be associated with organization-defined subjects and objects.
DoD has determined the security attributes are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security attributes which are to be associated with organization-defined subjects and objects.
DoD has determined the security attributes are not appropriate to define at the Enterprise level. |
Security Attributes | Maintenance Of Attribute Association By Organization |
AC-16 (6) |
AC-16(6).2 |
This control enhancement requires individual users (as opposed to the information system) to maintain associations of security attributes with subjects and objects. |
The organization allows personnel to associate, and maintain the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies]. |
| CCI-002293 |
The organization defines the subjects to be associated, and that association maintained, with organization-defined security attributes in accordance with organization-defined security policies. |
The organization conducting the inspection/assessment obtains and examines the documented subjects to ensure the organization being inspected/assessed defines the subjects to be associated, and that association maintained, with organization-defined security attributes in accordance with organization-defined security policies.
DoD has determined the subjects are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the subjects to be associated, and that association maintained, with organization-defined security attributes in accordance with organization-defined security policies.
DoD has determined the subjects are not appropriate to define at the Enterprise level. |
Security Attributes | Maintenance Of Attribute Association By Organization |
AC-16 (6) |
AC-16(6).3 |
This control enhancement requires individual users (as opposed to the information system) to maintain associations of security attributes with subjects and objects. |
The organization allows personnel to associate, and maintain the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies]. |
| CCI-002294 |
The organization defines the objects to be associated, and that association maintained, with organization-defined security attributes in accordance with organization-defined security policies. |
The organization conducting the inspection/assessment obtains and examines the documented objects to ensure the organization being inspected/assessed defines the objects to be associated, and that association maintained, with organization-defined security attributes in accordance with organization-defined security policies.
DoD has determined the objects are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the objects to be associated, and that association maintained, with organization-defined security attributes in accordance with organization-defined security policies.
DoD has determined the objects are not appropriate to define at the Enterprise level. |
Security Attributes | Maintenance Of Attribute Association By Organization |
AC-16 (6) |
AC-16(6).4 |
This control enhancement requires individual users (as opposed to the information system) to maintain associations of security attributes with subjects and objects. |
The organization allows personnel to associate, and maintain the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies]. |
| CCI-002295 |
The organization allows personnel to associate organization-defined security attributes with organization-defined subjects in accordance with organization-defined security policies. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed requires personnel to associate security attributes defined in AC-16 (6), CCI 2292 with subjects defined in AC-16 (6), CCI 2293 in accordance with security policies defined in AC-16 (6), CCI 2291. |
The organization being inspected/assessed
documents and implements a process requiring personnel to associate security attributes defined in AC-16 (6), CCI 2292 with subjects defined in AC-16 (6), CCI 2293 in accordance with security policies defined in AC-16 (6), CCI 2291. |
Security Attributes | Maintenance Of Attribute Association By Organization |
AC-16 (6) |
AC-16(6).5 |
This control enhancement requires individual users (as opposed to the information system) to maintain associations of security attributes with subjects and objects. |
The organization allows personnel to associate, and maintain the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies]. |
| CCI-002296 |
The organization allows personnel to associate organization-defined security attributes with organization-defined objects in accordance with organization-defined security policies. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed requires personnel to associate security attributes defined in AC-16 (6), CCI 2292 with objects defined in AC-16 (6), CCI 2294 in accordance with security policies defined in AC-16 (6), CCI 2291. |
The organization being inspected/assessed
documents and implements a process requiring personnel to associate security attributes defined in AC-16 (6), CCI 2292 with objects defined in AC-16 (6), CCI 2294 in accordance with security policies defined in AC-16 (6), CCI 2291. |
Security Attributes | Maintenance Of Attribute Association By Organization |
AC-16 (6) |
AC-16(6).6 |
This control enhancement requires individual users (as opposed to the information system) to maintain associations of security attributes with subjects and objects. |
The organization allows personnel to associate, and maintain the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies]. |
| CCI-002297 |
The organization allows personnel to maintain the association of organization-defined security attributes with organization-defined subjects in accordance with organization-defined security policies. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed requires personnel to maintain the association of security attributes defined in AC-16 (6), CCI 2292 with subjects defined in AC-16 (6), CCI 2293 in accordance with security policies defined in AC-16 (6), CCI 2291. |
The organization being inspected/assessed
documents and implements a process requiring personnel to maintain the association of security attributes defined in AC-16 (6), CCI 2292 with subjects defined in AC-16 (6), CCI 2293 in accordance with security policies defined in AC-16 (6), CCI 2291. |
Security Attributes | Maintenance Of Attribute Association By Organization |
AC-16 (6) |
AC-16(6).7 |
This control enhancement requires individual users (as opposed to the information system) to maintain associations of security attributes with subjects and objects. |
The organization allows personnel to associate, and maintain the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies]. |
| CCI-002298 |
The organization allows personnel to maintain the association of organization-defined security attributes with organization-defined objects in accordance with organization-defined security policies. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed requires personnel to maintain the association of security attributes defined in AC-16 (6), CCI 2292 with objects defined in AC-16 (6), CCI 2294 in accordance with security policies defined in AC-16 (6), CCI 2291. |
The organization being inspected/assessed
documents and implements a process requiring personnel to maintain the association of security attributes defined in AC-16 (6), CCI 2292 with objects defined in AC-16 (6), CCI 2294 in accordance with security policies defined in AC-16 (6), CCI 2291. |
Security Attributes | Maintenance Of Attribute Association By Organization |
AC-16 (6) |
AC-16(6).8 |
This control enhancement requires individual users (as opposed to the information system) to maintain associations of security attributes with subjects and objects. |
The organization allows personnel to associate, and maintain the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies]. |
| CCI-002299 |
The organization provides a consistent interpretation of security attributes transmitted between distributed information system components. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed provides a consistent interpretation of security attributes transmitted between distributed information system components. |
The organization being inspected/assessed documents and implements a process to provide a consistent interpretation of security attributes transmitted between distributed information system components. |
Security Attributes | Consistent Attribute Interpretation |
AC-16 (7) |
AC-16(7).1 |
In order to enforce security policies across multiple components in distributed information systems (e.g., distributed database management systems, cloud-based systems, and service-oriented architectures), organizations provide a consistent interpretation of security attributes that are used in access enforcement and flow enforcement decisions. Organizations establish agreements and processes to ensure that all distributed information system components implement security attributes with consistent interpretations in automated access/flow enforcement actions. |
The organization provides a consistent interpretation of security attributes transmitted between distributed information system components. |
| CCI-002300 |
The organization defines the techniques or technologies to be implemented when associating security attributes with information. |
The organization conducting the inspection/assessment obtains and examines the documented techniques and technologies to ensure the organization being inspected/assessed defines the techniques or technologies to be implemented when associating security attributes with information.
DoD has determined the technique or technologies are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the techniques or technologies to be implemented when associating security attributes with information.
DoD has determined the technique or technologies are not appropriate to define at the Enterprise level. |
Security Attributes | Association Techniques/ Technologies |
AC-16 (8) |
AC-16(8).1 |
The association (i.e., binding) of security attributes to information within information systems is of significant importance with regard to conducting automated access enforcement and flow enforcement actions. The association of such security attributes can be accomplished with technologies/techniques providing different levels of assurance. For example, information systems can cryptographically bind security attributes to information using digital signatures with the supporting cryptographic keys protected by hardware devices (sometimes known as hardware roots of trust). |
The information system implements [Assignment: organization-defined techniques or technologies] with [Assignment: organization-defined level of assurance] in associating security attributes to information. |
| CCI-002301 |
The organization defines the level of assurance to be provided when implementing organization-defined techniques or technologies in associating security attributes to information. |
The organization conducting the inspection/assessment obtains and examines the documented level of assurance to ensure the organization being inspected/assessed defines the level of assurance to be provided when implementing organization-defined techniques or technologies in associating security attributes to information.
DoD has determined the level of assurance is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the level of assurance to be provided when implementing organization-defined techniques or technologies in associating security attributes to information.
DoD has determined the level of assurance is not appropriate to define at the Enterprise level. |
Security Attributes | Association Techniques/ Technologies |
AC-16 (8) |
AC-16(8).2 |
The association (i.e., binding) of security attributes to information within information systems is of significant importance with regard to conducting automated access enforcement and flow enforcement actions. The association of such security attributes can be accomplished with technologies/techniques providing different levels of assurance. For example, information systems can cryptographically bind security attributes to information using digital signatures with the supporting cryptographic keys protected by hardware devices (sometimes known as hardware roots of trust). |
The information system implements [Assignment: organization-defined techniques or technologies] with [Assignment: organization-defined level of assurance] in associating security attributes to information. |
| CCI-002302 |
The information system implements organization-defined techniques or technologies with an organization-defined level of assurance in associating security attributes to information. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement the techniques or technologies defined in AC-16 (8), CCI 2300 with the level of assurance defined in AC-16 (8), CCI 2301 in associating security attributes to information.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2302. |
The organization being inspected/assessed configures the information system to implement the techniques or technologies defined in AC-16 (8), CCI 2300 with the level of assurance defined in AC-16 (8), CCI 2301 in associating security attributes to information.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2302. |
Security Attributes | Association Techniques/ Technologies |
AC-16 (8) |
AC-16(8).3 |
The association (i.e., binding) of security attributes to information within information systems is of significant importance with regard to conducting automated access enforcement and flow enforcement actions. The association of such security attributes can be accomplished with technologies/techniques providing different levels of assurance. For example, information systems can cryptographically bind security attributes to information using digital signatures with the supporting cryptographic keys protected by hardware devices (sometimes known as hardware roots of trust). |
The information system implements [Assignment: organization-defined techniques or technologies] with [Assignment: organization-defined level of assurance] in associating security attributes to information. |
| CCI-002303 |
The organization defines the techniques or procedures to be employed to validate re-grading mechanisms. |
The organization conducting the inspection/assessment obtains and examines the documented techniques or procedures to ensure the organization being inspected/assessed defines the techniques or procedures to be employed to validate re-grading mechanisms.
DoD has determined the techniques or procedures are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the techniques or procedures to be employed to validate re-grading mechanisms.
DoD has determined the techniques or procedures are not appropriate to define at the Enterprise level. |
Security Attributes | Attribute Reassignment |
AC-16 (9) |
AC-16(9).1 |
Validated re-grading mechanisms are employed by organizations to provide the requisite levels of assurance for security attribute reassignment activities. The validation is facilitated by ensuring that re-grading mechanisms are single purpose and of limited function. Since security attribute reassignments can affect security policy enforcement actions (e.g., access/flow enforcement decisions), using trustworthy re-grading mechanisms is necessary to ensure that such mechanisms perform in a consistent/correct mode of operation. |
The organization ensures that security attributes associated with information are reassigned only via re-grading mechanisms validated using [Assignment: organization-defined techniques or procedures]. |
| CCI-002304 |
The organization ensures security attributes associated with information are reassigned only via re-grading mechanisms validated using organization-defined techniques or procedures. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed ensures security attributes associated with information are reassigned only via re-grading mechanisms validated using techniques or procedures defined in AC-16 (9), CCI 2303. |
The organization being inspected/assessed documents and implements a process to ensure security attributes associated with information are reassigned only via re-grading mechanisms validated using techniques or procedures defined in AC-16 (9), CCI 2303. |
Security Attributes | Attribute Reassignment |
AC-16 (9) |
AC-16(9).2 |
Validated re-grading mechanisms are employed by organizations to provide the requisite levels of assurance for security attribute reassignment activities. The validation is facilitated by ensuring that re-grading mechanisms are single purpose and of limited function. Since security attribute reassignments can affect security policy enforcement actions (e.g., access/flow enforcement decisions), using trustworthy re-grading mechanisms is necessary to ensure that such mechanisms perform in a consistent/correct mode of operation. |
The organization ensures that security attributes associated with information are reassigned only via re-grading mechanisms validated using [Assignment: organization-defined techniques or procedures]. |
| CCI-002305 |
The organization identifies individuals authorized to define or change the type and value of security attributes available for association with subjects and objects. |
The organization conducting the inspection/assessment obtains and examines the documented individuals to ensure the organization being inspected/assessed identifies individuals authorized to define or change the type and value of security attributes available for association with subjects and objects. |
The organization being inspected/assessed identifies and documents individuals authorized to define or change the type and value of security attributes available for association with subjects and objects. |
Security Attributes | Attribute Configuration By Authorized Individuals |
AC-16 (10) |
AC-16(10).1 |
The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for information systems to be able to limit the ability to create or modify security attributes to authorized individuals only. |
The information system provides authorized individuals the capability to define or change the type and value of security attributes available for association with subjects and objects. |
| CCI-002306 |
The information system provides authorized individuals the capability to define or change the type of security attributes available for association with subjects. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide authorized individuals the capability to define or change the type of security attributes available for association with subjects.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2306. |
The organization being inspected/assessed configures the information system to provide authorized individuals the capability to define or change the type of security attributes available for association with subjects.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2306. |
Security Attributes | Attribute Configuration By Authorized Individuals |
AC-16 (10) |
AC-16(10).2 |
The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for information systems to be able to limit the ability to create or modify security attributes to authorized individuals only. |
The information system provides authorized individuals the capability to define or change the type and value of security attributes available for association with subjects and objects. |
| CCI-002307 |
The information system provides authorized individuals the capability to define or change the value of security attributes available for association with subjects. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide authorized individuals the capability to define or change the value of security attributes available for association with subjects.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2307. |
The organization being inspected/assessed configures the information system to provide authorized individuals the capability to define or change the value of security attributes available for association with subjects.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2307. |
Security Attributes | Attribute Configuration By Authorized Individuals |
AC-16 (10) |
AC-16(10).3 |
The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for information systems to be able to limit the ability to create or modify security attributes to authorized individuals only. |
The information system provides authorized individuals the capability to define or change the type and value of security attributes available for association with subjects and objects. |
| CCI-002308 |
The information system provides authorized individuals the capability to define or change the type of security attributes available for association with objects. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide authorized individuals the capability to define or change the type of security attributes available for association with objects.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2308. |
The organization being inspected/assessed configures the information system to provide authorized individuals the capability to define or change the type of security attributes available for association with objects.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2308. |
Security Attributes | Attribute Configuration By Authorized Individuals |
AC-16 (10) |
AC-16(10).4 |
The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for information systems to be able to limit the ability to create or modify security attributes to authorized individuals only. |
The information system provides authorized individuals the capability to define or change the type and value of security attributes available for association with subjects and objects. |
| CCI-002309 |
The information system provides authorized individuals the capability to define or change the value of security attributes available for association with objects. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide authorized individuals the capability to define or change the value of security attributes available for association with objects.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2309. |
The organization being inspected/assessed configures the information system to provide authorized individuals the capability to define or change the value of security attributes available for association with objects.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2309. |
Security Attributes | Attribute Configuration By Authorized Individuals |
AC-16 (10) |
AC-16(10).5 |
The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for information systems to be able to limit the ability to create or modify security attributes to authorized individuals only. |
The information system provides authorized individuals the capability to define or change the type and value of security attributes available for association with subjects and objects. |
| CCI-002310 |
The organization establishes and documents usage restrictions for each type of remote access allowed. |
The organization conducting the inspection/assessment obtains and examines the documented usage restrictions to ensure the organization being inspected/assessed establishes and documents usage restrictions for each type of remote access allowed. |
The organization being inspected/assessed establishes and documents usage restrictions for each type of remote access allowed. |
Remote Access |
AC-17 |
AC-17.2 |
Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4. |
The organization:
a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
b. Authorizes remote access to the information system prior to allowing such connections. |
| CCI-002311 |
The organization establishes and documents configuration/connection requirements for each type of remote access allowed. |
The organization conducting the inspection/assessment obtains and examines the documented requirements to ensure the organization being inspected/assessed establishes and documents configuration/connection requirements for each type of remote access allowed. |
The organization being inspected/assessed establishes and documents configuration/connection requirements for each type of remote access allowed. |
Remote Access |
AC-17 |
AC-17.3 |
Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4. |
The organization:
a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
b. Authorizes remote access to the information system prior to allowing such connections. |
| CCI-002312 |
The organization establishes and documents implementation guidance for each type of remote access allowed. |
The organization conducting the inspection/assessment obtains and examines the documented implementation guidance to ensure the organization being inspected/assessed establishes and documents implementation guidance for each type of remote access allowed. |
The organization being inspected/assessed establishes and documents implementation guidance for each type of remote access allowed. |
Remote Access |
AC-17 |
AC-17.4 |
Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4. |
The organization:
a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
b. Authorizes remote access to the information system prior to allowing such connections. |
| CCI-002313 |
The information system controls remote access methods. |
|
|
|
|
|
|
|
| CCI-002314 |
The information system controls remote access methods. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to control remote access methods.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2314. |
The organization being inspected/assessed configures the information system to control remote access methods.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2314. |
Remote Access | Automated Monitoring / Control |
AC-17 (1) |
AC-17(1).2 |
Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). Related controls: AU-2, AU-12. |
The information system monitors and controls remote access methods. |
| CCI-002315 |
The organization defines the number of managed network access control points through which the information system routes all remote access. |
The organization conducting the inspection/assessment obtains and examines the documented number to ensure the organization being inspected/assessed defines the number of managed network access control points through which the information system routes all remote access.
DoD has determined the number is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the number of managed network access control points through which the information system routes all remote access.
DoD has determined the number is not appropriate to define at the Enterprise level. |
Remote Access | Managed Access Control Points |
AC-17 (3) |
AC-17(3).3 |
Limiting the number of access control points for remote accesses reduces the attack surface for organizations. Organizations consider the Trusted Internet Connections (TIC) initiative requirements for external network connections. Related control: SC-7. |
The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points. |
| CCI-002316 |
The organization authorizes access to security-relevant information via remote access only for organization-defined needs. |
The organization conducting the inspection/assessment obtains and examines the audit trail of authorizations to ensure the organization being inspected/assessed authorizes the access to security-relevant information via remote access only for needs defined in AC-17 (4), CCI 2318. |
The organization being inspected/assessed authorizes the access to security-relevant information via remote access only for needs defined in AC-17 (4), CCI 2318.
The organization being inspected/assessed maintains an audit trail of authorizations. |
Remote Access | Privileged Commands/ Access |
AC-17 (4) |
AC-17(4).2 |
Related control: AC-6. |
The organization:
(a) Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and
(b) Documents the rationale for such access in the security plan for the information system. |
| CCI-002317 |
The organization defines the operational needs for when the execution of privileged commands via remote access is to be authorized. |
The organization conducting the inspection/assessment obtains and examines the documented operational needs to ensure the organization being inspected/assessed defines the operational needs when the execution of privileged commands via remote access is to be authorized.
DoD has determined the operational needs are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the operational needs when the execution of privileged commands via remote access is to be authorized.
DoD has determined the operational needs are not appropriate to define at the Enterprise level. |
Remote Access | Privileged Commands/ Access |
AC-17 (4) |
AC-17(4).3 |
Related control: AC-6. |
The organization:
(a) Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and
(b) Documents the rationale for such access in the security plan for the information system. |
| CCI-002318 |
The organization defines the operational needs for when access to security-relevant information via remote access is to be authorized. |
The organization conducting the inspection/assessment obtains and examines the documented operational needs to ensure the organization being inspected/assessed defines the operational needs when access to security-relevant information via remote access is to be authorized.
DoD has determined the operational needs are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the operational needs when access to security-relevant information via remote access is to be authorized.
DoD has determined the operational needs are not appropriate to define at the Enterprise level. |
Remote Access | Privileged Commands/ Access |
AC-17 (4) |
AC-17(4).4 |
Related control: AC-6. |
The organization:
(a) Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and
(b) Documents the rationale for such access in the security plan for the information system. |
| CCI-002319 |
The organization documents in the security plan for the information system the rationale for authorization of the execution of privilege commands via remote access. |
The organization conducting the inspection/assessment obtains and examines the security plan to ensure the organization being inspected/assessed documents in the security plan for the information system the rationale for authorization of the execution of privilege commands via remote access. |
The organization being inspected/assessed documents in the security plan for the information system the rationale for authorization of the execution of privilege commands via remote access. |
Remote Access | Privileged Commands/ Access |
AC-17 (4) |
AC-17(4).5 |
Related control: AC-6. |
The organization:
(a) Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and
(b) Documents the rationale for such access in the security plan for the information system. |
| CCI-002320 |
The organization documents in the security plan for the information system the rationale for authorization of access to security-relevant information via remote access. |
The organization conducting the inspection/assessment obtains and examines the security plan to ensure the organization being inspected/assessed documents in the security plan for the information system the rationale for authorization of access to security-relevant information via remote access. |
The organization being inspected/assessed documents in the security plan for the information system the rationale for authorization of access to security-relevant information via remote access. |
Remote Access | Privileged Commands/ Access |
AC-17 (4) |
AC-17(4).6 |
Related control: AC-6. |
The organization:
(a) Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and
(b) Documents the rationale for such access in the security plan for the information system. |
| CCI-002321 |
The organization defines the time period within which it disconnects or disables remote access to the information system. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as immediately. |
DoD has defined the time period as immediately. |
Remote Access | Disconnect/ Disable Access |
AC-17 (9) |
AC-17(9).1 |
This control enhancement requires organizations to have the capability to rapidly disconnect current users remotely accessing the information system and/or disable further remote access. The speed of disconnect or disablement varies based on the criticality of missions/business functions and the need to eliminate immediate or future remote access to organizational information systems. |
The organization provides the capability to expeditiously disconnect or disable remote access to the information system within [Assignment: organization-defined time period]. |
| CCI-002322 |
The organization provides the capability to expeditiously disconnect or disable remote access to the information system within the organization-defined time period. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide the capability to expeditiously disconnect or disable remote access to the information system immediately.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2322.
DoD has defined the time period as immediately. |
The organization being inspected/assessed configures the information system to provide the capability to expeditiously disconnect or disable remote access to the information system immediately.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2322.
DoD has defined the time period as immediately. |
Remote Access | Disconnect/ Disable Access |
AC-17 (9) |
AC-17(9).2 |
This control enhancement requires organizations to have the capability to rapidly disconnect current users remotely accessing the information system and/or disable further remote access. The speed of disconnect or disablement varies based on the criticality of missions/business functions and the need to eliminate immediate or future remote access to organizational information systems. |
The organization provides the capability to expeditiously disconnect or disable remote access to the information system within [Assignment: organization-defined time period]. |
| CCI-002323 |
The organization establishes configuration/connection requirements for wireless access. |
The organization conducting the inspection/assessment obtains and examines the documented configuration/connection requirements to ensure the organization being inspected/assessed establishes configuration/connection requirements for wireless access. |
The organization being inspected/assessed establishes and documents configuration/connection requirements for wireless access. |
Wireless Access |
AC-18 |
AC-18.3 |
Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication. Related controls: AC-2, AC-3, AC-17, AC-19, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, PL-4, SI-4. |
The organization:
a. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and
b. Authorizes wireless access to the information system prior to allowing such connections. |
| CCI-002324 |
The organization identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities. |
The organization conducting the inspection/assessment obtains and examines the audit trail of authorizations to ensure the organization being inspected/assessed identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities. |
The organization being inspected/assessed identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities.
The organization must maintain an audit trail of authorizations. |
Wireless Access | Restrict Configurations By Users |
AC-18 (4) |
AC-18(4).1 |
Organizational authorizations to allow selected users to configure wireless networking capability are enforced in part, by the access enforcement mechanisms employed within organizational information systems. Related controls: AC-3, SC-15. |
The organization identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities. |
| CCI-002325 |
The organization establishes configuration requirements for organization-controlled mobile devices. |
DoD is automatically compliant with this CCI because existing STIGs establish configuration requirements for approved mobile devices. |
DoD is automatically compliant with this CCI because existing STIGs establish configuration requirements for approved mobile devices. |
Access Control For Mobile Devices |
AC-19 |
AC-19.3 |
A mobile device is a computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, E-readers, and tablets. Mobile devices are typically associated with a single individual and the device is usually in close proximity to the individual; however, the degree of proximity can vary depending upon on the form factor and size of the device. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of desktop systems, depending upon the nature and intended purpose of the device. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different classes/types of such devices. Usage restrictions and specific implementation guidance for mobile devices include, for example, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the need to provide adequate security for mobile devices goes beyond the requirements in this control. Many safeguards and countermeasures for mobile devices are reflected in other security controls in the catalog allocated in the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some degree of overlap in the requirements articulated by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled. Related controls: AC-3, AC-7, AC-18, AC-20, CA-9, CM-2, IA-2, IA-3, MP-2, MP-4, MP-5, PL-4, SC-7, SC-43, SI-3, SI-4. |
The organization:
a. Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and
b. Authorizes the connection of mobile devices to organizational information systems. |
| CCI-002326 |
The organization establishes connection requirements for organization-controlled mobile devices. |
The organization conducting the inspection/assessment obtains and examines the documented connection requirements to ensure the organization being inspected/assessed establishes connection requirements for organization controlled mobile devices. |
The organization being inspected/assessed establishes and documents connection requirements for organization controlled mobile devices. |
Access Control For Mobile Devices |
AC-19 |
AC-19.4 |
A mobile device is a computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, E-readers, and tablets. Mobile devices are typically associated with a single individual and the device is usually in close proximity to the individual; however, the degree of proximity can vary depending upon on the form factor and size of the device. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of desktop systems, depending upon the nature and intended purpose of the device. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different classes/types of such devices. Usage restrictions and specific implementation guidance for mobile devices include, for example, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the need to provide adequate security for mobile devices goes beyond the requirements in this control. Many safeguards and countermeasures for mobile devices are reflected in other security controls in the catalog allocated in the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some degree of overlap in the requirements articulated by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled. Related controls: AC-3, AC-7, AC-18, AC-20, CA-9, CM-2, IA-2, IA-3, MP-2, MP-4, MP-5, PL-4, SC-7, SC-43, SI-3, SI-4. |
The organization:
a. Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and
b. Authorizes the connection of mobile devices to organizational information systems. |
| CCI-002327 |
The organization defines the security policies which restrict the connection of classified mobile devices to classified information systems. |
The organization conducting the inspection/assessment obtains and examines the documented security policies to ensure the organization being inspected/assessed defines the security policies which restrict the connection of classified mobile devices to classified information systems.
DoD has determined the security policies are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security policies which restrict the connection of classified mobile devices to classified information systems.
DoD has determined the security policies are not appropriate to define at the Enterprise level. |
Access Control For Mobile Devices | Restrictions For Classified Information |
AC-19 (4) |
AC-19(4).8 |
Related controls: CA-6, IR-4. |
The organization:
(a) Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and
(b) Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information:
(1) Connection of unclassified mobile devices to classified information systems is prohibited;
(2) Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official;
(3) Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and
(4) Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed.
(c) Restricts the connection of classified mobile devices to classified information systems in accordance with [Assignment: organization-defined security policies]. |
| CCI-002328 |
The organization restricts the connection of classified mobile devices to classified information systems in accordance with organization-defined security policies. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed restricts the connection of classified mobile devices to classified information systems in accordance with the security policies defined in AC-19 (4), CCI 2327. |
The organization being inspected/assessed documents and implements a process to restrict the connection of classified mobile devices to classified information systems in accordance with the security policies defined in AC-19 (4), CCI 2327. |
Access Control For Mobile Devices | Restrictions For Classified Information |
AC-19 (4) |
AC-19(4).9 |
Related controls: CA-6, IR-4. |
The organization:
(a) Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and
(b) Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information:
(1) Connection of unclassified mobile devices to classified information systems is prohibited;
(2) Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official;
(3) Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and
(4) Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed.
(c) Restricts the connection of classified mobile devices to classified information systems in accordance with [Assignment: organization-defined security policies]. |
| CCI-002329 |
The organization defines the mobile devices that are to employ full-device or container encryption to protect the confidentiality and integrity of the information on the device. |
The organization conducting the inspection/assessment obtains and examines the documented mobile devices to ensure the organization being inspected/assessed defines the mobile devices that are to employ full-device or container encryption to protect the confidentiality and integrity of the information on device.
DoD has determined the mobile devices are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the mobile devices that are to employ full-device or container encryption to protect the confidentiality and integrity of the information on device.
DoD has determined the mobile devices are not appropriate to define at the Enterprise level. |
Access Control For Mobile Devices | Full Device/ Container-Based Encryption |
AC-19 (5) |
AC-19(5).2 |
Container-based encryption provides a more fine-grained approach to the encryption of data/information on mobile devices, including for example, encrypting selected data structures such as files, records, or fields. Related controls: MP-5, SC-13, SC-28. |
The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]. |
| CCI-002330 |
The organization employs full-device encryption or container encryption to protect the confidentiality of information on organization-defined mobile devices. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed employs full-device encryption or container encryption to protect the confidentiality of information on mobile devices defined in AC-19 (5), CCI 2329. |
The organization being inspected/assessed documents and implements a process for full-device encryption or container encryption to protect the confidentiality of information on mobile devices defined in AC-19 (5), CCI 2329.
|
Access Control For Mobile Devices | Full Device/ Container-Based Encryption |
AC-19 (5) |
AC-19(5).3 |
Container-based encryption provides a more fine-grained approach to the encryption of data/information on mobile devices, including for example, encrypting selected data structures such as files, records, or fields. Related controls: MP-5, SC-13, SC-28. |
The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]. |
| CCI-002331 |
The organization employs full-device encryption or container encryption to protect the integrity of information on organization-defined mobile devices. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs. |
The organization being inspected/assessed documents and implements a process to reassign or remove privileges, if necessary, to correctly reflect organizational mission/business needs. |
Least Privilege | Review Of User Privileges |
AC-6 (7) |
AC-6(7).4 |
The need for certain assigned user privileges may change over time reflecting changes in organizational missions/business function, environments of operation, technologies, or threat. Periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions. Related control: CA-7. |
The organization:
(a) Reviews [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and
(b) Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs. |
| CCI-002332 |
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to process, store, or transmit organization-controlled information using the external information systems. |
The organization conducting the inspection/assessment obtains and examines the documented terms and conditions to ensure the organization being inspected/assessed establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to process, store or transmit organization-controlled information using the external information systems. |
The organization being inspected/assessed establishes and documents the terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to process, store or transmit organization-controlled information using the external information systems. |
Use Of External Information Systems |
AC-20 |
AC-20.2 |
External information systems are information systems or components of information systems that are outside of the authorization boundary established by organizations and for which organizations typically have no direct supervision and authority over the application of required security controls or the assessment of control effectiveness. External information systems include, for example: (i) personally owned information systems/devices (e.g., notebook computers, smart phones, tablets, personal digital assistants); (ii) privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, train stations, convention centers, shopping malls, or airports); (iii) information systems owned or controlled by nonfederal governmental organizations; and (iv) federal information systems that are not owned by, operated by, or under the direct supervision and authority of organizations. This control also addresses the use of external information systems for the processing, storage, or transmission of organizational information, including, for example, accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational information systems.
For some external information systems (i.e., information systems operated by other federal agencies, including organizations subordinate to those agencies), the trust relationships that have been established between those organizations and the originating organization may be such, that no explicit terms and conditions are required. Information systems within these organizations would not be considered external. These situations occur when, for example, there are pre-existing sharing/trust agreements (either implicit or explicit) established between federal agencies or organizations subordinate to those agencies, or when such trust agreements are specified by applicable laws, Executive Orders, directives, or policies. Authorized individuals include, for example, organizational personnel, contractors, or other individuals with authorized access to organizational information systems and over which organizations have the authority to impose rules of behavior with regard to system access. Restrictions that organizations impose on authorized individuals need not be uniform, as those restrictions may vary depending upon the trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.
This control does not apply to the use of external information systems to access public interfaces to organizational information systems (e.g., individuals accessing federal information through www.usa.gov). Organizations establish terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: types of applications that can be accessed on organizational information systems from external information systems; and the highest security category of information that can be processed, stored, or transmitted on external information systems. If terms and conditions with the owners of external information systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems. Related controls: AC-3, AC-17, AC-19, CA-3, PL-4, SA-9. |
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
a. Access the information system from external information systems; and
b. Process, store, or transmit organization-controlled information using external information systems. |
| CCI-002333 |
The organization permits authorized individuals to use an external information system to access the information system only when the organization verifies the implementation of required security controls on the external system as specified in the organization^s information security policy and security plan. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed permits authorized individuals to use an external information system to access the information system only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan. |
The organization being inspected/assessed documents and implements a process to permit authorized individuals to use an external information system to access the information system only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan. |
Use Of External Information Systems | Limits On Authorized Use |
AC-20 (1) |
AC-20(1).1 |
This control enhancement recognizes that there are circumstances where individuals using external information systems (e.g., contractors, coalition partners) need to access organizational information systems. In those situations, organizations need confidence that the external information systems contain the necessary security safeguards (i.e., security controls), so as not to compromise, damage, or otherwise harm organizational information systems. Verification that the required security controls have been implemented can be achieved, for example, by third-party, independent assessments, attestations, or other means, depending on the confidence level required by organizations. Related control: CA-2. |
The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:
(a) Verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan; or
(b) Retains approved information system connection or processing agreements with the organizational entity hosting the external information system. |
| CCI-002334 |
The organization permits authorized individuals to use an external information system to process organization-controlled information only when the organization verifies the implementation of required security controls on the external system as specified in the organization^s information security policy and security plan. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed permits authorized individuals to use an external information system to process organization-controlled information only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan. |
The organization being inspected/assessed documents and implements a process to permit authorized individuals to use an external information system to process organization-controlled information only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan. |
Use Of External Information Systems | Limits On Authorized Use |
AC-20 (1) |
AC-20(1).2 |
This control enhancement recognizes that there are circumstances where individuals using external information systems (e.g., contractors, coalition partners) need to access organizational information systems. In those situations, organizations need confidence that the external information systems contain the necessary security safeguards (i.e., security controls), so as not to compromise, damage, or otherwise harm organizational information systems. Verification that the required security controls have been implemented can be achieved, for example, by third-party, independent assessments, attestations, or other means, depending on the confidence level required by organizations. Related control: CA-2. |
The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:
(a) Verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan; or
(b) Retains approved information system connection or processing agreements with the organizational entity hosting the external information system. |
| CCI-002335 |
The organization permits authorized individuals to use an external information system to store organization-controlled information only when the organization verifies the implementation of required security controls on the external system as specified in the organization^s information security policy and security plan. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed permits authorized individuals to use an external information system to store organization-controlled information only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan. |
The organization being inspected/assessed documents and implements a process to permit authorized individuals to use an external information system to store organization-controlled information only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan. |
Use Of External Information Systems | Limits On Authorized Use |
AC-20 (1) |
AC-20(1).3 |
This control enhancement recognizes that there are circumstances where individuals using external information systems (e.g., contractors, coalition partners) need to access organizational information systems. In those situations, organizations need confidence that the external information systems contain the necessary security safeguards (i.e., security controls), so as not to compromise, damage, or otherwise harm organizational information systems. Verification that the required security controls have been implemented can be achieved, for example, by third-party, independent assessments, attestations, or other means, depending on the confidence level required by organizations. Related control: CA-2. |
The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:
(a) Verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan; or
(b) Retains approved information system connection or processing agreements with the organizational entity hosting the external information system. |
| CCI-002336 |
The organization permits authorized individuals to use an external information system to transmit organization-controlled information only when the organization verifies the implementation of required security controls on the external system as specified in the organization^s information security policy and security plan. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed permits authorized individuals to use an external information system to transmit organization-controlled information only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan. |
The organization being inspected/assessed documents and implements a process to permit authorized individuals to use an external information system to transmit organization-controlled information only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan. |
Use Of External Information Systems | Limits On Authorized Use |
AC-20 (1) |
AC-20(1).4 |
This control enhancement recognizes that there are circumstances where individuals using external information systems (e.g., contractors, coalition partners) need to access organizational information systems. In those situations, organizations need confidence that the external information systems contain the necessary security safeguards (i.e., security controls), so as not to compromise, damage, or otherwise harm organizational information systems. Verification that the required security controls have been implemented can be achieved, for example, by third-party, independent assessments, attestations, or other means, depending on the confidence level required by organizations. Related control: CA-2. |
The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:
(a) Verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan; or
(b) Retains approved information system connection or processing agreements with the organizational entity hosting the external information system. |
| CCI-002337 |
The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization retains approved information system connection or processing agreements with the organizational entity hosting the external information system. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization retains approved information system connection or processing agreements with the organizational entity hosting the external information system. |
The organization being inspected/assessed documents and implements a process to permit authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization retains approved information system connection or processing agreements with the organizational entity hosting the external information system. |
Use Of External Information Systems | Limits On Authorized Use |
AC-20 (1) |
AC-20(1).5 |
This control enhancement recognizes that there are circumstances where individuals using external information systems (e.g., contractors, coalition partners) need to access organizational information systems. In those situations, organizations need confidence that the external information systems contain the necessary security safeguards (i.e., security controls), so as not to compromise, damage, or otherwise harm organizational information systems. Verification that the required security controls have been implemented can be achieved, for example, by third-party, independent assessments, attestations, or other means, depending on the confidence level required by organizations. Related control: CA-2. |
The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:
(a) Verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan; or
(b) Retains approved information system connection or processing agreements with the organizational entity hosting the external information system. |
| CCI-002338 |
The organization restricts or prohibits the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed restricts or prohibits the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information. |
The organization being inspected/assessed documents and implements a process to restrict or prohibit the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information. |
Use Of External Information Systems | Non-Organizationally Owned Systems / Components / Devices |
AC-20 (3) |
AC-20(3).1 |
Non-organizationally owned devices include devices owned by other organizations (e.g., federal/state agencies, contractors) and personally owned devices. There are risks to using non-organizationally owned devices. In some cases, the risk is sufficiently high as to prohibit such use. In other cases, it may be such that the use of non-organizationally owned devices is allowed but restricted in some way. Restrictions include, for example: (i) requiring the implementation of organization-approved security controls prior to authorizing such connections; (ii) limiting access to certain types of information, services, or applications; (iii) using virtualization techniques to limit processing and storage activities to servers or other system components provisioned by the organization; and (iv) agreeing to terms and conditions for usage. For personally owned devices, organizations consult with the Office of the General Counsel regarding legal issues associated with using such devices in operational environments, including, for example, requirements for conducting forensic analyses during investigations after an incident. |
The organization [Selection: restricts; prohibits] the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information. |
| CCI-002339 |
The organization defines the network accessible storage devices that are to be prohibited from being used in external information systems. |
The organization conducting the inspection/assessment obtains and examines the documented network accessible storage devices to ensure the organization being inspected/assessed defines the network accessible storage devices that are to be prohibited from being used in external information systems.
DoD has determined the network accessible storage devices are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the network accessible storage devices that are to be prohibited from being used in external information systems.
DoD has determined the network accessible storage devices are not appropriate to define at the Enterprise level. |
Use Of External Information Systems | Network Accessible Storage Devices |
AC-20 (4) |
AC-20(4).1 |
Network accessible storage devices in external information systems include, for example, online storage devices in public, hybrid, or community cloud-based systems. |
The organization prohibits the use of [Assignment: organization-defined network accessible storage devices] in external information systems. |
| CCI-002340 |
The organization prohibits the use of organization-defined network accessible storage devices in external information systems. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed prohibits the use of network accessible storage devices defined in AC-20 (4), CCI 2339 in external information systems. |
The organization being inspected/assessed documents and implements a process to prohibit the use of network accessible storage devices defined in AC-20 (4), CCI 2339 in external information systems. |
Use Of External Information Systems | Network Accessible Storage Devices |
AC-20 (4) |
AC-20(4).2 |
Network accessible storage devices in external information systems include, for example, online storage devices in public, hybrid, or community cloud-based systems. |
The organization prohibits the use of [Assignment: organization-defined network accessible storage devices] in external information systems. |
| CCI-002341 |
The organization defines the information sharing restrictions to be enforced by the information system for information search and retrieval services. |
The organization conducting the inspection/assessment obtains and examines the documented information sharing restrictions to ensure the organization being inspected/assessed defines the information sharing restrictions to be enforced by the information system for information search and retrieval services.
DoD has determined the information sharing restrictions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information sharing restrictions to be enforced by the information system for information search and retrieval services.
DoD has determined the information sharing restrictions are not appropriate to define at the Enterprise level. |
Information Sharing | Information Search And Retrieval |
AC-21 (2) |
AC-21(2).1 |
|
The information system implements information search and retrieval services that enforce [Assignment: organization-defined information sharing restrictions]. |
| CCI-002342 |
The information system implements information search and retrieval services that enforce organization-defined information sharing restrictions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement information search and retrieval services that enforce information sharing restrictions defined in AC-21 (2), CCI 2341.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2342. |
The organization being inspected/assessed configures the information system to configure the information system to implement information search and retrieval services that enforce information sharing restrictions defined in AC-21 (2), CCI 2341.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2342. |
Information Sharing | Information Search And Retrieval |
AC-21 (2) |
AC-21(2).2 |
|
The information system implements information search and retrieval services that enforce [Assignment: organization-defined information sharing restrictions]. |
| CCI-002343 |
The organization defines the data mining prevention techniques to be employed to adequately protect organization-defined data storage objects against data mining. |
The organization conducting the inspection/assessment obtains and examines the documented data mining prevention techniques to ensure the organization being inspected/assessed defines the data mining prevention techniques to be employed to adequately protect organization-defined data storage objects against data mining.
DoD has determined the data mining prevention techniques are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the data mining prevention techniques to be employed to adequately protect organization-defined data storage objects against data mining.
DoD has determined the data mining prevention techniques are not appropriate to define at the Enterprise level. |
Data Mining Protection |
AC-23 |
AC-23.1 |
Data storage objects include, for example, databases, database records, and database fields. Data mining prevention and detection techniques include, for example: (i) limiting the types of responses provided to database queries; (ii) limiting the number/frequency of database queries to increase the work factor needed to determine the contents of such databases; and (iii) notifying organizational personnel when atypical database queries or accesses occur. This control focuses on the protection of organizational information from data mining while such information resides in organizational data stores. In contrast, AU-13 focuses on monitoring for organizational information that may have been mined or otherwise obtained from data stores and is now available as open source information residing on external sites, for example, through social networking or social media websites. |
The organization employs [Assignment: organization-defined data mining prevention and detection techniques] for [Assignment: organization-defined data storage objects] to adequately detect and protect against data mining. |
| CCI-002344 |
The organization defines the data mining detection techniques to be employed to adequately detect data mining attempts against organization-defined data storage objects. |
The organization conducting the inspection/assessment obtains and examines the documented data mining detection techniques to ensure the organization being inspected/assessed defines the data mining detection techniques to be employed to adequately detect data mining attempts against organization-defined data storage objects.
DoD has determined the data mining detection techniques are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the data mining detection techniques to be employed to adequately detect data mining attempts against organization-defined data storage objects.
DoD has determined the data mining detection techniques are not appropriate to define at the Enterprise level. |
Data Mining Protection |
AC-23 |
AC-23.2 |
Data storage objects include, for example, databases, database records, and database fields. Data mining prevention and detection techniques include, for example: (i) limiting the types of responses provided to database queries; (ii) limiting the number/frequency of database queries to increase the work factor needed to determine the contents of such databases; and (iii) notifying organizational personnel when atypical database queries or accesses occur. This control focuses on the protection of organizational information from data mining while such information resides in organizational data stores. In contrast, AU-13 focuses on monitoring for organizational information that may have been mined or otherwise obtained from data stores and is now available as open source information residing on external sites, for example, through social networking or social media websites. |
The organization employs [Assignment: organization-defined data mining prevention and detection techniques] for [Assignment: organization-defined data storage objects] to adequately detect and protect against data mining. |
| CCI-002345 |
The organization defines the data storage objects that are to be protected against data mining attempts. |
The organization conducting the inspection/assessment obtains and examines the documented data storage objects to ensure the organization being inspected/assessed defines the data storage objects that are to be protected against data mining attempts.
DoD has determined the data storage objects are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the data storage objects that are to be protected against data mining attempts.
DoD has determined the data storage objects are not appropriate to define at the Enterprise level. |
Data Mining Protection |
AC-23 |
AC-23.3 |
Data storage objects include, for example, databases, database records, and database fields. Data mining prevention and detection techniques include, for example: (i) limiting the types of responses provided to database queries; (ii) limiting the number/frequency of database queries to increase the work factor needed to determine the contents of such databases; and (iii) notifying organizational personnel when atypical database queries or accesses occur. This control focuses on the protection of organizational information from data mining while such information resides in organizational data stores. In contrast, AU-13 focuses on monitoring for organizational information that may have been mined or otherwise obtained from data stores and is now available as open source information residing on external sites, for example, through social networking or social media websites. |
The organization employs [Assignment: organization-defined data mining prevention and detection techniques] for [Assignment: organization-defined data storage objects] to adequately detect and protect against data mining. |
| CCI-002346 |
The organization employs organization-defined data mining prevention techniques for organization-defined data storage objects to adequately protect against data mining. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to employ data mining prevention techniques defined in AC-23, CCI 2343 for data storage objects defined in AC-23, CCI 2345 to adequately detect data mining attempts.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2346. |
The organization being inspected/assessed configures the information system to employ data mining prevention techniques defined in AC-23, CCI 2343 for data storage objects defined in AC-23, CCI 2345 to adequately detect data mining attempts.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2346. |
Data Mining Protection |
AC-23 |
AC-23.4 |
Data storage objects include, for example, databases, database records, and database fields. Data mining prevention and detection techniques include, for example: (i) limiting the types of responses provided to database queries; (ii) limiting the number/frequency of database queries to increase the work factor needed to determine the contents of such databases; and (iii) notifying organizational personnel when atypical database queries or accesses occur. This control focuses on the protection of organizational information from data mining while such information resides in organizational data stores. In contrast, AU-13 focuses on monitoring for organizational information that may have been mined or otherwise obtained from data stores and is now available as open source information residing on external sites, for example, through social networking or social media websites. |
The organization employs [Assignment: organization-defined data mining prevention and detection techniques] for [Assignment: organization-defined data storage objects] to adequately detect and protect against data mining. |
| CCI-002347 |
The organization employs organization-defined data mining detection techniques for organization-defined data storage objects to adequately detect data mining attempts. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to employ data mining detection techniques defined in AC-23, CCI 2344 for data storage objects defined in AC-23, CCI 2345 to adequately detect data mining attempts.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2347. |
The organization being inspected/assessed configures the information system to employ data mining detection techniques defined in AC-23, CCI 2344 for data storage objects defined in AC-23, CCI 2345 to adequately detect data mining attempts.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2347. |
Data Mining Protection |
AC-23 |
AC-23.5 |
Data storage objects include, for example, databases, database records, and database fields. Data mining prevention and detection techniques include, for example: (i) limiting the types of responses provided to database queries; (ii) limiting the number/frequency of database queries to increase the work factor needed to determine the contents of such databases; and (iii) notifying organizational personnel when atypical database queries or accesses occur. This control focuses on the protection of organizational information from data mining while such information resides in organizational data stores. In contrast, AU-13 focuses on monitoring for organizational information that may have been mined or otherwise obtained from data stores and is now available as open source information residing on external sites, for example, through social networking or social media websites. |
The organization employs [Assignment: organization-defined data mining prevention and detection techniques] for [Assignment: organization-defined data storage objects] to adequately detect and protect against data mining. |
| CCI-002348 |
The organization defines the access control decisions that are to be applied to each access request prior to access enforcement. |
The organization conducting the inspection/assessment obtains and examines the documented access control decisions to ensure the organization being inspected/assessed defines the access control decisions that are to be applied to each access request prior to access enforcement.
DoD has determined the access control decisions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the access control decisions that are to be applied to each access request prior to access enforcement.
DoD has determined the access control decisions are not appropriate to define at the Enterprise level. |
Access Control Decisions |
AC-24 |
AC-24.1 |
Access control decisions (also known as authorization decisions) occur when authorization information is applied to specific accesses. In contrast, access enforcement occurs when information systems enforce access control decisions. While it is very common to have access control decisions and access enforcement implemented by the same entity, it is not required and it is not always an optimal implementation choice. For some architectures and distributed information systems, different entities may perform access control decisions and access enforcement. |
The organization establishes procedures to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement. |
| CCI-002349 |
The organization establishes procedures to ensure organization-defined access control decisions are applied to each access request prior to access enforcement. |
The organization conducting the inspection/assessment obtains and examines the documented procedures to ensure the organization being inspected/assessed establishes procedures to ensure access control decisions defined in AC-24, CCI 2348 are applied to each access request prior to access enforcement. |
The organization being inspected/assessed establishes and documents procedures to ensure access control decisions defined in AC-24, CCI 2348 are applied to each access request prior to access enforcement. |
Access Control Decisions |
AC-24 |
AC-24.2 |
Access control decisions (also known as authorization decisions) occur when authorization information is applied to specific accesses. In contrast, access enforcement occurs when information systems enforce access control decisions. While it is very common to have access control decisions and access enforcement implemented by the same entity, it is not required and it is not always an optimal implementation choice. For some architectures and distributed information systems, different entities may perform access control decisions and access enforcement. |
The organization establishes procedures to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement. |
| CCI-002350 |
The organization defines the access authorization information that is to be transmitted using organization-defined security safeguards to organization-defined information systems that enforce access control decisions. |
The organization conducting the inspection/assessment obtains and examines the documented access authorization information to ensure the organization being inspected/assessed defines the access authorization information that is to be transmitted using organization-defined security safeguards to organization-defined information systems that enforce access control decisions.
DoD has determined the access authorization information is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the access authorization information that is to be transmitted using organization-defined security safeguards to organization-defined information systems that enforce access control decisions.
DoD has determined the access authorization information is not appropriate to define at the Enterprise level. |
Access Control Decisions | Transmit Access Authorization Information |
AC-24 (1) |
AC-24(1).1 |
In distributed information systems, authorization processes and access control decisions may occur in separate parts of the systems. In such instances, authorization information is transmitted securely so timely access control decisions can be enforced at the appropriate locations. To support the access control decisions, it may be necessary to transmit as part of the access authorization information, supporting security attributes. This is due to the fact that in distributed information systems, there are various access control decisions that need to be made and different entities (e.g., services) make these decisions in a serial fashion, each requiring some security attributes to make the decisions. Protecting access authorization information (i.e., access control decisions) ensures that such information cannot be altered, spoofed, or otherwise compromised during transmission. |
The information system transmits [Assignment: organization-defined access authorization information] using [Assignment: organization-defined security safeguards] to [Assignment: organization-defined information systems] that enforce access control decisions. |
| CCI-002351 |
The organization defines the security safeguards to be employed when transmitting organization-defined access authorization information to organization-defined information systems that enforce access control decisions. |
The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure the organization being inspected/assessed defines the security safeguards to be employed when transmitting organization-defined access authorization information to organization-defined information systems that enforce access control decisions.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security safeguards to be employed when transmitting organization-defined access authorization information to organization-defined information systems that enforce access control decisions.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
Access Control Decisions | Transmit Access Authorization Information |
AC-24 (1) |
AC-24(1).2 |
In distributed information systems, authorization processes and access control decisions may occur in separate parts of the systems. In such instances, authorization information is transmitted securely so timely access control decisions can be enforced at the appropriate locations. To support the access control decisions, it may be necessary to transmit as part of the access authorization information, supporting security attributes. This is due to the fact that in distributed information systems, there are various access control decisions that need to be made and different entities (e.g., services) make these decisions in a serial fashion, each requiring some security attributes to make the decisions. Protecting access authorization information (i.e., access control decisions) ensures that such information cannot be altered, spoofed, or otherwise compromised during transmission. |
The information system transmits [Assignment: organization-defined access authorization information] using [Assignment: organization-defined security safeguards] to [Assignment: organization-defined information systems] that enforce access control decisions. |
| CCI-002352 |
The organization defines the information systems that are to be recipients of organization-defined access authorization information using organization-defined security safeguards. |
The organization conducting the inspection/assessment obtains and examines the documented information systems to ensure the organization being inspected/assessed defines the information systems that are to be recipients of organization-defined access authorization information using organization-defined security safeguards.
DoD has determined the information systems are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information systems that are to be recipients of organization-defined access authorization information using organization-defined security safeguards.
DoD has determined the information systems are not appropriate to define at the Enterprise level. |
Access Control Decisions | Transmit Access Authorization Information |
AC-24 (1) |
AC-24(1).3 |
In distributed information systems, authorization processes and access control decisions may occur in separate parts of the systems. In such instances, authorization information is transmitted securely so timely access control decisions can be enforced at the appropriate locations. To support the access control decisions, it may be necessary to transmit as part of the access authorization information, supporting security attributes. This is due to the fact that in distributed information systems, there are various access control decisions that need to be made and different entities (e.g., services) make these decisions in a serial fashion, each requiring some security attributes to make the decisions. Protecting access authorization information (i.e., access control decisions) ensures that such information cannot be altered, spoofed, or otherwise compromised during transmission. |
The information system transmits [Assignment: organization-defined access authorization information] using [Assignment: organization-defined security safeguards] to [Assignment: organization-defined information systems] that enforce access control decisions. |
| CCI-002353 |
The information system transmits organization-defined access authorization information using organization-defined security safeguards to organization-defined information systems which enforce access control decisions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to transmit access authorization information defined in AC-24 (1), CCI 2350 using security safeguards defined in AC-24 (1), CCI 2351 to information systems defined in AC-24 (1), CCI 2352 which enforce access control decisions.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2353. |
The organization being inspected/assessed configures the information system to transmit access authorization information defined in AC-24 (1), CCI 2350 using security safeguards defined in AC-24 (1), CCI 2351 to information systems defined in AC-24 (1), CCI 2352 which enforce access control decisions.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2353. |
Access Control Decisions | Transmit Access Authorization Information |
AC-24 (1) |
AC-24(1).4 |
In distributed information systems, authorization processes and access control decisions may occur in separate parts of the systems. In such instances, authorization information is transmitted securely so timely access control decisions can be enforced at the appropriate locations. To support the access control decisions, it may be necessary to transmit as part of the access authorization information, supporting security attributes. This is due to the fact that in distributed information systems, there are various access control decisions that need to be made and different entities (e.g., services) make these decisions in a serial fashion, each requiring some security attributes to make the decisions. Protecting access authorization information (i.e., access control decisions) ensures that such information cannot be altered, spoofed, or otherwise compromised during transmission. |
The information system transmits [Assignment: organization-defined access authorization information] using [Assignment: organization-defined security safeguards] to [Assignment: organization-defined information systems] that enforce access control decisions. |
| CCI-002354 |
The organization defines the security attributes, not to include the identity of the user or process acting on behalf of the user, to be used as the basis for enforcing access control decisions. |
The organization conducting the inspection/assessment obtains and examines the documented security attributes to ensure the organization being inspected/assessed defines the security attributes, not to include the identity of the user or process acting on behalf of the user, to be used as the basis for enforcing access control decisions.
DoD has determined the security attributes are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security attributes, not to include the identity of the user or process acting on behalf of the user, to be used as the basis for enforcing access control decisions.
DoD has determined the security attributes are not appropriate to define at the Enterprise level. |
Access Control Decisions | No User Or Process Identity |
AC-24 (2) |
AC-24(2).1 |
In certain situations, it is important that access control decisions can be made without information regarding the identity of the users issuing the requests. These are generally instances where preserving individual privacy is of paramount importance. In other situations, user identification information is simply not needed for access control decisions and, especially in the case of distributed information systems, transmitting such information with the needed degree of assurance may be very expensive or difficult to accomplish. |
The information system enforces access control decisions based on [Assignment: organization-defined security attributes] that do not include the identity of the user or process acting on behalf of the user. |
| CCI-002355 |
The information system enforces access control decisions based on organization-defined security attributes that do not include the identity of the user or process acting on behalf of the user. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce access control decisions based on security attributes defined in AC-24 (2), CCI 2354 that do not include the identity of the user or process acting on behalf of the user.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2355. |
The organization being inspected/assessed configures the information system to enforce access control decisions based on security attributes defined in AC-24 (2), CCI 2354 that do not include the identity of the user or process acting on behalf of the user.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2355. |
Access Control Decisions | No User Or Process Identity |
AC-24 (2) |
AC-24(2).2 |
In certain situations, it is important that access control decisions can be made without information regarding the identity of the users issuing the requests. These are generally instances where preserving individual privacy is of paramount importance. In other situations, user identification information is simply not needed for access control decisions and, especially in the case of distributed information systems, transmitting such information with the needed degree of assurance may be very expensive or difficult to accomplish. |
The information system enforces access control decisions based on [Assignment: organization-defined security attributes] that do not include the identity of the user or process acting on behalf of the user. |
| CCI-002356 |
The organization defines the access control policies to be implemented by the information system^s reference monitor. |
The organization conducting the inspection/assessment obtains and examines the documented access control policies to ensure the organization being inspected/assessed defines the access control policies to be implemented by the information system's reference monitor.
DoD has determined the access control policies are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the access control policies to be implemented by the information system's reference monitor.
DoD has determined the access control policies are not appropriate to define at the Enterprise level. |
Reference Monitor |
AC-25 |
AC-25.1 |
Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Reference monitors typically enforce mandatory access control policies—a type of access control that restricts access to objects based on the identity of subjects or groups to which the subjects belong. The access controls are mandatory because subjects with certain privileges (i.e., access permissions) are restricted from passing those privileges on to any other subjects, either directly or indirectly—that is, the information system strictly enforces the access control policy based on the rule set established by the policy. The tamperproof property of the reference monitor prevents adversaries from compromising the functioning of the mechanism. The always invoked property prevents adversaries from bypassing the mechanism and hence violating the security policy. The smallness property helps to ensure the completeness in the analysis and testing of the mechanism to detect weaknesses or deficiencies (i.e., latent flaws) that would prevent the enforcement of the security policy. Related controls: AC-3, AC-16, SC-3, SC-39. |
The information system implements a reference monitor for [Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured. |
| CCI-002357 |
The information system implements a reference monitor for organization-defined access control policies that is tamperproof. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement a reference monitor for access control policies defined in AC-25, CCI 2356 that is tamperproof.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2357. |
The organization being inspected/assessed configures the information system to implement a reference monitor for access control policies defined in AC-25, CCI 2356 that is tamperproof.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2357. |
Reference Monitor |
AC-25 |
AC-25.2 |
Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Reference monitors typically enforce mandatory access control policies—a type of access control that restricts access to objects based on the identity of subjects or groups to which the subjects belong. The access controls are mandatory because subjects with certain privileges (i.e., access permissions) are restricted from passing those privileges on to any other subjects, either directly or indirectly—that is, the information system strictly enforces the access control policy based on the rule set established by the policy. The tamperproof property of the reference monitor prevents adversaries from compromising the functioning of the mechanism. The always invoked property prevents adversaries from bypassing the mechanism and hence violating the security policy. The smallness property helps to ensure the completeness in the analysis and testing of the mechanism to detect weaknesses or deficiencies (i.e., latent flaws) that would prevent the enforcement of the security policy. Related controls: AC-3, AC-16, SC-3, SC-39. |
The information system implements a reference monitor for [Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured. |
| CCI-002358 |
The information system implements a reference monitor for organization-defined access control policies that is always invoked. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement a reference monitor for access control policies defined in AC-25, CCI 2356 that is always invoked.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2358. |
The organization being inspected/assessed configures the information system to implement a reference monitor for access control policies defined in AC-25, CCI 2356 that is always invoked.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2358. |
Reference Monitor |
AC-25 |
AC-25.3 |
Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Reference monitors typically enforce mandatory access control policies—a type of access control that restricts access to objects based on the identity of subjects or groups to which the subjects belong. The access controls are mandatory because subjects with certain privileges (i.e., access permissions) are restricted from passing those privileges on to any other subjects, either directly or indirectly—that is, the information system strictly enforces the access control policy based on the rule set established by the policy. The tamperproof property of the reference monitor prevents adversaries from compromising the functioning of the mechanism. The always invoked property prevents adversaries from bypassing the mechanism and hence violating the security policy. The smallness property helps to ensure the completeness in the analysis and testing of the mechanism to detect weaknesses or deficiencies (i.e., latent flaws) that would prevent the enforcement of the security policy. Related controls: AC-3, AC-16, SC-3, SC-39. |
The information system implements a reference monitor for [Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured. |
| CCI-002359 |
The information system implements a reference monitor for organization-defined access control policies that is small enough to be subject to analysis and testing, the completeness of which can be assured. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement a reference monitor for access control policies defined in AC-25, CCI 2356 that is small enough to be subject to analysis and testing, the completeness of which can be assured.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2359. |
The organization being inspected/assessed configures the information system to implement a reference monitor for access control policies defined in AC-25, CCI 2356 that is small enough to be subject to analysis and testing, the completeness of which can be assured.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2359. |
Reference Monitor |
AC-25 |
AC-25.4 |
Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Reference monitors typically enforce mandatory access control policies—a type of access control that restricts access to objects based on the identity of subjects or groups to which the subjects belong. The access controls are mandatory because subjects with certain privileges (i.e., access permissions) are restricted from passing those privileges on to any other subjects, either directly or indirectly—that is, the information system strictly enforces the access control policy based on the rule set established by the policy. The tamperproof property of the reference monitor prevents adversaries from compromising the functioning of the mechanism. The always invoked property prevents adversaries from bypassing the mechanism and hence violating the security policy. The smallness property helps to ensure the completeness in the analysis and testing of the mechanism to detect weaknesses or deficiencies (i.e., latent flaws) that would prevent the enforcement of the security policy. Related controls: AC-3, AC-16, SC-3, SC-39. |
The information system implements a reference monitor for [Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured. |
| CCI-002048 |
The organization defines the personnel or roles to whom the security awareness and training policy is disseminated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the roles as organizational personnel with security awareness and training responsibilities. |
DoD has defined the roles as organizational personnel with security awareness and training responsibilities.
DoD disseminates DoDD 8570.01 organization-wide via the DoD Issuances website.
http://www.dtic.mil/whs/directives/corres/dir.html |
Security Awareness And Training Policy And Procedures |
AT-1 |
AT-1.1 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
b. Reviews and updates the current:
1. Security awareness and training policy [Assignment: organization-defined frequency]; and
2. Security awareness and training procedures [Assignment: organization-defined frequency]. |
| CCI-002049 |
The organization defines the personnel or roles to whom the security awareness and training procedures are disseminated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the roles as organizational personnel with security awareness and training responsibilities. |
DoD has defined the roles as organizational personnel with security awareness and training responsibilities. |
Security Awareness And Training Policy And Procedures |
AT-1 |
AT-1.2 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
b. Reviews and updates the current:
1. Security awareness and training policy [Assignment: organization-defined frequency]; and
2. Security awareness and training procedures [Assignment: organization-defined frequency]. |
| CCI-002055 |
The organization includes security awareness training on recognizing and reporting potential indicators of insider threat. |
The IA Awareness CBT, "Cyber Awareness Challenge," and Virtual Training Environment (VTE) Courses: "Introduction to Insider Threat" and "Monitoring for Insider Threat" available on the IASE website meet the DoD requirement to include security awareness training on recognizing and reporting potential indicators of insider threat.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level training available on the IASE website. |
The IA Awareness CBT, "Cyber Awareness Challenge," and Virtual Training Environment (VTE) Courses: "Introduction to Insider Threat" and "Monitoring for Insider Threat" available on the IASE website meet the DoD requirement to include security awareness training on recognizing and reporting potential indicators of insider threat.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level training available on the IASE website. |
Security Awareness | Insider Threat |
AT-2 (2) |
AT-2(2).1 |
Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction, attempts to gain access to information not required for job performance, unexplained access to financial resources, bullying or sexual harassment of fellow employees, workplace violence, and other serious violations of organizational policies, procedures, directives, rules, or practices. Security awareness training includes how to communicate employee and management concerns regarding potential indicators of insider threat through appropriate organizational channels in accordance with established organizational policies and procedures. Related controls: PL-4, PM-12, PS-3, PS-6. |
The organization includes security awareness training on recognizing and reporting potential indicators of insider threat. |
| CCI-002050 |
The organization defines the personnel or roles to whom initial and refresher training in the employment and operation of environmental controls is to be provided. |
The organization conducting the inspection/assessment obtains and examines the documented personnel or roles to ensure the organization being inspected/assessed defines the personnel or roles to whom initial and refresher training in the employment and operation of environmental controls is to be provided.
DoD has determined the personnel or roles are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the personnel or roles to whom initial and refresher training in the employment and operation of environmental controls is to be provided.
DoD has determined the personnel or roles are not appropriate to define at the Enterprise level. |
Security Training | Environmental Controls |
AT-3 (1) |
AT-3(1).4 |
Environmental controls include, for example, fire suppression and detection devices/systems, sprinkler systems, handheld fire extinguishers, fixed fire hoses, smoke detectors, temperature/humidity, HVAC, and power within the facility. Organizations identify personnel with specific roles and responsibilities associated with environmental controls requiring specialized training. Related controls: PE-1, PE-13, PE-14, PE-15. |
The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls. |
| CCI-002051 |
The organization defines the personnel or roles to whom initial and refresher training in the employment and operation of physical security controls is to be provided. |
The organization conducting the inspection/assessment obtains and examines the documented personnel or roles to ensure the organization being inspected/assessed defines the personnel or roles to whom initial and refresher training in the employment and operation of physical security controls is to be provided.
DoD has determined the personnel or roles are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the personnel or roles to whom initial and refresher training in the employment and operation of physical security controls is to be provided.
DoD has determined the personnel or roles are not appropriate to define at the Enterprise level. |
Security Training | Physical Security Controls |
AT-3 (2) |
AT-3(2).4 |
Physical security controls include, for example, physical access control devices, physical intrusion alarms, monitoring/surveillance equipment, and security guards (deployment and operating procedures). Organizations identify personnel with specific roles and responsibilities associated with physical security controls requiring specialized training. Related controls: PE-2, PE-3, PE-4, PE-5. |
The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls. |
| CCI-002052 |
The organization includes practical exercises in security training that reinforce training objectives. |
The organization conducting the inspection/assessment obtains and examines the security training materials to ensure the organization being inspected/assessed includes practical exercises in security training that reinforce training objectives. |
The organization being inspected/assessed includes practical exercises in security training that reinforce training objectives. |
Security Training | Practical Exercises |
AT-3 (3) |
AT-3(3).1 |
Practical exercises may include, for example, security training for software developers that includes simulated cyber attacks exploiting common software vulnerabilities (e.g., buffer overflows), or spear/whale phishing attacks targeted at senior leaders/executives. These types of practical exercises help developers better understand the effects of such vulnerabilities and appreciate the need for security coding standards and processes. |
The organization includes practical exercises in security training that reinforce training objectives. |
| CCI-002053 |
The organization provides training to its personnel on organization-defined indicators of malicious code to recognize suspicious communications and anomalous behavior in organizational information systems. |
The organization conducting the inspection/assessment obtains and examines the training materials and indicators of malicious code defined in AT-3 (4), CCI 2054 to ensure the organization being inspected/assessed provides users with the means to recognize suspicious communications and anomalous behavior in organizational information systems. |
The organization being inspected/assessed provides training to its personnel on indicators of malicious code defined in AT-3 (4), CCI 2054 to recognize suspicious communications and anomalous behavior in organizational information systems. |
Security Training | Suspicious Communications And Anomalous System Behavior |
AT-3 (4) |
AT-3(4).1 |
A well-trained workforce provides another organizational safeguard that can be employed as part of a defense-in-depth strategy to protect organizations against malicious code coming in to organizations via email or the web applications. Personnel are trained to look for indications of potentially suspicious email (e.g., receiving an unexpected email, receiving an email containing strange or poor grammar, or receiving an email from an unfamiliar sender but who appears to be from a known sponsor or contractor). Personnel are also trained on how to respond to such suspicious email or web communications (e.g., not opening attachments, not clicking on embedded web links, and checking the source of email addresses). For this process to work effectively, all organizational personnel are trained and made aware of what constitutes suspicious communications. Training personnel on how to recognize anomalous behaviors in organizational information systems can potentially provide early warning for the presence of malicious code. Recognition of such anomalous behavior by organizational personnel can supplement automated malicious code detection and protection tools and systems employed by organizations. |
The organization provides training to its personnel on [Assignment: organization-defined indicators of malicious code] to recognize suspicious communications and anomalous behavior in organizational information systems. |
| CCI-002054 |
The organization defines indicators of malicious code to recognize suspicious communications and anomalous behavior in organizational information systems. |
The organization conducting the inspection/assessment obtains and examines the documented indicators to ensure the organization being inspected/assessed defines indicators of malicious code to recognize suspicious communications and anomalous behavior in organizational information systems.
DoD has determined the indicators are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents indicators of malicious code to recognize suspicious communications and anomalous behavior in organizational information systems.
DoD has determined the indicators are not appropriate to define at the Enterprise level. |
Security Training | Suspicious Communications And Anomalous System Behavior |
AT-3 (4) |
AT-3(4).2 |
A well-trained workforce provides another organizational safeguard that can be employed as part of a defense-in-depth strategy to protect organizations against malicious code coming in to organizations via email or the web applications. Personnel are trained to look for indications of potentially suspicious email (e.g., receiving an unexpected email, receiving an email containing strange or poor grammar, or receiving an email from an unfamiliar sender but who appears to be from a known sponsor or contractor). Personnel are also trained on how to respond to such suspicious email or web communications (e.g., not opening attachments, not clicking on embedded web links, and checking the source of email addresses). For this process to work effectively, all organizational personnel are trained and made aware of what constitutes suspicious communications. Training personnel on how to recognize anomalous behaviors in organizational information systems can potentially provide early warning for the presence of malicious code. Recognition of such anomalous behavior by organizational personnel can supplement automated malicious code detection and protection tools and systems employed by organizations. |
The organization provides training to its personnel on [Assignment: organization-defined indicators of malicious code] to recognize suspicious communications and anomalous behavior in organizational information systems. |
| CCI-001831 |
The organization documents an audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
|
|
|
|
|
|
|
| CCI-001832 |
The organization disseminates the audit and accountability policy to organization-defined personnel or roles. |
The organization conducting the inspection/assessment obtains and examines the audit and accountability procedures via the inspected organization's information sharing capability (e.g. portal, intranet, email, etc.) to ensure it has been disseminated. |
The organization being inspected/assessed disseminates, via an information sharing capibility, to the ISSO and ISSM and others as the local organization deems appropriate an audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
DoD has defined the personnel or roles as the ISSO and ISSM and others as the local organization deems appropriate.
|
Audit And Accountability Policy And Procedures |
AU-1 |
AU-1.4 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
b. Reviews and updates the current:
1. Audit and accountability policy [Assignment: organization-defined frequency]; and
2. Audit and accountability procedures [Assignment: organization-defined frequency]. |
| CCI-001833 |
The organization documents procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls. |
|
|
|
|
|
|
|
| CCI-001834 |
The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls. |
The organization conducting the inspection/assessment obtains and examines the audit and accountability procedures via the inspected organization's information sharing capability (e.g. portal, intranet, email, etc.) to ensure it has been disseminated. |
The organization being inspected/assessed disseminates, via an information sharing capibility, to the ISSO and ISSM and others as the local organization deems appropriate audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.
DoD has defined the personnel or roles as the ISSO and ISSM and others as the local organization deems appropriate.
|
Audit And Accountability Policy And Procedures |
AU-1 |
AU-1.6 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
b. Reviews and updates the current:
1. Audit and accountability policy [Assignment: organization-defined frequency]; and
2. Audit and accountability procedures [Assignment: organization-defined frequency]. |
| CCI-001835 |
The organization defines the frequency on which it will review the audit and accountability policy. |
|
|
|
|
|
|
|
| CCI-001836 |
The organization defines the frequency on which it will update the audit and accountability policy. |
|
|
|
|
|
|
|
| CCI-001837 |
The organization reviews the audit and accountability policy on an organization-defined frequency. |
|
|
|
|
|
|
|
| CCI-001838 |
The organization updates the audit and accountability policy on an organization-defined frequency. |
|
|
|
|
|
|
|
| CCI-001839 |
The organization defines the frequency on which it will review the audit and accountability procedures. |
|
|
|
|
|
|
|
| CCI-001840 |
The organization defines the frequency on which it will update the audit and accountability procedures. |
|
|
|
|
|
|
|
| CCI-001841 |
The organization reviews the audit and accountability procedures on an organization-defined frequency. |
|
|
|
|
|
|
|
| CCI-001842 |
The organization updates the audit and accountability procedures on an organization-defined frequency. |
|
|
|
|
|
|
|
| CCI-001930 |
The organization defines the organizational personnel or roles to whom the audit and accountability policy is to be disseminated. |
The organization conducting the inspection/assessment obtains and examines the documented list of personnel or roles to whom the audit and accountability policy is to be disseminated to ensure the organization being inspected/assessed has either defined additional personnel or roles, or identified that there are no additional personnel or roles.
DoD has defined the personnel or roles as the ISSO and ISSM and others as the local organization deems appropriate. |
The organization being inspected/assessed defines and documents any personnel or roles, in addition to the ISSO or ISSM, to whom the audit and accountability policy is to be disseminated. If there are no additional personnel or roles, the organization must also document that.
DoD has defined the personnel or roles as the ISSO and ISSM and others as the local organization deems appropriate. |
Audit And Accountability Policy And Procedures |
AU-1 |
AU-1.1 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
b. Reviews and updates the current:
1. Audit and accountability policy [Assignment: organization-defined frequency]; and
2. Audit and accountability procedures [Assignment: organization-defined frequency]. |
| CCI-001931 |
The organization defines the organizational personnel or roles to whom the audit and accountability procedures are to be disseminated. |
The organization conducting the inspection/assessment obtains and examines the documented list of personnel or roles to whom the audit and accountability procedures are to be disseminated to ensure the organization being inspected/assessed has either defined additional personnel or roles, or identified that there are no additional personnel or roles.
DoD has defined the personnel or roles as the ISSO and ISSM and others as the local organization deems appropriate. |
The organization being inspected/assessed defines and documents any personnel or roles, in addition to the ISSO or ISSM, to whom the audit and accountability procedures are to be disseminated. If there are no additional personnel or roles, the organization must also document that.
DoD has defined the personnel or roles as the ISSO and ISSM and others as the local organization deems appropriate. |
Audit And Accountability Policy And Procedures |
AU-1 |
AU-1.2 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
b. Reviews and updates the current:
1. Audit and accountability policy [Assignment: organization-defined frequency]; and
2. Audit and accountability procedures [Assignment: organization-defined frequency]. |
| CCI-001843 |
The organization defines a frequency for updating the list of organization-defined auditable events. |
|
|
|
|
|
|
|
| CCI-001844 |
The information system provides centralized management and configuration of the content to be captured in audit records generated by organization-defined information system components. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to provide centralized management and configuration of the content to be captured in audit records generated by all information system and network components.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1844.
DoD has defined the information system components as all information system and network components. |
The organization being inspected/assessed configures the information system to provide centralized management and configuration of the content to be captured in audit records generated by all information system and network components.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1844.
DoD has defined the information system components as all information system and network components. |
Content Of Audit Records | Centralized Management Of Planned Audit Record Content |
AU-3 (2) |
AU-3(2).1 |
This control enhancement requires that the content to be captured in audit records be configured from a central location (necessitating automation). Organizations coordinate the selection of required audit content to support the centralized management and configuration capability provided by the information system. Related controls: AU-6, AU-7. |
The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components]. |
| CCI-001845 |
The information system provides centralized configuration of the content to be captured in audit records generated by organization-defined information system components. |
|
|
|
|
|
|
|
| CCI-001846 |
The organization defines information system components that will generate the audit records which are to be captured for centralized management of the content. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the information system components as all information system and network components. |
DoD has defined the information system components as all information system and network components. |
Content Of Audit Records | Centralized Management Of Planned Audit Record Content |
AU-3 (2) |
AU-3(2).2 |
This control enhancement requires that the content to be captured in audit records be configured from a central location (necessitating automation). Organizations coordinate the selection of required audit content to support the centralized management and configuration capability provided by the information system. Related controls: AU-6, AU-7. |
The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components]. |
| CCI-001847 |
The organization defines information system components that will generate the audit records which are to be captured for centralized configuration of the content. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the information system components as all information system and network components. |
DoD has defined the information system components as all information system and network components. |
Content Of Audit Records | Centralized Management Of Planned Audit Record Content |
AU-3 (2) |
AU-3(2).3 |
This control enhancement requires that the content to be captured in audit records be configured from a central location (necessitating automation). Organizations coordinate the selection of required audit content to support the centralized management and configuration capability provided by the information system. Related controls: AU-6, AU-7. |
The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components]. |
| CCI-001848 |
The organization defines the audit record storage requirements. |
The organization conducting the inspection/assessment obtains and examines the documented audit record storage requirements to ensure the organization being inspected/assessed has defined those requirements.
DoD has determined the audit record storage requirements are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the required audit record storage capacity.
DoD has determined the audit record storage requirements are not appropriate to define at the Enterprise level. |
Audit Storage Capacity |
AU-4 |
AU-4.1 |
Organizations consider the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity. Allocating sufficient audit storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of auditing capability. Related controls: AU-2, AU-5, AU-6, AU-7, AU-11, SI-4. |
The organization allocates audit record storage capacity in accordance with [Assignment: organization-defined audit record storage requirements]. |
| CCI-001849 |
The organization allocates audit record storage capacity in accordance with organization-defined audit record storage requirements. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to allocate audit record storage capacity as defined in AU-4, CCI 1848.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1849. |
The organization being inspected/assessed allocates, and configures the information system to allocate audit record storage capacity as defined in AU-4, CCI 1848.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1849. |
Audit Storage Capacity |
AU-4 |
AU-4.2 |
Organizations consider the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity. Allocating sufficient audit storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of auditing capability. Related controls: AU-2, AU-5, AU-6, AU-7, AU-11, SI-4. |
The organization allocates audit record storage capacity in accordance with [Assignment: organization-defined audit record storage requirements]. |
| CCI-001850 |
The organization defines the frequency on which the information system off-loads audit records onto a different system or media than the system being audited. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as at a minimum, real-time for interconnected systems and weekly for stand-alone systems. |
DoD has defined the frequency as at a minimum, real-time for interconnected systems and weekly for stand-alone systems. |
Audit Storage Capacity | Transfer To Alternate Storage |
AU-4 (1) |
AU-4(1).1 |
Off-loading is a process designed to preserve the confidentiality and integrity of audit records by moving the records from the primary information system to a secondary or alternate system. It is a common process in information systems with limited audit storage capacity; the audit storage is used only in a transitory fashion until the system can communicate with the secondary or alternate system designated for storing the audit records, at which point the information is transferred. |
The information system off-loads audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited. |
| CCI-001851 |
The information system off-loads audit records per organization-defined frequency onto a different system or media than the system being audited. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to off-load audit records at a minimum, in real-time for interconnected systems and weekly for stand-alone systems onto a different system or media than the system being audited.
DoD has defined the frequency as at a minimum, real-time for interconnected systems and weekly for stand-alone systems.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1851. |
The organization being inspected/assessed configures the information system to off-load audit records at a minimum, in real-time for interconnected systems and weekly for stand-alone systems onto a different system or media than the system being audited.
DoD has defined the frequency as at a minimum, real-time for interconnected systems and weekly for stand-alone systems.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1851. |
Audit Storage Capacity | Transfer To Alternate Storage |
AU-4 (1) |
AU-4(1).2 |
Off-loading is a process designed to preserve the confidentiality and integrity of audit records by moving the records from the primary information system to a secondary or alternate system. It is a common process in information systems with limited audit storage capacity; the audit storage is used only in a transitory fashion until the system can communicate with the secondary or alternate system designated for storing the audit records, at which point the information is transferred. |
The information system off-loads audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited. |
| CCI-001852 |
The organization defines the personnel, roles and/or locations to receive a warning when allocated audit record storage volume reaches a defined percentage of maximum audit records storage capacity. |
The organization conducting the inspection/assessment obtains and examines the documented list of personnel or roles who should receive a warning when allocated audit record storage volume reaches a defined percentage of maximum audit records storage capacity to ensure the organization being inspected/assessed has either defined additional personnel or roles, or identified that there are no additional personnel or roles beyond the ISSO/PMO and ISSM.
DoD has defined the personnel or roles as at a minimum, the ISSO/PMO and ISSM. |
The organization being inspected/assessed defines and documents any personnel or roles, in addition to the ISSO/PMO and ISSM, who shall receive a warning when allocated audit record storage volume reaches a defined percentage of maximum audit records storage capacity. If there are no additional personnel or roles, the organization must also document that.
DoD has defined the personnel or roles as at a minimum, the ISSO/PMO and ISSM. |
Response To Audit Processing Failures | Audit Storage Capacity |
AU-5 (1) |
AU-5(1).1 |
Organizations may have multiple audit data storage repositories distributed across multiple information system components, with each repository having different storage volume capacities. |
The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit record storage volume reaches [Assignment: organi zation-defined percentage] of repository maximum audit record storage capacity. |
| CCI-001853 |
The organization defines the time period within which organization-defined personnel, roles, and/or locations are to receive warnings when allocated audit record storage volume reaches an organization-defined percentage of maximum audit records storage capacity. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as immediate. |
DoD has defined the time period as immediate. |
Response To Audit Processing Failures | Audit Storage Capacity |
AU-5 (1) |
AU-5(1).2 |
Organizations may have multiple audit data storage repositories distributed across multiple information system components, with each repository having different storage volume capacities. |
The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit record storage volume reaches [Assignment: organi zation-defined percentage] of repository maximum audit record storage capacity. |
| CCI-001854 |
The organization defines the percentage of maximum audit record storage capacity that is to be reached, at which time the information system will provide a warning to organization-defined personnel, roles, and/or locations. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the percentage as 75 percent. |
DoD has defined the percentage as 75 percent. |
Response To Audit Processing Failures | Audit Storage Capacity |
AU-5 (1) |
AU-5(1).3 |
Organizations may have multiple audit data storage repositories distributed across multiple information system components, with each repository having different storage volume capacities. |
The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit record storage volume reaches [Assignment: organi zation-defined percentage] of repository maximum audit record storage capacity. |
| CCI-001855 |
The information system provides a warning to organization-defined personnel, roles, and/or locations within an organization-defined time period when allocated audit record storage volume reaches an organization-defined percentage of repository maximum audit record storage capacity. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to immediately provide a warning to personnel, roles, and/or locations defined in AU-5 (1), CCI 1852 when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity.
DoD has defined the time period as immediate.
DoD has defined the percentage as 75 percent.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1855. |
The organization being inspected/assessed configures the information system to immediately provide a warning to personnel, roles, and/or locations defined in AU-5 (1), CCI 1852 when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity.
DoD has defined the time period as immediate.
DoD has defined the percentage as 75 percent.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1855. |
Response To Audit Processing Failures | Audit Storage Capacity |
AU-5 (1) |
AU-5(1).4 |
Organizations may have multiple audit data storage repositories distributed across multiple information system components, with each repository having different storage volume capacities. |
The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit record storage volume reaches [Assignment: organi zation-defined percentage] of repository maximum audit record storage capacity. |
| CCI-001856 |
The organization defines the real-time period within which the information system is to provide an alert when organization-defined audit failure events occur. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the real-time period as immediate. |
DoD has defined the real-time period as immediate. |
Response To Audit Processing Failures | Real-Time Alerts |
AU-5 (2) |
AU-5(2).2 |
Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less). |
The information system provides an alert in [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts]. |
| CCI-001857 |
The organization defines the personnel, roles, and/or locations to receive alerts when organization-defined audit failure events occur. |
The organization conducting the inspection/assessment obtains and examines the documented list of personnel or roles who should receive alerts when all audit failure events occur to ensure the organization being inspected/assessed has either defined additional personnel or roles, or identified that there are no additional personnel or roles.
DoD has defined the audit failure events as all. |
The organization being inspected/assessed defines and documents any personnel or roles, in addition to the SCA and ISSO, who shall receive alerts when all audit failure events occur. If there are no additional personnel or roles, the organization must also document that.
DoD has defined the personnel or roles as at a minimum, the SCA and ISSO.
DoD has defined the audit failure events as all. |
Response To Audit Processing Failures | Real-Time Alerts |
AU-5 (2) |
AU-5(2).3 |
Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less). |
The information system provides an alert in [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts]. |
| CCI-001858 |
The information system provides a real-time alert in an organization-defined real-time period to organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configured the information system to immediately provide a real-time alert to personnel, roles, and/or locations defined in AU-5 (2), CCI 1857 when all audit failure events requiring real-time alerts occur.
DoD has defined the real-time period as immediate.
DoD has defined the audit failure events as all.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1858. |
The organization being inspected/assessed configures the information system to immediately provide a real-time alert to personnel, roles, and/or locations defined in AU-5 (2), CCI 1857 when all audit failure events requiring real-time alerts occur.
DoD has defined the real-time period as immediate.
DoD has defined the audit failure events as all.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1858. |
Response To Audit Processing Failures | Real-Time Alerts |
AU-5 (2) |
AU-5(2).4 |
Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less). |
The information system provides an alert in [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts]. |
| CCI-001859 |
The organization defines the network communication traffic volume thresholds reflecting limits on auditing capacity, specifying when the information system will reject or delay network traffic that exceed those thresholds. |
The organization conducting the inspection/assessment obtains and examines the documented network communication traffic volume thresholds to ensure they have been defined. |
The organization being inspected/assessed defines and documents the network communication traffic volume thresholds reflecting limits on auditing capacity, specifying when the information system will reject or delay network traffic that exceed those thresholds. |
Response To Audit Processing Failures | Configurable Traffic Volume Thresholds |
AU-5 (3) |
AU-5(3).4 |
Organizations have the capability to reject or delay the processing of network communications traffic if auditing such traffic is determined to exceed the storage capacity of the information system audit function. The rejection or delay response is triggered by the established organizational traffic volume thresholds which can be adjusted based on changes to audit storage capacity. |
The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity and [Selection: rejects; delays] network traffic above those thresholds. |
| CCI-001860 |
The organization defines the audit failures which, should they occur, will invoke an organization-defined system mode. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the audit failures as all. |
DoD has defined the audit failures as all. |
Response To Audit Processing Failures | Shutdown On Failure |
AU-5 (4) |
AU-5(4).1 |
Organizations determine the types of audit failures that can trigger automatic information system shutdowns or degraded operations. Because of the importance of ensuring mission/business continuity, organizations may determine that the nature of the audit failure is not so severe that it warrants a complete shutdown of the information system supporting the core organizational missions/business operations. In those instances, partial information system shutdowns or operating in a degraded mode with reduced capability may be viable alternatives. Related control: AU-15. |
The information system invokes a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission/business functionality available] in the event of [Assignment: organization-defined audit failures], unless an alternate audit capability exists. |
| CCI-001861 |
The information system invokes an organization-defined system mode, in the event of organization-defined audit failures, unless an alternate audit capability exists. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed invokes the system mode defined in AU-5 (4), CCI 2907 in the event all audit failures, unless an alternate audit capability exists.
DoD has defined the audit failures as all.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1861 |
The organization being inspected/assessed configures the information system to invoke the system mode defined in AU-5 (4), CCI 2907 in the event all audit failures, unless an alternate audit capability exists.
DoD has defined the audit failures as all.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1861.
|
Response To Audit Processing Failures | Shutdown On Failure |
AU-5 (4) |
AU-5(4).2 |
Organizations determine the types of audit failures that can trigger automatic information system shutdowns or degraded operations. Because of the importance of ensuring mission/business continuity, organizations may determine that the nature of the audit failure is not so severe that it warrants a complete shutdown of the information system supporting the core organizational missions/business operations. In those instances, partial information system shutdowns or operating in a degraded mode with reduced capability may be viable alternatives. Related control: AU-15. |
The information system invokes a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission/business functionality available] in the event of [Assignment: organization-defined audit failures], unless an alternate audit capability exists. |
| CCI-002907 |
The organization defines the system mode to be invoked, such as a full system shutdown, a partial system shutdown, or a degraded operational mode with limited mission/business functionality available, in the event of organization-defined audit failures. |
The organization conducting the inspection/assessment obtains and examines the documented system mode to ensure the organization being inspected/assessed defines the system mode to be invoked.
|
The organization being inspected/assessed defines and documents the system mode to be invoked. Possible examples of system modes include a full system shutdown, a partial system shutdown, or a degraded operational mode with limited mission/business functionality available.
|
Response To Audit Processing Failures | Shutdown On Failure |
AU-5 (4) |
AU-5(4).3 |
Organizations determine the types of audit failures that can trigger automatic information system shutdowns or degraded operations. Because of the importance of ensuring mission/business continuity, organizations may determine that the nature of the audit failure is not so severe that it warrants a complete shutdown of the information system supporting the core organizational missions/business operations. In those instances, partial information system shutdowns or operating in a degraded mode with reduced capability may be viable alternatives. Related control: AU-15. |
The information system invokes a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission/business functionality available] in the event of [Assignment: organization-defined audit failures], unless an alternate audit capability exists. |
| CCI-001862 |
The organization defines the types of inappropriate or unusual activity to be reviewed and analyzed in the audit records. |
The organization conducting the inspection/assessment obtains and examines the documented types of inappropriate or unusual activity to ensure they have been defined.
DoD has determined that the types of inappropriate or unusual activity are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the types of inappropriate or unusual activity to be reviewed and analyzed in the audit records.
DoD has determined that the types of inappropriate or unusual activity are not appropriate to define at the Enterprise level. |
Audit Review, Analysis, And Reporting |
AU-6 |
AU-6.3 |
Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review/analysis may be carried out by other organizations granted such authority. Related controls: AC-2, AC-3, AC-6, AC-17, AT-3, AU-7, AU-16, CA-7, CM-5, CM-10, CM-11, IA-3, IA-5, IR-5, IR-6, MA-4, MP-4, PE-3, PE-6, PE-14, PE-16, RA-5, SC-7, SC-18, SC-19, SI-3, SI-4, SI-7. |
The organization:
a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and
b. Reports findings to [Assignment: organization-defined personnel or roles]. |
| CCI-001863 |
The organization defines the personnel or roles to receive the reports of organization-defined inappropriate or unusual activity. |
The organization conducting the inspection/assessment obtains and examines the documented list of personnel or roles who should receive the reports of inappropriate or unusual activity defined in AU-6, CCI 1862 to ensure the organization being inspected/assessed has either defined additional personnel or roles, or identified that there are no additional personnel or roles. |
The organization being inspected/assessed defines and documents any personnel or roles, in addition to the ISSO and ISSM, who shall receive the reports of inappropriate or unusual activity defined in AU-6, CCI 1862. If there are no additional personnel or roles, the organization must also document that.
DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. |
Audit Review, Analysis, And Reporting |
AU-6 |
AU-6.5 |
Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review/analysis may be carried out by other organizations granted such authority. Related controls: AC-2, AC-3, AC-6, AC-17, AT-3, AU-7, AU-16, CA-7, CM-5, CM-10, CM-11, IA-3, IA-5, IR-5, IR-6, MA-4, MP-4, PE-3, PE-6, PE-14, PE-16, RA-5, SC-7, SC-18, SC-19, SI-3, SI-4, SI-7. |
The organization:
a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and
b. Reports findings to [Assignment: organization-defined personnel or roles]. |
| CCI-001864 |
The organization employs automated mechanisms to integrate audit review and analysis to support organizational processes for investigation of and response to suspicious activities. |
The organization conducting the inspection/assessment obtains and examines documentation identifying automated mechanisms to integrate audit review and analysis to ensure such mechanisms have been identified.
The organization conducting the inspection/assessment examines the identified automated mechanisms to ensure they have been implemented. |
The organization being inspected/assessed identifies and implements automated mechanisms to integrate audit review and analysis.
The goal is to support organizational investigation of and response to suspicious activities. |
Audit Review, Analysis, And Reporting | Process Integration |
AU-6 (1) |
AU-6(1).1 |
Organizational processes benefiting from integrated audit review, analysis, and reporting include, for example, incident response, continuous monitoring, contingency planning, and Inspector General audits. Related controls: AU-12, PM-7. |
The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. |
| CCI-001865 |
The organization employs automated mechanisms to integrate reporting processes to support organizational investigation of and response to suspicious activities. |
The organization conducting the inspection/assessment obtains and examines documentation identifying automated mechanisms to integrate reporting processes to ensure such mechanisms have been identified.
The organization conducting the inspection/assessment examines the identified automated mechanisms to ensure they have been implemented. |
The organization being inspected/assessed identifies and implements automated mechanisms to integrate reporting processes (e.g., centralized log analysis tools).
The goal is to support organizational investigation of and response to suspicious activities. |
Audit Review, Analysis, And Reporting | Process Integration |
AU-6 (1) |
AU-6(1).2 |
Organizational processes benefiting from integrated audit review, analysis, and reporting include, for example, incident response, continuous monitoring, contingency planning, and Inspector General audits. Related controls: AU-12, PM-7. |
The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. |
| CCI-001866 |
The organization defines the data/information to be collected from other sources to enhance its ability to identify inappropriate or unusual activity. |
The organization conducting the inspection/assessment obtains and examines documented data/information from other sources to ensure the information has been defined.
DoD has determined that the data/information is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the data/information to be collected from other sources to enhance its ability to identify inappropriate or unusual activity.
If no additional data/information is to be collected, that should also be documented.
DoD has determined that the data/information is not appropriate to define at the Enterprise level. |
Audit Review, Analysis, And Reporting | Integration / Scanning And Monitoring Capabilities |
AU-6 (5) |
AU-6(5).1 |
This control enhancement does not require vulnerability scanning, the generation of performance data, or information system monitoring. Rather, the enhancement requires that the analysis of information being otherwise produced in these areas is integrated with the analysis of audit information. Security Event and Information Management System tools can facilitate audit record aggregation/consolidation from multiple information system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans and correlating attack detection events with scanning results. Correlation with performance data can help uncover denial of service attacks or cyber attacks resulting in unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations. Related controls: AU-12, IR-4, RA-5. |
The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. |
| CCI-001867 |
The organization integrates analysis of audit records with analysis of vulnerability scanning information, performance data, information system monitoring information, and/or organization-defined data/information collected from other sources to further enhance its ability to identify inappropriate or unusual activity. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed integrates the analysis of audit records with the data/information defined in AU-6 (5), CCI 1866 (if any) to further enhance its ability to identify inappropriate or unusual activity. |
The organization being inspected/assessed documents and implements a process to integrate the analysis of audit records with the data/information defined in AU-6 (5), CCI 1866 (if any) to further enhance its ability to identify inappropriate or unusual activity. |
Audit Review, Analysis, And Reporting | Integration / Scanning And Monitoring Capabilities |
AU-6 (5) |
AU-6(5).2 |
This control enhancement does not require vulnerability scanning, the generation of performance data, or information system monitoring. Rather, the enhancement requires that the analysis of information being otherwise produced in these areas is integrated with the analysis of audit information. Security Event and Information Management System tools can facilitate audit record aggregation/consolidation from multiple information system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans and correlating attack detection events with scanning results. Correlation with performance data can help uncover denial of service attacks or cyber attacks resulting in unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations. Related controls: AU-12, IR-4, RA-5. |
The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. |
| CCI-001868 |
The organization specifies the permitted actions for each information system process, role, and/or user associated with the review and analysis of audit information. |
The organization conducting the inspection/assessment obtains and examines the documented permitted actions to ensure the organization being inspected/assessed specifies the permitted actions for each information system process, role, and/or user associated with the review and analysis of audit information. |
The organization being inspected/assessed specifies and documents the permitted actions for each information system process, role, and/or user associated with the review and analysis of audit information. |
Audit Review, Analysis, And Reporting | Permitted Actions |
AU-6 (7) |
AU-6(7).1 |
Organizations specify permitted actions for information system processes, roles, and/or users associated with the review, analysis, and reporting of audit records through account management techniques. Specifying permitted actions on audit information is a way to enforce the principle of least privilege. Permitted actions are enforced by the information system and include, for example, read, write, execute, append, and delete. |
The organization specifies the permitted actions for each [Selection (one or more): information system process; role; user] associated with the review, analysis, and reporting of audit information. |
| CCI-001869 |
The organization specifies the permitted actions for each information system process, role, and/or user associated with the reporting of audit information. |
The organization conducting the inspection/assessment obtains and examines the documented permitted actions to ensure the organization being inspected/assessed specifies the permitted actions for each information system process, role, and/or user associated with the reporting of audit information. |
The organization being inspected/assessed specifies and documents the permitted actions for each information system process, role, and/or user associated with the reporting of audit information. |
Audit Review, Analysis, And Reporting | Permitted Actions |
AU-6 (7) |
AU-6(7).2 |
Organizations specify permitted actions for information system processes, roles, and/or users associated with the review, analysis, and reporting of audit records through account management techniques. Specifying permitted actions on audit information is a way to enforce the principle of least privilege. Permitted actions are enforced by the information system and include, for example, read, write, execute, append, and delete. |
The organization specifies the permitted actions for each [Selection (one or more): information system process; role; user] associated with the review, analysis, and reporting of audit information. |
| CCI-001870 |
The organization performs a full-text analysis of audited privileged commands in a physically-distinct component or subsystem of the information system, or other information system that is dedicated to that analysis. |
The organization conducting the inspection/assessment obtains and examines the documented process and supporting records (e.g., analysis results) to ensure the organization being inspected/assessed performs a full-text analysis of audited privileged commands in a physically-distinct component or subsystem of the information system, or other information system that is dedicated to that analysis. |
The organization being inspected/assessed documents and implements a process to perform a full-text analysis of audited privileged commands in a physically-distinct component or subsystem of the information system, or other information system that is dedicated to that analysis. |
Audit Review, Analysis, And Reporting | Full Text Analysis Of Privileged Commands |
AU-6 (8) |
AU-6(8).1 |
This control enhancement requires a distinct environment for the dedicated analysis of audit information related to privileged users without compromising such information on the information system where the users have elevated privileges including the capability to execute privileged commands. Full text analysis refers to analysis that considers the full text of privileged commands (i.e., commands and all parameters) as opposed to analysis that considers only the name of the command. Full text analysis includes, for example, the use of pattern matching and heuristics. Related controls: AU-3, AU-9, AU-11, AU-12. |
The organization performs a full-text analysis of audited privileged commands in a physically distinct component or subsystem of the information system, or other information system that is dedicated to that analysis. |
| CCI-001871 |
The organization correlates information from non-technical sources with audit information to enhance organization-wide situational awareness. |
The organization conducting the inspection/assessment obtains and examines the documented process and supporting records to ensure the organization being inspected/assessed correlates information from non-technical sources with audit information to enhance organization-wide situational awareness. |
The organization being inspected/assessed documents and implements a process to correlate information from non-technical sources with audit information to enhance organization-wide situational awareness. |
Audit Review, Analysis, And Reporting | Correlation With Information From Nontechnical Sources |
AU-6 (9) |
AU-6(9).1 |
Nontechnical sources include, for example, human resources records documenting organizational policy violations (e.g., sexual harassment incidents, improper use of organizational information assets). Such information can lead organizations to a more directed analytical effort to detect potential malicious insider activity. Due to the sensitive nature of the information available from nontechnical sources, organizations limit access to such information to minimize the potential for the inadvertent release of privacy-related information to individuals that do not have a need to know. Thus, correlation of information from nontechnical sources with audit information generally occurs only when individuals are suspected of being involved in a security incident. Organizations obtain legal advice prior to initiating such actions. Related control: AT-2. |
The organization correlates information from non-technical sources with audit information to enhance organization-wide situational awareness. |
| CCI-001872 |
The organization adjusts the level of audit review and analysis within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. |
The organization conducting the inspection/assessment obtains and examines the documented process and supporting records to ensure the organization being inspected/assessed adjusts the level of audit review within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. |
The organization being inspected/assessed documents and implements a process for adjusting the level of audit review within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information (e.g., INFOCON). |
Audit Review, Analysis, And Reporting | Audit Level Adjustment |
AU-6 (10) |
AU-6(10).1 |
The frequency, scope, and/or depth of the audit review, analysis, and reporting may be adjusted to meet organizational needs based on new information received. |
The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. |
| CCI-001873 |
The organization adjusts the level of audit analysis within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. |
|
|
|
|
|
|
|
| CCI-001874 |
The organization adjusts the level of audit reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. |
The organization conducting the inspection/assessment obtains and examines the documented process and supporting records to ensure the organization being inspected/assessed adjusts the level of audit reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. |
The organization being inspected/assessed documents and implements a process for adjusting the level of audit reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information (e.g., INFOCON). |
Audit Review, Analysis, And Reporting | Audit Level Adjustment |
AU-6 (10) |
AU-6(10).2 |
The frequency, scope, and/or depth of the audit review, analysis, and reporting may be adjusted to meet organizational needs based on new information received. |
The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. |
| CCI-001875 |
The information system provides an audit reduction capability that supports on-demand audit review and analysis. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed employs information systems that provide an audit reduction capability that support on-demand audit review and analysis (either natively or through the use of third-party tools).
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1875. |
The organization being inspected/assessed must employ information systems that provide an audit reduction capability that support on-demand audit review and analysis (either natively or through the use of third-party tools).
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1875. |
Audit Reduction And Report Generation |
AU-7 |
AU-7.1 |
Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit reduction and report generation capabilities do not always emanate from the same information system or from the same organizational entities conducting auditing activities. Audit reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the information system can generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the timestamp in the record is insufficient. Related control: AU-6. |
The information system provides an audit reduction and report generation capability that:
a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and
b. Does not alter the original content or time ordering of audit records. |
| CCI-001876 |
The information system provides an audit reduction capability that supports on-demand reporting requirements. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed employs information systems that provide an audit reduction capability that supports on-demand reporting requirements (either natively or through the use of third-party tools).
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1876. |
The organization being inspected/assessed must employ information systems that provide an audit reduction capability that support on-demand reporting requirements (either natively or through the use of third-party tools).
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1876. |
Audit Reduction And Report Generation |
AU-7 |
AU-7.2 |
Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit reduction and report generation capabilities do not always emanate from the same information system or from the same organizational entities conducting auditing activities. Audit reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the information system can generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the timestamp in the record is insufficient. Related control: AU-6. |
The information system provides an audit reduction and report generation capability that:
a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and
b. Does not alter the original content or time ordering of audit records. |
| CCI-001877 |
The information system provides an audit reduction capability that supports after-the-fact investigations of security incidents. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed employs information systems that provide an audit reduction capability that supports after-the-fact investigations of security incidents (either natively or through the use of third-party tools).
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1877. |
The organization being inspected/assessed must employ information systems that provide an audit reduction capability that support after-the-fact investigations of security incidents (either natively or through the use of third-party tools).
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1877. |
Audit Reduction And Report Generation |
AU-7 |
AU-7.3 |
Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit reduction and report generation capabilities do not always emanate from the same information system or from the same organizational entities conducting auditing activities. Audit reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the information system can generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the timestamp in the record is insufficient. Related control: AU-6. |
The information system provides an audit reduction and report generation capability that:
a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and
b. Does not alter the original content or time ordering of audit records. |
| CCI-001878 |
The information system provides a report generation capability that supports on-demand audit review and analysis. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed employs information systems that provide a report generation capability that supports on-demand audit review and analysis (either natively or through the use of third-party tools).
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1878. |
The organization being inspected/assessed must employ information systems that provide a report generation capability that support on-demand audit review and analysis (either natively or through the use of third-party tools).
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1878. |
Audit Reduction And Report Generation |
AU-7 |
AU-7.4 |
Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit reduction and report generation capabilities do not always emanate from the same information system or from the same organizational entities conducting auditing activities. Audit reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the information system can generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the timestamp in the record is insufficient. Related control: AU-6. |
The information system provides an audit reduction and report generation capability that:
a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and
b. Does not alter the original content or time ordering of audit records. |
| CCI-001879 |
The information system provides a report generation capability that supports on-demand reporting requirements. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed employs information systems that provide a report generation capability that supports on-demand reporting requirements (either natively or through the use of third-party tools).
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1879. |
The organization being inspected/assessed must employ information systems that provide a report generation capability that support on-demand reporting requirements (either natively or through the use of third-party tools).
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1879. |
Audit Reduction And Report Generation |
AU-7 |
AU-7.5 |
Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit reduction and report generation capabilities do not always emanate from the same information system or from the same organizational entities conducting auditing activities. Audit reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the information system can generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the timestamp in the record is insufficient. Related control: AU-6. |
The information system provides an audit reduction and report generation capability that:
a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and
b. Does not alter the original content or time ordering of audit records. |
| CCI-001880 |
The information system provides a report generation capability that supports after-the-fact investigations of security incidents. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed employs information systems that provide a report generation capability that supports after-the-fact investigations of security incidents (either natively or through the use of third-party tools).
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1880. |
The organization being inspected/assessed must employ information systems that provide a report generation capability that support after-the-fact investigations of security incidents (either natively or through the use of third-party tools).
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1880. |
Audit Reduction And Report Generation |
AU-7 |
AU-7.6 |
Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit reduction and report generation capabilities do not always emanate from the same information system or from the same organizational entities conducting auditing activities. Audit reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the information system can generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the timestamp in the record is insufficient. Related control: AU-6. |
The information system provides an audit reduction and report generation capability that:
a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and
b. Does not alter the original content or time ordering of audit records. |
| CCI-001881 |
The information system provides an audit reduction capability that does not alter original content or time ordering of audit records. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed employs an audit reduction capability that does not alter original audit records.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1881. |
The organization being inspected/assessed must ensure that the audit reduction capability does not alter the original audit records.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1881. |
Audit Reduction And Report Generation |
AU-7 |
AU-7.7 |
Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit reduction and report generation capabilities do not always emanate from the same information system or from the same organizational entities conducting auditing activities. Audit reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the information system can generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the timestamp in the record is insufficient. Related control: AU-6. |
The information system provides an audit reduction and report generation capability that:
a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and
b. Does not alter the original content or time ordering of audit records. |
| CCI-001882 |
The information system provides a report generation capability that does not alter original content or time ordering of audit records. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed employs a report generation capability that does not alter original audit records.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1882. |
The organization being inspected/assessed must ensure that the report generation capability does not alter the original audit records.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1882. |
Audit Reduction And Report Generation |
AU-7 |
AU-7.8 |
Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit reduction and report generation capabilities do not always emanate from the same information system or from the same organizational entities conducting auditing activities. Audit reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the information system can generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the timestamp in the record is insufficient. Related control: AU-6. |
The information system provides an audit reduction and report generation capability that:
a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and
b. Does not alter the original content or time ordering of audit records. |
| CCI-001883 |
The organization defines the audit fields within audit records to be processed for events of interest by the information system. |
The organization conducting the inspection/assessment obtains and examines the documented audit fields to ensure the organization being inspected/assessed defines the audit fields within audit records to be processed for events of interest by the information system.
DoD has determined that the audit fields are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed must define and document the audit fields within audit records to be processed for events of interest by the information system.
DoD has determined that the audit fields are not appropriate to define at the Enterprise level. |
Audit Reduction And Report Generation | Automatic Processing |
AU-7 (1) |
AU-7(1).2 |
Events of interest can be identified by the content of specific audit record fields including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific information system component. Related controls: AU-2, AU-12. |
The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records]. |
| CCI-001884 |
The organization defines the audit fields within audit records to be sorted for events of interest by the information system. |
The organization conducting the inspection/assessment obtains and examines the documented audit fields to ensure the organization being inspected/assessed defines the audit fields within audit records to be sorted for events of interest by the information system.
DoD has determined that the audit fields are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed must define and document the audit fields within audit records to be sorted for events of interest by the information system.
DoD has determined that the audit fields are not appropriate to define at the Enterprise level. |
Audit Reduction And Report Generation | Automatic Sort And Search |
AU-7 (2) |
AU-7(2).1 |
Sorting and searching of audit records may be based upon the contents of audit record fields, for example: (i) date/time of events; (ii) user identifiers; (iii) Internet Protocol (IP) addresses involved in the event; (iv) type of event; or (v) event success/failure. |
The information system provides the capability to sort and search audit records for events of interest based on the content of [Assignment: organization-defined audit fields within audit records]. |
| CCI-001885 |
The organization defines the audit fields within audit records to be searched for events of interest by the information system. |
The organization conducting the inspection/assessment obtains and examines the documented audit fields to ensure the organization being inspected/assessed defines the audit fields within audit records to be searched for events of interest by the information system.
DoD has determined that the audit fields are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed must define and document the audit fields within audit records to be searched for events of interest by the information system.
DoD has determined that the audit fields are not appropriate to define at the Enterprise level. |
Audit Reduction And Report Generation | Automatic Sort And Search |
AU-7 (2) |
AU-7(2).2 |
Sorting and searching of audit records may be based upon the contents of audit record fields, for example: (i) date/time of events; (ii) user identifiers; (iii) Internet Protocol (IP) addresses involved in the event; (iv) type of event; or (v) event success/failure. |
The information system provides the capability to sort and search audit records for events of interest based on the content of [Assignment: organization-defined audit fields within audit records]. |
| CCI-001886 |
The information system provides the capability to sort audit records for events of interest based on the content of organization-defined audit fields within audit records. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed employs information systems that provide the capability to sort audit records for events of interest based on the content of audit fields within audit records as defined in AU-7 (2), CCI 1884.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1886. |
The organization being inspected/assessed must employ information systems that provide the capability to sort audit records for events of interest based on the content of audit fields within audit records as defined in AU-7 (2), CCI 1884.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1886. |
Audit Reduction And Report Generation | Automatic Sort And Search |
AU-7 (2) |
AU-7(2).3 |
Sorting and searching of audit records may be based upon the contents of audit record fields, for example: (i) date/time of events; (ii) user identifiers; (iii) Internet Protocol (IP) addresses involved in the event; (iv) type of event; or (v) event success/failure. |
The information system provides the capability to sort and search audit records for events of interest based on the content of [Assignment: organization-defined audit fields within audit records]. |
| CCI-001887 |
The information system provides the capability to search audit records for events of interest based on the content of organization-defined audit fields within audit records. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed employs information systems that provide the capability to search audit records for events of interest based on the content of audit fields within audit records as defined in AU-7 (2), CCI 1885.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1887. |
The organization being inspected/assessed must employ information systems that provide the capability to search audit records for events of interest based on the content of audit fields within audit records as defined in AU-7 (2), CCI 1885.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1887. |
Audit Reduction And Report Generation | Automatic Sort And Search |
AU-7 (2) |
AU-7(2).4 |
Sorting and searching of audit records may be based upon the contents of audit record fields, for example: (i) date/time of events; (ii) user identifiers; (iii) Internet Protocol (IP) addresses involved in the event; (iv) type of event; or (v) event success/failure. |
The information system provides the capability to sort and search audit records for events of interest based on the content of [Assignment: organization-defined audit fields within audit records]. |
| CCI-001888 |
The organization defines the granularity of time measurement for time stamps generated for audit records. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the granularity of time measurement as one second. |
DoD has defined the granularity of time measurement as one second. |
Time Stamps |
AU-8 |
AU-8.2 |
Time stamps generated by the information system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds. Organizations may define different time granularities for different system components. Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities. Related controls: AU-3, AU-12. |
The information system:
a. Uses internal system clocks to generate time stamps for audit records; and
b. Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement]. |
| CCI-001889 |
The information system records time stamps for audit records that meet organization-defined granularity of time measurement. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to generate time in the time stamps for audit records that meets one second granularity of time measurement.
DoD has defined the granularity of time measurement as one second.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1889. |
The organization being inspected/assessed configures the information system to generate time in the time stamps for audit records that meets one second granularity of time measurement.
DoD has defined the granularity of time measurement as one second.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1889. |
Time Stamps |
AU-8 |
AU-8.3 |
Time stamps generated by the information system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds. Organizations may define different time granularities for different system components. Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities. Related controls: AU-3, AU-12. |
The information system:
a. Uses internal system clocks to generate time stamps for audit records; and
b. Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement]. |
| CCI-001890 |
The information system records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to generate time stamps for audit records that contain time zones or time offsets that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1890. |
The organization being inspected/assessed configures the information system to generate time stamps for audit records that contain time zones or time offsets that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1890. |
Time Stamps |
AU-8 |
AU-8.4 |
Time stamps generated by the information system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds. Organizations may define different time granularities for different system components. Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities. Related controls: AU-3, AU-12. |
The information system:
a. Uses internal system clocks to generate time stamps for audit records; and
b. Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement]. |
| CCI-001891 |
The information system compares internal information system clocks on an organization-defined frequency with an organization-defined authoritative time source. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to synchronize internal information system clocks every 24 hours for networked systems with an authoritative time server which is synchronized with redundant United States Naval Observatory (USNO) time servers as designated for the appropriate DoD network (NIPRNet / SIPRNet) and/or the Global Positioning System (GPS) when the time difference is greater than the difference defined in AU-8 (1), CCI 1892.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1891.
DoD has defined the frequency as every 24 hours for networked systems.
DoD has defined the authoritative time source as an authoritative time server which is synchronized with redundant United States Naval Observatory (USNO) time servers as designated for the appropriate DoD network (NIPRNet / SIPRNet) and/or the Global Positioning System (GPS). |
The organization being inspected/assessed configures the information system to synchronize internal information system clocks every 24 hours for networked systems with an authoritative time server which is synchronized with redundant United States Naval Observatory (USNO) time servers as designated for the appropriate DoD network (NIPRNet / SIPRNet) and/or the Global Positioning System (GPS) when the time difference is greater than the difference defined in AU-8 (1), CCI 1892.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1891.
DoD has defined the frequency as every 24 hours for networked systems.
DoD has defined the authoritative time source as an authoritative time server which is synchronized with redundant United States Naval Observatory (USNO) time servers as designated for the appropriate DoD network (NIPRNet / SIPRNet) and/or the Global Positioning System (GPS). |
Time Stamps | Synchronization With Authoritative Time Source |
AU-8 (1) |
AU-8(1).3 |
This control enhancement provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. |
The information system:
(a) Compares the internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and
(b) Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period]. |
| CCI-001892 |
The organization defines the time difference which, when exceeded, will require the information system to synchronize the internal information system clocks to the organization-defined authoritative time source. |
The organization conducting the inspection/assessment obtains and examines the documented time difference to ensure the organization being inspected/assessed defines the time difference which, when exceeded, will require the information system to synchronize the internal information system clocks.
DoD has determined the time difference is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the time difference, which, when exceeded, will require the information system to synchronize the internal information system clocks.
DoD has determined the time difference is not appropriate to define at the Enterprise level. |
Time Stamps | Synchronization With Authoritative Time Source |
AU-8 (1) |
AU-8(1).4 |
This control enhancement provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. |
The information system:
(a) Compares the internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and
(b) Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period]. |
| CCI-001893 |
The information system identifies a secondary authoritative time source that is located in a different geographic region than the primary authoritative time source. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed uses a secondary authoritative time source that is located in a different geographic region than the primary authoritative time source.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1893. |
The organization being inspected/assessed configures the information system to use a secondary authoritative time source that is located in a different geographic region than the primary authoritative time source.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1893. |
Time Stamps | Secondary Authoritative Time Source |
AU-8 (2) |
AU-8(2).1 |
|
The information system identifies a secondary authoritative time source that is located in a different geographic region than the primary authoritative time source. |
| CCI-002046 |
The information system synchronizes the internal system clocks to the authoritative time source when the time difference is greater than the organization-defined time period. |
The organization conducting the inspection/assessment examines the information system to ensure the system synchronizes the internal system clocks to the authoritative time source when the time difference is greater than the time period defined in AU-8 (1), CCI 1892.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2046. |
The organization being inspected/assessed configures the information system to synchronize the internal system clocks to the authoritative time source when the time difference is greater than the time period defined in AU-8 (1), CCI 1892.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2046. |
Time Stamps | Synchronization With Authoritative Time Source |
AU-8 (1) |
AU-8(1).5 |
This control enhancement provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. |
The information system:
(a) Compares the internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and
(b) Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period]. |
| CCI-001894 |
The organization defines the subset of privileged users who will be authorized access to the management of audit functionality. |
The organization conducting the inspection/assessment obtains and examines the documented subset of privileged users to be authorized access to the management of audit functionality, to ensure the organization being inspected/assessed defines and documents the subset of privileged users to be authorized access to the management of audit functionality.
DoD has determined the subset of privileged users is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the subset of privileged users to be authorized access to the management of audit functionality.
DoD has determined the subset of privileged users is not appropriate to define at the Enterprise level. |
Protection Of Audit Information | Access By Subset Of Privileged Users |
AU-9 (4) |
AU-9(4).1 |
Individuals with privileged access to an information system and who are also the subject of an audit by that system, may affect the reliability of audit information by inhibiting audit activities or modifying audit records. This control enhancement requires that privileged access be further defined between audit-related privileges and other privileges, thus limiting the users with audit-related privileges. Related control: AC-5. |
The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users]. |
| CCI-001895 |
The organization defines the audit information requiring dual authorization for movement or deletion actions. |
The organization conducting the inspection/assessment obtains and examines the definition of audit information requiring dual authorization for movement or deletion actions, to ensure the organization being inspected/assessed defines and documents the audit information requiring dual authorization for movement or deletion actions.
DoD has determined the audit information is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the audit information requiring dual authorization for movement or deletion actions.
DoD has determined the audit information is not appropriate to define at the Enterprise level. |
Protection Of Audit Information | Dual Authorization |
AU-9 (5) |
AU-9(5).1 |
Organizations may choose different selection options for different types of audit information. Dual authorization mechanisms require the approval of two authorized individuals in order to execute. Dual authorization may also be known as two-person control. Related controls: AC-3, MP-2. |
The organization enforces dual authorization for [Selection (one or more): movement; deletion] of [Assignment: organization-defined audit information]. |
| CCI-001896 |
The organization enforces dual authorization for movement and/or deletion of organization-defined audit information. |
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to enforce dual authorization for movement and/or deletion of audit information defined in AU-9 (5), CCI 1895.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1896. |
The organization being inspected/assessed configures the information system to enforce dual authorization for movement and/or deletion of audit information defined in AU-9 (5), CCI 1895.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1896. |
Protection Of Audit Information | Dual Authorization |
AU-9 (5) |
AU-9(5).2 |
Organizations may choose different selection options for different types of audit information. Dual authorization mechanisms require the approval of two authorized individuals in order to execute. Dual authorization may also be known as two-person control. Related controls: AC-3, MP-2. |
The organization enforces dual authorization for [Selection (one or more): movement; deletion] of [Assignment: organization-defined audit information]. |
| CCI-001897 |
The organization defines the subset of privileged users who will be authorized read-only access to audit information. |
The organization conducting the inspection/assessment obtains and examines the subset of privileged users who will be authorized read-only access to audit information, to ensure the organization being inspected/assessed defines and documents subset of privileged users who will be authorized read-only access to audit information.
DoD has determined that the subset of privileged users is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the subset of privileged users who will be authorized read-only access to audit information.
DoD has determined that the subset of privileged users is not appropriate to define at the Enterprise level. |
Protection Of Audit Information | Read Only Access |
AU-9 (6) |
AU-9(6).1 |
Restricting privileged user authorizations to read-only helps to limit the potential damage to organizations that could be initiated by such users (e.g., deleting audit records to cover up malicious activity). |
The organization authorizes read only access to audit information to [Assignment: organization-defined subset of privileged users]. |
| CCI-001898 |
The organization authorizes read-only access to audit information to an organization-defined subset of privileged users. |
The organization conducting the inspection/assessment obtains and examines the documentation of read only access authorizations for audit information to ensure only the subset of privileged users defined in AU-9 (6), CCI 1897 have been granted access authorization. |
The organization being inspected/assessed authorizes read only access to audit information to only the subset of privileged users defined in AU-9 (6), CCI 1897. |
Protection Of Audit Information | Read Only Access |
AU-9 (6) |
AU-9(6).2 |
Restricting privileged user authorizations to read-only helps to limit the potential damage to organizations that could be initiated by such users (e.g., deleting audit records to cover up malicious activity). |
The organization authorizes read only access to audit information to [Assignment: organization-defined subset of privileged users]. |
| CCI-001899 |
The organization defines the actions to be covered by non-repudiation. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the actions to be covered by non-repudiation as actions defined by DoDI 8520.02 and DoDI 8520.03.
|
DoD has defined the actions to be covered by non-repudiation as actions defined by DoDI 8520.02 and DoDI 8520.03. |
Non-Repudiation |
AU-10 |
AU-10.2 |
Types of individual actions covered by non-repudiation include, for example, creating information, sending and receiving messages, approving information (e.g., indicating concurrence or signing a contract). Non-repudiation protects individuals against later claims by: (i) authors of not having authored particular documents; (ii) senders of not having transmitted messages; (iii) receivers of not having received messages; or (iv) signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from a particular individual, or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request) or received specific information. Organizations obtain non-repudiation services by employing various techniques or mechanisms (e.g., digital signatures, digital message receipts). Related controls: SC-12, SC-8, SC-13, SC-16, SC-17, SC-23. |
The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed [Assignment: organization-defined actions to be covered by non-repudiation]. |
| CCI-001900 |
The organization defines the strength of binding to be applied to the binding of the identity of the information producer with the information. |
The organization conducting the inspection/assessment obtains and examines the documented strength of binding to ensure the organization being inspected/assessed defines the strength of binding and where within the information system it has been implemented, to be applied to the binding of the identity of the information producer with the information.
DoD has determined that the strength of binding is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the strength of binding and where within the information system it has been implemented, to be applied to the binding of the identity of the information producer with the information.
DoD has determined that the strength of binding is not appropriate to define at the Enterprise level. |
Non-Repudiation | Association Of Identities |
AU-10 (1) |
AU-10(1).1 |
This control enhancement supports audit requirements that provide organizational personnel with the means to identify who produced specific information in the event of an information transfer. Organizations determine and approve the strength of the binding between the information producer and the information based on the security category of the information and relevant risk factors. Related controls: AC-4, AC-16. |
The information system:
(a) Binds the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and
(b) Provides the means for authorized individuals to determine the identity of the producer of the information. |
| CCI-001901 |
The information system binds the identity of the information producer with the information to an organization-defined strength of binding. |
The organization conducting the inspection/assessment examines the information system to ensure the producer identity is bound to the information with the strength of binding defined in AU-10 (1) CCI 1900.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1901. |
The organization being inspected/assessed configures the information system to bind the identify of the information producer with the information with the strength of binding defined in AU-10 (1) CCI 1900.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1901. |
Non-Repudiation | Association Of Identities |
AU-10 (1) |
AU-10(1).2 |
This control enhancement supports audit requirements that provide organizational personnel with the means to identify who produced specific information in the event of an information transfer. Organizations determine and approve the strength of the binding between the information producer and the information based on the security category of the information and relevant risk factors. Related controls: AC-4, AC-16. |
The information system:
(a) Binds the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and
(b) Provides the means for authorized individuals to determine the identity of the producer of the information. |
| CCI-001902 |
The information system provides the means for authorized individuals to determine the identity of the producer of the information. |
The organization conducting the inspection/assessment examines the information system to ensure authorized individuals are able to determine the identity of the producer of the information.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1902. |
The organization being inspected/assessed configures the information system to provide a means for authorized individuals to determine the identity of the producer of the information.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1902. |
Non-Repudiation | Association Of Identities |
AU-10 (1) |
AU-10(1).3 |
This control enhancement supports audit requirements that provide organizational personnel with the means to identify who produced specific information in the event of an information transfer. Organizations determine and approve the strength of the binding between the information producer and the information based on the security category of the information and relevant risk factors. Related controls: AC-4, AC-16. |
The information system:
(a) Binds the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and
(b) Provides the means for authorized individuals to determine the identity of the producer of the information. |
| CCI-001903 |
The organization defines the frequency on which the information system is to validate the binding of the information producer identity to the information. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as according to the tool's capability frequency, but at a minimum, upon first access or hourly in cases of continued access. |
DoD has defined the frequency as according to the tool's capability frequency, but at a minimum, upon first access or hourly in cases of continued access. |
Non-Repudiation | Validate Binding Of Information Producer Identity |
AU-10 (2) |
AU-10(2).1 |
This control enhancement prevents the modification of information between production and review. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Organizations determine if validations are in response to user requests or generated automatically. Related controls: AC-3, AC-4, AC-16. |
The information system:
(a) Validates the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and
(b) Performs [Assignment: organization-defined actions] in the event of a validation error. |
| CCI-001904 |
The information system validates the binding of the information producer identity to the information at an organization-defined frequency. |
The organization conducting the inspection/assessment examines the information system to ensure the information system is configured to validate the binding of the information producer identity to the information according to the tool's capability frequency, but at a minimum, upon first access or hourly in cases of continued access.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1904.
DoD has defined the frequency as according to the tool's capability frequency, but at a minimum, upon first access or hourly in cases of continued access. |
The organization being inspected/assessed configures the information system to validate the binding of the information producer identity to the information according to the tool's capability frequency, but at a minimum, upon first access or hourly in cases of continued access.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1904.
DoD has defined the frequency as according to the tool's capability frequency, but at a minimum, upon first access or hourly in cases of continued access. |
Non-Repudiation | Validate Binding Of Information Producer Identity |
AU-10 (2) |
AU-10(2).2 |
This control enhancement prevents the modification of information between production and review. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Organizations determine if validations are in response to user requests or generated automatically. Related controls: AC-3, AC-4, AC-16. |
The information system:
(a) Validates the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and
(b) Performs [Assignment: organization-defined actions] in the event of a validation error. |
| CCI-001905 |
The organization defines the actions to be performed in the event of an error when validating the binding of the information producer identity to the information. |
The organization conducting the inspection/assessment obtains and examines the documented actions to ensure the organization being inspected/assessed defines the actions to be performed in the event of an error when validating the binding of the information producer identity to the information.
DoD has determined the actions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the actions to be performed in the event of an error when validating the binding of the information producer identity to the information.
The organization should consider the system's environment and impact of the errors when defining the actions.
Examples of actions include automated notification to administrators, halt system process or read action
DoD has determined the actions are not appropriate to define at the Enterprise level. |
Non-Repudiation | Validate Binding Of Information Producer Identity |
AU-10 (2) |
AU-10(2).3 |
This control enhancement prevents the modification of information between production and review. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Organizations determine if validations are in response to user requests or generated automatically. Related controls: AC-3, AC-4, AC-16. |
The information system:
(a) Validates the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and
(b) Performs [Assignment: organization-defined actions] in the event of a validation error. |
| CCI-001906 |
The information system performs organization-defined actions in the event of an error when validating the binding of the information producer identity to the information. |
The organization conducting the inspection/assessment examines the information system to ensure the information system is configured to perform the actions defined in AU-10 (2), CCI 1905 in the event of an error when validating the binding of the information producer identity to the information.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1906. |
The organization being inspected/assessed configures the information system to perform the actions defined in AU-10 (2), CCI 1905 in the event of an error when validating the binding of the information producer identity to the information.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1906. |
Non-Repudiation | Validate Binding Of Information Producer Identity |
AU-10 (2) |
AU-10(2).4 |
This control enhancement prevents the modification of information between production and review. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Organizations determine if validations are in response to user requests or generated automatically. Related controls: AC-3, AC-4, AC-16. |
The information system:
(a) Validates the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and
(b) Performs [Assignment: organization-defined actions] in the event of a validation error. |
| CCI-001907 |
The organization defines the security domains which will require the information system validate the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer. |
The organization conducting the inspection/assessment obtains and examines the documented security domains to ensure the organization being inspected/assessed defines the security domains which require the information system validate the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer.
DoD has determined the security domains are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security domains which require the information system validate the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer.
DoD has determined the security domains are not appropriate to define at the Enterprise level.
Note: Security domain as defined by CNSSI 4009. |
Non-Repudiation | Validate Binding Of Information Reviewer Identity |
AU-10 (4) |
AU-10(4).2 |
This control enhancement prevents the modification of information between review and transfer/release. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Organizations determine validations are in response to user requests or generated automatically. Related controls: AC-4, AC-16. |
The information system:
(a) Validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer between [Assignment: organization-defined security domains]; and
(b) Performs [Assignment: organization-defined actions] in the event of a validation error. |
| CCI-001908 |
The organization defines the action the information system is to perform in the event of an information reviewer identity binding validation error. |
The organization conducting the inspection/assessment obtains and examines the documented actions to ensure the organization being inspected/assessed defines the actions the information system is to perform in the event of a information reviewer identity binding validation error. At a minimum, the actions must include alerting the data/information owner of a validation error on a reviewers identity.
DoD has determined that all actions are not appropriate to define at the Enterprise level. At a minimum, the actions must include alerting the data/information owner of a validation error on a reviewers identity. |
The organization being inspected/assessed defines and documents the actions the information system is to perform in the event of a information reviewer identity binding validation error. At a minimum, the actions must include alerting the data/information owner of a validation error on a reviewers identity.
DoD has determined that all actions are not appropriate to define at the Enterprise level. At a minimum, the actions must include alerting the data/information owner of a validation error on a reviewers identity. |
Non-Repudiation | Validate Binding Of Information Reviewer Identity |
AU-10 (4) |
AU-10(4).3 |
This control enhancement prevents the modification of information between review and transfer/release. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Organizations determine validations are in response to user requests or generated automatically. Related controls: AC-4, AC-16. |
The information system:
(a) Validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer between [Assignment: organization-defined security domains]; and
(b) Performs [Assignment: organization-defined actions] in the event of a validation error. |
| CCI-001909 |
The information system performs organization-defined actions in the event of an information reviewer identity binding validation error. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to perform actions defined in AU-10 (4), CCI 1908 in the event of an information reviewer identity binding validation error.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1909. |
The organization being inspected/assessed configures the information system to perform actions defined in AU-10 (4), CCI 1908 in the event of an information reviewer identity binding validation error.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1909. |
Non-Repudiation | Validate Binding Of Information Reviewer Identity |
AU-10 (4) |
AU-10(4).4 |
This control enhancement prevents the modification of information between review and transfer/release. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Organizations determine validations are in response to user requests or generated automatically. Related controls: AC-4, AC-16. |
The information system:
(a) Validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer between [Assignment: organization-defined security domains]; and
(b) Performs [Assignment: organization-defined actions] in the event of a validation error. |
| CCI-002044 |
The organization defines measures to be employed to ensure that long-term audit records generated by the information system can be retrieved. |
The organization conducting the inspection/assessment obtains and examines the documented measures to ensure the organization being inspected/assessed defines measures to be employed to ensure that long-term audit records generated by the information system can be retrieved.
DoD has determined that the measures are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents measures to be employed to ensure that long-term audit records generated by the information system can be retrieved.
DoD has determined that the measures are not appropriate to define at the Enterprise level. |
Audit Record Retention | Long-Term Retrieval Capability |
AU-11 (1) |
AU-11(1).1 |
Measures employed by organizations to help facilitate the retrieval of audit records include, for example, converting records to newer formats, retaining equipment capable of reading the records, and retaining necessary documentation to help organizational personnel understand how to interpret the records. |
The organization employs [Assignment: organization-defined measures] to ensure that long-term audit records generated by the information system can be retrieved. |
| CCI-002045 |
The organization employs organization-defined measures to ensure that long-term audit records generated by the information system can be retrieved. |
The organization conducting the inspection/assessment obtains and examines the documented measures to ensure the organization being inspected/assessed employs the measures defined in AU-11 (1), CCI 2044 to ensure that long-term audit records generated by the information system can be retrieved. |
The organization being inspected/assessed employs the measures defined in AU-11 (1), CCI 2044 to ensure that long-term audit records generated by the information system can be retrieved. |
Audit Record Retention | Long-Term Retrieval Capability |
AU-11 (1) |
AU-11(1).2 |
Measures employed by organizations to help facilitate the retrieval of audit records include, for example, converting records to newer formats, retaining equipment capable of reading the records, and retaining necessary documentation to help organizational personnel understand how to interpret the records. |
The organization employs [Assignment: organization-defined measures] to ensure that long-term audit records generated by the information system can be retrieved. |
| CCI-001910 |
The organization defines the personnel or roles allowed to select which auditable events are to be audited by specific components of the information system. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as the ISSM or individuals appointed by the ISSM. |
DoD has defined the personnel or roles as the ISSM or individuals appointed by the ISSM. |
Audit Generation |
AU-12 |
AU-12.4 |
Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records. Related controls: AC-3, AU-2, AU-3, AU-6, AU-7. |
The information system:
a. Provides audit record generation capability for the auditable events defined in AU-2 at [Assignment: organization-defined information system components];
b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and
c. Generates audit records for the audited events defined in AU-2 with the content defined in AU-3. |
| CCI-001911 |
The organization defines the selectable event criteria to be used as the basis for changes to the auditing to be performed on organization-defined information system components, by organization-defined individuals or roles, within organization-defined time thresholds. |
The organization conducting the inspection/assessment obtains and examines the documented selectable event criteria to ensure the organization being inspected/assessed defines the selectable event criteria for which changed auditing is to be performed.
DoD has determined the selectable event criteria is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the selectable event criteria for which changed auditing is to be performed.
DoD has determined the selectable event criteria is not appropriate to define at the Enterprise level. |
Audit Generation | Changes By Authorized Individuals |
AU-12 (3) |
AU-12(3).1 |
This control enhancement enables organizations to extend or limit auditing as necessary to meet organizational requirements. Auditing that is limited to conserve information system resources may be extended to address certain threat situations. In addition, auditing may be limited to a specific set of events to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which audit actions are changed, for example, near real-time, within minutes, or within hours. Related control: AU-7. |
The information system provides the capability for [Assignment: organization-defined individuals or roles] to change the auditing to be performed on [Assignment: organization-defined information system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds]. |
| CCI-001912 |
The organization defines the time thresholds for organization-defined individuals or roles to change the auditing to be performed based on organization-defined selectable event criteria. |
The organization conducting the inspection/assessment obtains and examines the documented time thresholds to ensure the organization being inspected/assessed defines the time thresholds for individuals or roles to change the auditing to be performed on information system components based on selectable event criteria defined in AU-12 (3), CCI 1911 occurs.
DoD has determined the time thresholds are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the time thresholds for individuals or roles to change the auditing to be performed on information system components based on selectable event criteria defined in AU-12 (3), CCI 1911 occurs.
DoD has determined the time thresholds are not appropriate to define at the Enterprise level. |
Audit Generation | Changes By Authorized Individuals |
AU-12 (3) |
AU-12(3).2 |
This control enhancement enables organizations to extend or limit auditing as necessary to meet organizational requirements. Auditing that is limited to conserve information system resources may be extended to address certain threat situations. In addition, auditing may be limited to a specific set of events to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which audit actions are changed, for example, near real-time, within minutes, or within hours. Related control: AU-7. |
The information system provides the capability for [Assignment: organization-defined individuals or roles] to change the auditing to be performed on [Assignment: organization-defined information system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds]. |
| CCI-001913 |
The organization defines the individuals or roles that are to be provided the capability to change the auditing to be performed based on organization-defined selectable event criteria, within organization-defined time thresholds. |
The organization conducting the inspection/assessment obtains and examines the documented individuals or roles to ensure the organization being inspected/assessed defines the individuals or roles that are to be provided the capability to change the auditing to be performed based on the selectable event criteria defined in AU-12 (3), CCI 1911, within the time thresholds defined in AU-12 (3), CCI 1912.
DoD has determined that the individuals or roles are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the individuals or roles that are to be provided the capability to change the auditing to be performed based on the selectable event criteria defined in AU-12 (3), CCI 1911, within the time thresholds defined in AU-12 (3), CCI 1912.
DoD has determined that the individuals or roles are not appropriate to define at the Enterprise level. |
Audit Generation | Changes By Authorized Individuals |
AU-12 (3) |
AU-12(3).3 |
This control enhancement enables organizations to extend or limit auditing as necessary to meet organizational requirements. Auditing that is limited to conserve information system resources may be extended to address certain threat situations. In addition, auditing may be limited to a specific set of events to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which audit actions are changed, for example, near real-time, within minutes, or within hours. Related control: AU-7. |
The information system provides the capability for [Assignment: organization-defined individuals or roles] to change the auditing to be performed on [Assignment: organization-defined information system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds]. |
| CCI-001914 |
The information system provides the capability for organization-defined individuals or roles to change the auditing to be performed on organization-defined information system components based on organization-defined selectable event criteria within organization-defined time thresholds. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide the capability for individuals or roles defined in AU-12 (3), CCI 1913 to change the auditing to be performed on information system components defined in AU-12 (3), CCI 2047 based on selectable event criteria defined in AU-12 (3), CCI 1911 within time thresholds defined in AU-12 (3), CCI 1912.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1914. |
The organization being inspected/assessed configures the information system to provide the capability for individuals or roles defined in AU-12 (3), CCI 1913 to change the auditing to be performed on information system components defined in AU-12 (3), CCI 2047 based on selectable event criteria defined in AU-12 (3), CCI 1911 within time thresholds defined in AU-12 (3), CCI 1912.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1914. |
Audit Generation | Changes By Authorized Individuals |
AU-12 (3) |
AU-12(3).4 |
This control enhancement enables organizations to extend or limit auditing as necessary to meet organizational requirements. Auditing that is limited to conserve information system resources may be extended to address certain threat situations. In addition, auditing may be limited to a specific set of events to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which audit actions are changed, for example, near real-time, within minutes, or within hours. Related control: AU-7. |
The information system provides the capability for [Assignment: organization-defined individuals or roles] to change the auditing to be performed on [Assignment: organization-defined information system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds]. |
| CCI-002047 |
The organization defines the information system components on which the auditing that is to be performed can be changed by organization-defined individuals or roles. |
The organization conducting the inspection/assessment obtains and examines the documented information system components to ensure the organization being inspected/assessed has defined the information system components on which the auditing that is to be performed can be changed by the individuals or roles defined in AU-12 (3), CCI 1913.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information system components on which the auditing that is to be performed can be changed by individuals or roles defined in AU-12 (3), CCI 1913.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
Audit Generation | Changes By Authorized Individuals |
AU-12 (3) |
AU-12(3).5 |
This control enhancement enables organizations to extend or limit auditing as necessary to meet organizational requirements. Auditing that is limited to conserve information system resources may be extended to address certain threat situations. In addition, auditing may be limited to a specific set of events to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which audit actions are changed, for example, near real-time, within minutes, or within hours. Related control: AU-7. |
The information system provides the capability for [Assignment: organization-defined individuals or roles] to change the auditing to be performed on [Assignment: organization-defined information system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds]. |
| CCI-001915 |
The organization defines the open source information and/or information sites to be monitored for evidence of unauthorized exfiltration or disclosure of organizational information. |
The organization conducting the inspection/assessment obtains and examines the documented open source information and/or information sites to ensure the organization being inspected/assessed defines the open source information and/or information sites to be monitored for evidence of unauthorized exfiltration or disclosure of organizational information.
DoD has determined that open source information and/or information sites should be defined at the Component level, not appropriate to define at the Enterprise level. Note: The value in this control may not be used to deny reciprocal acceptance of a C&A (A&A) package. |
The organization being inspected/assessed defines and documents the open source information and/or information sites to be monitored for evidence of unauthorized exfiltration or disclosure of organizational information.
DoD has determined that open source information and/or information sites should be defined at the Component level, not appropriate to define at the Enterprise level. Note: The value in this control may not be used to deny reciprocal acceptance of a C&A (A&A) package. |
Monitoring For Information Disclosure |
AU-13 |
AU-13.3 |
Open source information includes, for example, social networking sites. Related controls: PE-3, SC-7. |
The organization monitors [Assignment: organization-defined open source information and/or information sites] [Assignment: organization-defined frequency] for evidence of unauthorized disclosure of organizational information. |
| CCI-001916 |
The organization employs automated mechanisms to determine if organizational information has been disclosed in an unauthorized manner. |
The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms to ensure that the identified system determines if organizational information has been disclosed in an unauthorized manner.
The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. |
The organization being inspected/assessed documents and employs an automated mechanism to determine if organizational information has been disclosed in an unauthorized manner. |
Monitoring For Information Disclosure | Use Of Automated Tools |
AU-13 (1) |
AU-13(1).1 |
Automated mechanisms can include, for example, automated scripts to monitor new posts on selected websites, and commercial services providing notifications and alerts to organizations. |
The organization employs automated mechanisms to determine if organizational information has been disclosed in an unauthorized manner. |
| CCI-001917 |
The organization defines the frequency for reviewing the open source information sites being monitored. |
The organization conducting the inspection/assessment obtains and examines the documented frequency to ensure the organization being inspected/assessed defines the frequency for reviewing the open source information sites being monitored.
DoD has determined that the frequency should be defined at the Component level, not appropriate to define at the Enterprise level. Note: The value in this control may not be used to deny reciprocal acceptance of a C&A (A&A) package. |
The organization being inspected/assessed defines and documents the frequency for reviewing the open source information sites being monitored.
DoD has determined that the frequency should be defined at the Component level, not appropriate to define at the Enterprise level. Note: The value in this control may not be used to deny reciprocal acceptance of a C&A (A&A) package. |
Monitoring For Information Disclosure | Review Of Monitored Sites |
AU-13 (2) |
AU-13(2).1 |
|
The organization reviews the open source information sites being monitored [Assignment: organization-defined frequency]. |
| CCI-001918 |
The organization reviews the open source information sites being monitored per organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed reviews the open source information sites being monitored per the frequency defined in AU-13 (2), CCI 1917. |
The organization being inspected/assessed documents and implements a process to review the open source information sites being monitored per the frequency defined in AU-13 (2), CCI 1917. |
Monitoring For Information Disclosure | Review Of Monitored Sites |
AU-13 (2) |
AU-13(2).2 |
|
The organization reviews the open source information sites being monitored [Assignment: organization-defined frequency]. |
| CCI-001919 |
The information system provides the capability for authorized users to select a user session to capture/record or view/hear. |
The organization conducting the inspection/assessments examines the information system to ensure the organization being inspected/assessed configures the information system to provide the capability for authorized users to select a user session to capture/record or view/hear.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1919. |
The organization being inspected/assessed configures the information system to provide the capability for authorized users to select a user session to capture/record or view/hear.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1919. |
Session Audit |
AU-14 |
AU-14.1 |
Session audits include, for example, monitoring keystrokes, tracking websites visited, and recording information and/or file transfers. Session auditing activities are developed, integrated, and used in consultation with legal counsel in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, or standards. Related controls: AC-3, AU-4, AU-5, AU-9, AU-11. |
The information system provides the capability for authorized users to select a user session to capture/record or view/hear. |
| CCI-001920 |
The information system provides the capability for authorized users to remotely view/hear all content related to an established user session in real time. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide the capability for authorized users to remotely view/hear all content related to an established user session in real time.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1920. |
The organization being inspected/assessed configures the information system to provide the capability for authorized users to remotely view/hear all content related to an established user session in real time.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1920. |
Session Audit | Remote Viewing / Listening |
AU-14 (3) |
AU-14(3).1 |
|
The information system provides the capability for authorized users to remotely view/hear all content related to an established user session in real time. |
| CCI-001921 |
The organization defines the alternative audit functionality to be provided in the event of a failure in the primary audit capability. |
The organization conducting the inspection/assessment obtains and examines the documented alternative audit functionality to ensure the organization being inspected/assessed has defined the alternative audit functionality to be provided in the event of a failure in the primary audit capability.
DoD has determined that the actions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed will define and document the alternative audit functionality to be provided in the event of a failure in the primary audit capability. The organization shall consider trade-offs between the needs for system availability and audit integrity when defining the actions.
Unless availability is an overriding concern, the default action should be to shut down the information system.
DoD has determined that the actions are not appropriate to define at the Enterprise level. |
Alternate Audit Capability |
AU-15 |
AU-15.1 |
Since an alternate audit capability may be a short-term protection employed until the failure in the primary auditing capability is corrected, organizations may determine that the alternate audit capability need only provide a subset of the primary audit functionality that is impacted by the failure. Related control: AU-5. |
The organization provides an alternative audit capability in the event of a failure in primary audit capability that provides [Assignment: organization-defined alternate audit functionality]. |
| CCI-001922 |
The organization provides an alternative audit capability in the event of a failure in primary audit capability that provides organization-defined alternative audit functionality. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement an alternative audit capability in the event of a failure in primary audit capability that provides the alternative audit functionality defined in AU-15, CCI 1921.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1922. |
The organization being inspected/assessed configures the information system to implement an alternative audit capability in the event of a failure in primary audit capability that provides the alternative audit functionality defined in AU-15, CCI 1921.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1922. |
Alternate Audit Capability |
AU-15 |
AU-15.2 |
Since an alternate audit capability may be a short-term protection employed until the failure in the primary auditing capability is corrected, organizations may determine that the alternate audit capability need only provide a subset of the primary audit functionality that is impacted by the failure. Related control: AU-5. |
The organization provides an alternative audit capability in the event of a failure in primary audit capability that provides [Assignment: organization-defined alternate audit functionality]. |
| CCI-001923 |
The organization defines the audit information to be coordinated among external organizations when audit information is transmitted across organizational boundaries. |
The organization conducting the inspection/assessment obtains and examines the documented audit information to ensure the organization being inspected/assessed defines the audit information to be coordinated among external organizations when audit information is transmitted across organizational boundaries.
DoD has determined the methods are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the audit information to be coordinated among external organizations when audit information is transmitted across organizational boundaries.
DoD has determined the methods are not appropriate to define at the Enterprise level. |
Cross-Organizational Auditing |
AU-16 |
AU-16.1 |
When organizations use information systems and/or services of external organizations, the auditing capability necessitates a coordinated approach across organizations. For example, maintaining the identity of individuals that requested particular services across organizational boundaries may often be very difficult, and doing so may prove to have significant performance ramifications. Therefore, it is often the case that cross-organizational auditing (e.g., the type of auditing capability provided by service-oriented architectures) simply captures the identity of individuals issuing requests at the initial information system, and subsequent systems record that the requests emanated from authorized individuals. Related control: AU-6. |
The organization employs [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries. |
| CCI-001924 |
The organization defines the methods to be employed when coordinating audit information among external organizations when audit information is transmitted across organizational boundaries. |
The organization conducting the inspection/assessment obtains and examines the documented methods to ensure the organization being inspected/assessed defines the methods to be employed when coordinating audit information among external organizations when audit information is transmitted across organizational boundaries.
DoD has determined the methods are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the methods to be employed when coordinating audit information among external organizations when audit information is transmitted across organizational boundaries.
DoD has determined the methods are not appropriate to define at the Enterprise level. |
Cross-Organizational Auditing |
AU-16 |
AU-16.2 |
When organizations use information systems and/or services of external organizations, the auditing capability necessitates a coordinated approach across organizations. For example, maintaining the identity of individuals that requested particular services across organizational boundaries may often be very difficult, and doing so may prove to have significant performance ramifications. Therefore, it is often the case that cross-organizational auditing (e.g., the type of auditing capability provided by service-oriented architectures) simply captures the identity of individuals issuing requests at the initial information system, and subsequent systems record that the requests emanated from authorized individuals. Related control: AU-6. |
The organization employs [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries. |
| CCI-001925 |
The organization employs organization-defined methods for coordinating organization-defined audit information among external organizations when audit information is transmitted across organizational boundaries. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed employs a process to employ the methods defined in AU-16, CCI 1924 for coordinating audit information defined in AU-16, CCI 1923 among external organizations when audit information is transmitted across organizational boundaries. |
The organization being inspected/assessed documents and implements a process to employ the methods defined in AU-16, CCI 1924 for coordinating audit information defined in AU-16, CCI 1923 among external organizations when audit information is transmitted across organizational boundaries. |
Cross-Organizational Auditing |
AU-16 |
AU-16.3 |
When organizations use information systems and/or services of external organizations, the auditing capability necessitates a coordinated approach across organizations. For example, maintaining the identity of individuals that requested particular services across organizational boundaries may often be very difficult, and doing so may prove to have significant performance ramifications. Therefore, it is often the case that cross-organizational auditing (e.g., the type of auditing capability provided by service-oriented architectures) simply captures the identity of individuals issuing requests at the initial information system, and subsequent systems record that the requests emanated from authorized individuals. Related control: AU-6. |
The organization employs [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries. |
| CCI-001926 |
The organization requires that the identity of individuals be preserved in cross-organizational audit trails. |
The organization conducting the inspection/assessment obtains and examines a sampling of cross organizational audit trails to ensure that the identify of individuals conducting audited actions is preserved. |
The organization being inspected/assessed implements a process to ensure that the identity of individuals be preserved in cross organizational audit trails. |
Cross-Organizational Auditing | Identity Preservation |
AU-16 (1) |
AU-16(1).1 |
This control enhancement applies when there is a need to be able to trace actions that are performed across organizational boundaries to a specific individual. |
The organization requires that the identity of individuals be preserved in cross organizational audit trails. |
| CCI-001927 |
The organization defines the organizations that will be provided cross-organizational audit information. |
The organization conducting the inspection/assessment obtains and examines the documented organizations to ensure the organization being inspected/assessed defines the organizations that will be provided cross-organizational audit information.
DoD has determined the cross-organizational sharing agreements are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the organizations that will be provided cross-organizational audit information.
DoD has determined the cross-organizational sharing agreements are not appropriate to define at the Enterprise level. |
Cross-Organizational Auditing | Sharing Of Audit Information |
AU-16 (2) |
AU-16(2).1 |
Because of the distributed nature of the audit information, cross-organization sharing of audit information may be essential for effective analysis of the auditing being performed. For example, the audit records of one organization may not provide sufficient information to determine the appropriate or inappropriate use of organizational information resources by individuals in other organizations. In some instances, only the home organizations of individuals have the appropriate knowledge to make such determinations, thus requiring the sharing of audit information among organizations. |
The organization provides cross-organizational audit information to [Assignment: organization defined organizations] based on [Assignment: organization-defined cross organizational sharing agreements]. |
| CCI-001928 |
The organization defines the cross-organizational sharing agreements to be established with organization-defined organizations authorized to be provided cross-organizational sharing of audit information. |
The organization conducting the inspection/assessment obtains and examines the documented sharing agreements to ensure the organization being inspected/assessed defines the cross-organizational sharing agreements to be established with organizations defined in AU-16 (2), CCI 1927 authorized to be provided cross-organizational sharing of audit information.
DoD has determined the cross-organizational sharing agreements are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the cross-organizational sharing agreements to be established with organizations defined in AU-16 (2), CCI 1927 authorized to be provided cross-organizational sharing of audit information.
DoD has determined the cross-organizational sharing agreements are not appropriate to define at the Enterprise level. |
Cross-Organizational Auditing | Sharing Of Audit Information |
AU-16 (2) |
AU-16(2).2 |
Because of the distributed nature of the audit information, cross-organization sharing of audit information may be essential for effective analysis of the auditing being performed. For example, the audit records of one organization may not provide sufficient information to determine the appropriate or inappropriate use of organizational information resources by individuals in other organizations. In some instances, only the home organizations of individuals have the appropriate knowledge to make such determinations, thus requiring the sharing of audit information among organizations. |
The organization provides cross-organizational audit information to [Assignment: organization defined organizations] based on [Assignment: organization-defined cross organizational sharing agreements]. |
| CCI-001929 |
The organization provides cross-organizational audit information to organization-defined organizations based on organization-defined cross organizational sharing agreements. |
The organization conducting the inspection/assessment obtains and examines the audit information that provides cross-organizational audit information to organizations defined in AU-16 (2), CCI 1927 based on cross organizational sharing agreements defined in AU-16 (2), CCI 1928. |
The organization being inspected/assessed provides cross-organizational audit information to organizations defined in AU-16 (2), CCI 1927 based on cross organizational sharing agreements defined in AU-16 (2), CCI 1928. |
Cross-Organizational Auditing | Sharing Of Audit Information |
AU-16 (2) |
AU-16(2).3 |
Because of the distributed nature of the audit information, cross-organization sharing of audit information may be essential for effective analysis of the auditing being performed. For example, the audit records of one organization may not provide sufficient information to determine the appropriate or inappropriate use of organizational information resources by individuals in other organizations. In some instances, only the home organizations of individuals have the appropriate knowledge to make such determinations, thus requiring the sharing of audit information among organizations. |
The organization provides cross-organizational audit information to [Assignment: organization defined organizations] based on [Assignment: organization-defined cross organizational sharing agreements]. |
| CCI-002060 |
The organization develops and documents a security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
|
|
|
|
|
|
|
| CCI-002061 |
The organization defines the personnel or roles to whom security assessment and authorization policy is to be disseminated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as all personnel. |
DoD has defined the personnel or roles as all personnel.
DoD disseminates DoDI 8510.01 organization-wide via the DoD Issuances website.
http://www.dtic.mil/whs/directives/corres/ins1.html |
Security Assessment And Authorization Policy And Procedures |
CA-1 |
CA-1.1 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and
b. Reviews and updates the current:
1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and
2. Security assessment and authorization procedures [Assignment: organization-defined frequency]. |
| CCI-002062 |
The organization defines the personnel or roles to whom the security assessment and authorization procedures are to be disseminated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as all personnel. |
DoD has defined the personnel or roles as all personnel.
|
Security Assessment And Authorization Policy And Procedures |
CA-1 |
CA-1.2 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and
b. Reviews and updates the current:
1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and
2. Security assessment and authorization procedures [Assignment: organization-defined frequency]. |
| CCI-002063 |
The organization defines the level of independence for assessors or assessment teams to conduct security control assessments of organizational information systems. |
The organization conducting the inspection/assessment obtains and examines the documented level of independence to ensure the organization being inspected/assessed defines the level of independence for assessors or assessment teams to conduct security control assessments of organizational information systems.
DoD has determined the level of independence is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the level of independence for assessors or assessment teams to conduct security control assessments of organizational information systems.
DoD has determined the level of independence is not appropriate to define at the Enterprise level. |
Security Assessments | Independent Assessors |
CA-2 (1) |
CA-2(1).2 |
Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of organizational information systems. Impartiality implies that assessors are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the organizational information systems under assessment or to the determination of security control effectiveness. To achieve impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in positions of advocacy for the organizations acquiring their services. Independent assessments can be obtained from elements within organizations or can be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of information systems and/or the ultimate risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. This includes determining whether contracted security assessment services have sufficient independence, for example, when information system owners are not directly involved in contracting processes or cannot unduly influence the impartiality of assessors conducting assessments. In special situations, for example, when organizations that own the information systems are small or organizational structures require that assessments are conducted by individuals that are in the developmental, operational, or management chain of system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Organizations recognize that assessments performed for purposes other than direct support to authorization decisions are, when performed by assessors with sufficient independence, more likely to be useable for such decisions, thereby reducing the need to repeat assessments. |
The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to conduct security control assessments. |
| CCI-002064 |
The organization selects one or more security assessment techniques to be conducted. |
The organization conducting the inspection/assessment obtains and examines the selected list of assessment techniques that are to be conducted to ensure the selections have been documented. |
The organization being inspected/assessed selects and documents one or more security assessment techniques to be conducted. Techniques include in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment and performance/load testing, as well as any other techniques identified in CA-2 (2), CCI 1582.
DoD has determined the other forms of security assessments are not appropriate to define at the Enterprise level. |
Security Assessments | Specialized Assessments |
CA-2 (2) |
CA-2(2).4 |
Organizations can employ information system monitoring, insider threat assessments, malicious user testing, and other forms of testing (e.g., verification and validation) to improve readiness by exercising organizational capabilities and indicating current performance levels as a means of focusing actions to improve security. Organizations conduct assessment activities in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can incorporate vulnerabilities uncovered during assessments into vulnerability remediation processes. Related controls: PE-3, SI-2. |
The organization includes as part of security control assessments, [Assignment: organization- defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]]. |
| CCI-002065 |
The organization defines the frequency at which to conduct security control assessments. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as at least annually. |
DoD has defined the frequency as at least annually. |
Security Assessments | Specialized Assessments |
CA-2 (2) |
CA-2(2).5 |
Organizations can employ information system monitoring, insider threat assessments, malicious user testing, and other forms of testing (e.g., verification and validation) to improve readiness by exercising organizational capabilities and indicating current performance levels as a means of focusing actions to improve security. Organizations conduct assessment activities in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can incorporate vulnerabilities uncovered during assessments into vulnerability remediation processes. Related controls: PE-3, SI-2. |
The organization includes as part of security control assessments, [Assignment: organization- defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]]. |
| CCI-002066 |
The organization accepts the results of an assessment of the organization-defined information system performed by an organization-defined external organization when the assessment meets organization-defined requirements. |
The organization conducting the inspection/assessment obtains and examines a sampling of records of acceptance or rejection of external organization assessment results to ensure the organization being inspected/assessed accepts the results of an assessment of the information system defined in CA-2 (3), CCI 2067 performed by external organization defined in CA-2 (3), CCI 2068 when the assessment meets requirements defined in CA-2 (3), CCI 2069. |
The organization being inspected/assessed accepts the results of an assessment of the information system defined in CA-2 (3), CCI 2067 performed by external organization defined in CA-2 (3), CCI 2068 when the assessment meets requirements defined in CA-2 (3), CCI 2069.
The organization must maintain records of acceptance or rejection of external organization assessment results. |
Security Assessments | External Organizations |
CA-2 (3) |
CA-2(3).1 |
Organizations may often rely on assessments of specific information systems by other (external) organizations. Utilizing such existing assessments (i.e., reusing existing assessment evidence) can significantly decrease the time and resources required for organizational assessments by limiting the amount of independent assessment activities that organizations need to perform. The factors that organizations may consider in determining whether to accept assessment results from external organizations can vary. Determinations for accepting assessment results can be based on, for example, past assessment experiences one organization has had with another organization, the reputation that organizations have with regard to assessments, the level of detail of supporting assessment documentation provided, or mandates imposed upon organizations by federal legislation, policies, or directives. |
The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements]. |
| CCI-002067 |
The organization defines the information systems for which they will accept the results of an assessment performed by an external organization. |
The organization conducting the inspection/assessment obtains and examines the documented information systems to ensure the organization being inspected/assessed defines the information systems for which they will accept the results of an assessment performed by an external organization.
DoD has determined the information systems are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information systems for which they will accept the results of an assessment performed by an external organization.
DoD has determined the information systems are not appropriate to define at the Enterprise level. |
Security Assessments | External Organizations |
CA-2 (3) |
CA-2(3).2 |
Organizations may often rely on assessments of specific information systems by other (external) organizations. Utilizing such existing assessments (i.e., reusing existing assessment evidence) can significantly decrease the time and resources required for organizational assessments by limiting the amount of independent assessment activities that organizations need to perform. The factors that organizations may consider in determining whether to accept assessment results from external organizations can vary. Determinations for accepting assessment results can be based on, for example, past assessment experiences one organization has had with another organization, the reputation that organizations have with regard to assessments, the level of detail of supporting assessment documentation provided, or mandates imposed upon organizations by federal legislation, policies, or directives. |
The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements]. |
| CCI-002068 |
The organization defines the external organizations from which assessment results for organization-defined information systems will be accepted. |
The organization conducting the inspection/assessment obtains and examines the documented external organizations to ensure the organization being inspected/assessed defines the external organizations from which assessment results for organization-defined information systems will be accepted.
DoD has determined the external organizations are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the external organizations from which assessment results for organization-defined information systems will be accepted.
DoD has determined the external organizations are not appropriate to define at the Enterprise level. |
Security Assessments | External Organizations |
CA-2 (3) |
CA-2(3).3 |
Organizations may often rely on assessments of specific information systems by other (external) organizations. Utilizing such existing assessments (i.e., reusing existing assessment evidence) can significantly decrease the time and resources required for organizational assessments by limiting the amount of independent assessment activities that organizations need to perform. The factors that organizations may consider in determining whether to accept assessment results from external organizations can vary. Determinations for accepting assessment results can be based on, for example, past assessment experiences one organization has had with another organization, the reputation that organizations have with regard to assessments, the level of detail of supporting assessment documentation provided, or mandates imposed upon organizations by federal legislation, policies, or directives. |
The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements]. |
| CCI-002069 |
The organization defines the requirements the assessments for organization-defined information systems from organization-defined external organizations must meet. |
The organization conducting the inspection/assessment obtains and examine the documented requirements to ensure the organization being inspected/assessed defines the requirements the assessments for organization-defined information systems from organization-defined external organizations must meet.
DoD has determined the requirements are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the requirements the assessments for organization-defined information systems from organization-defined external organizations must meet.
DoD has determined the requirements are not appropriate to define at the Enterprise level. |
Security Assessments | External Organizations |
CA-2 (3) |
CA-2(3).4 |
Organizations may often rely on assessments of specific information systems by other (external) organizations. Utilizing such existing assessments (i.e., reusing existing assessment evidence) can significantly decrease the time and resources required for organizational assessments by limiting the amount of independent assessment activities that organizations need to perform. The factors that organizations may consider in determining whether to accept assessment results from external organizations can vary. Determinations for accepting assessment results can be based on, for example, past assessment experiences one organization has had with another organization, the reputation that organizations have with regard to assessments, the level of detail of supporting assessment documentation provided, or mandates imposed upon organizations by federal legislation, policies, or directives. |
The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements]. |
| CCI-002070 |
The organization^s security assessment plan describes the assessment team, and assessment roles and responsibilities. |
The organization conducting the inspection/assessment obtains and examines the security assessment plan to ensure the organization being inspected/assessed lists their assessment team members and their associated assessment roles and responsibilities in the security assessment plan. |
The organization being inspected/assessed lists their assessment team members and their associated assessment roles and responsibilities in the security assessment plan. |
Security Assessments |
CA-2 |
CA-2.5 |
Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives.
To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4. |
The organization:
a. Develops a security assessment plan that describes the scope of the assessment including:
1. Security controls and control enhancements under assessment;
2. Assessment procedures to be used to determine security control effectiveness; and
3. Assessment environment, assessment team, and assessment roles and responsibilities;
b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]. |
| CCI-002071 |
The organization defines the individuals or roles to whom the results of the security control assessment are to be provided. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the individuals or roles as at a minimum, the ISSO and ISSM. |
DoD has defined the individuals or roles as at a minimum, the ISSO and ISSM. |
Security Assessments |
CA-2 |
CA-2.10 |
Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives.
To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4. |
The organization:
a. Develops a security assessment plan that describes the scope of the assessment including:
1. Security controls and control enhancements under assessment;
2. Assessment procedures to be used to determine security control effectiveness; and
3. Assessment environment, assessment team, and assessment roles and responsibilities;
b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]. |
| CCI-002072 |
The organization defines the unclassified, national security systems that are prohibited from directly connecting to an external network without the use of an organization-defined boundary protection device. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the unclassified, national security systems as all unclassified NSS. |
DoD has defined the unclassified, national security systems as all unclassified NSS. |
System Interconnections | Unclassified National Security System Connections |
CA-3 (1) |
CA-3(1).2 |
Organizations typically do not have control over external networks (e.g., the Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between unclassified national security systems and external networks. This control enhancement is required for organizations processing, storing, or transmitting Controlled Unclassified Information (CUI). |
The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]. |
| CCI-002073 |
The organization defines the boundary protection device to be used to connect organization-defined unclassified, national security systems to an external network. |
The organization conducting the inspection/assessment obtains and examines the documented boundary protection device to ensure the organization being inspected/assessed defines the boundary protection device to be used to connect organization-defined unclassified, national security systems to an external network.
DoD has determined the boundary protection device is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the boundary protection device to be used to connect organization-defined unclassified, national security systems to an external network.
DoD has determined the boundary protection device is not appropriate to define at the Enterprise level. |
System Interconnections | Unclassified National Security System Connections |
CA-3 (1) |
CA-3(1).3 |
Organizations typically do not have control over external networks (e.g., the Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between unclassified national security systems and external networks. This control enhancement is required for organizations processing, storing, or transmitting Controlled Unclassified Information (CUI). |
The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]. |
| CCI-002074 |
The organization defines the boundary protection device to be used for the direct connection of classified, national security system to an external network. |
The organization conducting the inspection/assessment obtains and examines the documented boundary protection device to ensure the organization being inspected/assessed defines the boundary protection device to be used for the direct connection of classified, national security system to an external network.
DoD has determined the boundary protection device is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the boundary protection device to be used for the direct connection of classified, national security system to an external network.
DoD has determined the boundary protection device is not appropriate to define at the Enterprise level. |
System Interconnections | Classified National Security System Connections |
CA-3 (2) |
CA-3(2).2 |
Organizations typically do not have control over external networks (e.g., the Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between classified national security systems and external networks. In addition, approved boundary protection devices (typically managed interface/cross-domain systems) provide information flow enforcement from information systems to external networks. |
The organization prohibits the direct connection of a classified, national security system to an external network without the use of [Assignment; organization-defined boundary protection device]. |
| CCI-002075 |
The organization prohibits the direct connection of an organization-defined unclassified, non-national security system to an external network without the use of organization-defined boundary protection device. |
The organization conducting the inspection/assessment obtains and examines network topology diagrams and examines the information system to ensure the organization being inspected/assessed does not connect any national security systems to an external network without the use of protection devices defined in CA-3 (3), CCI 2077. |
The organization being inspected/assessed does not connect any national security systems to an external network without the use of protection devices defined in CA-3 (3), CCI 2077. |
System Interconnections | Unclassified Non-National Security System Connections |
CA-3 (3) |
CA-3(3).1 |
Organizations typically do not have control over external networks (e.g., the Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between unclassified non-national security systems and external networks. This control enhancement is required for organizations processing, storing, or transmitting Controlled Unclassified Information (CUI). |
The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non national security system] to an external network without the use of [Assignment; organization-defined boundary protection device]. |
| CCI-002076 |
The organization defines the unclassified, non-national security system that is prohibited from directly connecting to an external network without the use of an organization-defined boundary protection device. |
The organization conducting the inspection/assessment obtains and examines the documented unclassified, non-national security system to ensure the organization being inspected/assessed defines the unclassified, non-national security system that is prohibited from directly connecting to an external network without the use of an organization-defined boundary protection device.
DoD has determined the unclassified, non-national security system is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the unclassified, non-national security system that is prohibited from directly connecting to an external network without the use of an organization-defined boundary protection device.
DoD has determined the unclassified, non-national security system is not appropriate to define at the Enterprise level. |
System Interconnections | Unclassified Non-National Security System Connections |
CA-3 (3) |
CA-3(3).2 |
Organizations typically do not have control over external networks (e.g., the Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between unclassified non-national security systems and external networks. This control enhancement is required for organizations processing, storing, or transmitting Controlled Unclassified Information (CUI). |
The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non national security system] to an external network without the use of [Assignment; organization-defined boundary protection device]. |
| CCI-002077 |
The organization defines the boundary protection device to be used to directly connect an organization-defined unclassified, non-national security system to an external network. |
The organization conducting the inspection/assessment obtains and examines the documented boundary protection device to ensure the organization being inspected/assessed defines the boundary protection device to be used to directly connect an organization-defined unclassified, non-national security system to an external network.
DoD has determined the boundary protection device is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the boundary protection device to be used to directly connect an organization-defined unclassified, non-national security system to an external network.
DoD has determined the boundary protection device is not appropriate to define at the Enterprise level. |
System Interconnections | Unclassified Non-National Security System Connections |
CA-3 (3) |
CA-3(3).3 |
Organizations typically do not have control over external networks (e.g., the Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between unclassified non-national security systems and external networks. This control enhancement is required for organizations processing, storing, or transmitting Controlled Unclassified Information (CUI). |
The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non national security system] to an external network without the use of [Assignment; organization-defined boundary protection device]. |
| CCI-002078 |
The organization prohibits the direct connection of an organization-defined information system to a public network. |
The organization conducting the inspection/assessment obtains and examines network topology diagrams and examines the information system to ensure the organization being inspected/assessed does not connect any information system defined in CA-3 (4), CCI 2079 to a public network. |
The organization being inspected/assessed does not connect any information system defined in CA-3 (4), CCI 2079 to a public network. |
System Interconnections | Connections To Public Networks |
CA-3 (4) |
CA-3(4).1 |
A public network is any network accessible to the general public including, for example, the Internet and organizational extranets with public access. |
The organization prohibits the direct connection of an [Assignment: organization-defined information system] to a public network. |
| CCI-002079 |
The organization defines the information system that is prohibited from directly connecting to a public network. |
The organization conducting the inspection/assessment obtains and examines the documented information system to ensure the organization being inspected/assessed defines the information system that is prohibited from directly connecting to a public network.
DoD has determined the information system is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information system that is prohibited from directly connecting to a public network.
DoD has determined the information system is not appropriate to define at the Enterprise level. |
System Interconnections | Connections To Public Networks |
CA-3 (4) |
CA-3(4).2 |
A public network is any network accessible to the general public including, for example, the Internet and organizational extranets with public access. |
The organization prohibits the direct connection of an [Assignment: organization-defined information system] to a public network. |
| CCI-002080 |
The organization employs either an allow-all, deny-by-exception or a deny-all, permit-by-exception policy for allowing organization-defined information systems to connect to external information systems. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to employ a deny-all, permit by exception policy for allowing any systems requiring external connectivity to connect to external information systems.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2080.
DoD has defined the information systems as any systems requiring external connectivity. |
The organization being inspected/assessed configures the information system to employ a deny-all, permit by exception policy for allowing any systems requiring external connectivity to connect to external information systems.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2080.
DoD has defined the information systems as any systems requiring external connectivity. |
System Interconnections | Restrictions On External System Connections |
CA-3 (5) |
CA-3(5).1 |
Organizations can constrain information system connectivity to external domains (e.g., websites) by employing one of two policies with regard to such connectivity: (i) allow-all, deny by exception, also known as blacklisting (the weaker of the two policies); or (ii) deny-all, allow by exception, also known as whitelisting (the stronger of the two policies). For either policy, organizations determine what exceptions, if any, are acceptable. Related control: CM-7. |
The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems. |
| CCI-002081 |
The organization defines the information systems that employ either an allow-all, deny-by-exception or a deny-all, permit-by-exception policy for allowing connections to external information systems. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the information systems as any systems requiring external connectivity. |
DoD has defined the information systems as any systems requiring external connectivity. |
System Interconnections | Restrictions On External System Connections |
CA-3 (5) |
CA-3(5).2 |
Organizations can constrain information system connectivity to external domains (e.g., websites) by employing one of two policies with regard to such connectivity: (i) allow-all, deny by exception, also known as blacklisting (the weaker of the two policies); or (ii) deny-all, allow by exception, also known as whitelisting (the stronger of the two policies). For either policy, organizations determine what exceptions, if any, are acceptable. Related control: CM-7. |
The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems. |
| CCI-002082 |
The organization selects either an allow-all, deny-by-exception or a deny-all, permit-by-exception policy for allowing organization-defined information systems to connect to external information systems. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed selects deny-all, permit by exception policy for allowing any systems requiring external connectivity to connect to external information systems.
DoD has defined the information systems as any systems requiring external connectivity. |
The organization being inspected/assessed selects deny-all, permit by exception policy for allowing any systems requiring external connectivity to connect to external information systems.
DoD has defined the information systems as any systems requiring external connectivity. |
System Interconnections | Restrictions On External System Connections |
CA-3 (5) |
CA-3(5).3 |
Organizations can constrain information system connectivity to external domains (e.g., websites) by employing one of two policies with regard to such connectivity: (i) allow-all, deny by exception, also known as blacklisting (the weaker of the two policies); or (ii) deny-all, allow by exception, also known as whitelisting (the stronger of the two policies). For either policy, organizations determine what exceptions, if any, are acceptable. Related control: CM-7. |
The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems. |
| CCI-002083 |
The organization reviews and updates Interconnection Security Agreements on an organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the audit trail of reviews and updates to ensure the organization being inspected/assessed reviews and updates Interconnection Security Agreements at least annually.
DoD has defined the frequency as at least annually. |
The organization being inspected/assessed reviews and updates Interconnection Security Agreements at least annually.
The organization must maintain an audit trail of reviews and updates.
DoD has defined the frequency as at least annually. |
System Interconnections |
CA-3 |
CA-3.5 |
This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls. Related controls: AC-3, AC-4, AC-20, AU-2, AU-12, AU-16, CA-7, IA-3, SA-9, SC-7, SI-4. |
The organization:
a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;
b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and
c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency]. |
| CCI-002084 |
The organization defines the frequency at which reviews and updates to the Interconnection Security Agreements must be conducted. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as at least annually. |
DoD has defined the frequency as at least annually. |
System Interconnections |
CA-3 |
CA-3.6 |
This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls. Related controls: AC-3, AC-4, AC-20, AU-2, AU-12, AU-16, CA-7, IA-3, SA-9, SC-7, SI-4. |
The organization:
a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;
b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and
c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency]. |
| CCI-002085 |
The organization defines the level of independence the assessors or assessment teams must have to monitor the security controls in the information system on an ongoing basis. |
Future DoD-wide CM guidance to be published |
Future DoD-wide CM guidance to be published |
Continuous Monitoring | Independent Assessment |
CA-7 (1) |
CA-7(1).2 |
Organizations can maximize the value of assessments of security controls during the continuous monitoring process by requiring that such assessments be conducted by assessors or assessment teams with appropriate levels of independence based on continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in advocacy positions for the organizations acquiring their services. |
The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to monitor the security controls in the information system on an ongoing basis. |
| CCI-002086 |
The organization employs trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data. |
Future DoD-wide CM guidance to be published |
Future DoD-wide CM guidance to be published |
Continuous Monitoring | Trend Analyses |
CA-7 (3) |
CA-7(3).1 |
Trend analyses can include, for example, examining recent threat information regarding the types of threat events that have occurred within the organization or across the federal government, success rates of certain types of cyber attacks, emerging vulnerabilities in information technologies, evolving social engineering techniques, results from multiple security control assessments, the effectiveness of configuration settings, and findings from Inspectors General or auditors. |
The organization employs trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data. |
| CCI-002087 |
The organization establishes and defines the metrics to be monitored for the continuous monitoring program. |
Future DoD-wide CM guidance to be published |
Future DoD-wide CM guidance to be published |
Continuous Monitoring |
CA-7 |
CA-7.2 |
Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4. |
The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. Establishment of [Assignment: organization-defined metrics] to be monitored;
b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
e. Correlation and analysis of security-related information generated by assessments and monitoring;
f. Response actions to address results of the analysis of security-related information; and
g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. |
| CCI-002088 |
The organization establishes and defines the frequencies for continuous monitoring. |
Future DoD-wide CM guidance to be published |
Future DoD-wide CM guidance to be published |
Continuous Monitoring |
CA-7 |
CA-7.3 |
Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4. |
The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. Establishment of [Assignment: organization-defined metrics] to be monitored;
b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
e. Correlation and analysis of security-related information generated by assessments and monitoring;
f. Response actions to address results of the analysis of security-related information; and
g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. |
| CCI-002089 |
The organization establishes and defines the frequencies for assessments supporting continuous monitoring. |
Future DoD-wide CM guidance to be published |
Future DoD-wide CM guidance to be published |
Continuous Monitoring |
CA-7 |
CA-7.4 |
Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4. |
The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. Establishment of [Assignment: organization-defined metrics] to be monitored;
b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
e. Correlation and analysis of security-related information generated by assessments and monitoring;
f. Response actions to address results of the analysis of security-related information; and
g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. |
| CCI-002090 |
The organization implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy. |
Future DoD-wide CM guidance to be published |
Future DoD-wide CM guidance to be published |
Continuous Monitoring |
CA-7 |
CA-7.6 |
Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4. |
The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. Establishment of [Assignment: organization-defined metrics] to be monitored;
b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
e. Correlation and analysis of security-related information generated by assessments and monitoring;
f. Response actions to address results of the analysis of security-related information; and
g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. |
| CCI-002091 |
The organization implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring. |
Future DoD-wide CM guidance to be published |
Future DoD-wide CM guidance to be published |
Continuous Monitoring |
CA-7 |
CA-7.7 |
Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4. |
The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. Establishment of [Assignment: organization-defined metrics] to be monitored;
b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
e. Correlation and analysis of security-related information generated by assessments and monitoring;
f. Response actions to address results of the analysis of security-related information; and
g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. |
| CCI-002092 |
The organization implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information. |
Future DoD-wide CM guidance to be published |
Future DoD-wide CM guidance to be published |
Continuous Monitoring |
CA-7 |
CA-7.8 |
Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4. |
The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. Establishment of [Assignment: organization-defined metrics] to be monitored;
b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
e. Correlation and analysis of security-related information generated by assessments and monitoring;
f. Response actions to address results of the analysis of security-related information; and
g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. |
| CCI-002093 |
The organization conducts penetration testing in accordance with organization-defined frequency on organization-defined information systems or system components. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as a sampling of the penetration test results to ensure the organization being inspected/assessed conducts penetration testing in accordance with the frequency defined in CA-8, CCI 2094 on information systems or system components defined in CA-8, CCI 2095. |
The organization being inspected/assessed documents and implements a process to conduct penetration testing in accordance with the frequency defined in CA-8, CCI 2094 on information systems or system components defined in CA-8, CCI 2095.
The organization must maintain a record of penetration test results. |
Penetration Testing |
CA-8 |
CA-8.1 |
Penetration testing is a specialized type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Such testing can be used to either validate vulnerabilities or determine the degree of resistance organizational information systems have to adversaries within a set of specified constraints (e.g., time, resources, and/or skills). Penetration testing attempts to duplicate the actions of adversaries in carrying out hostile cyber attacks against organizations and provides a more in-depth analysis of security-related weaknesses/deficiencies. Organizations can also use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted on the hardware, software, or firmware components of an information system and can exercise both physical and technical security controls. A standard method for penetration testing includes, for example: (i) pretest analysis based on full knowledge of the target system; (ii) pretest identification of potential vulnerabilities based on pretest analysis; and (iii) testing designed to determine exploitability of identified vulnerabilities. All parties agree to the rules of engagement before the commencement of penetration testing scenarios. Organizations correlate the penetration testing rules of engagement with the tools, techniques, and procedures that are anticipated to be employed by adversaries carrying out attacks. Organizational risk assessments guide decisions on the level of independence required for personnel conducting penetration testing. Related control: SA-12. |
The organization conducts penetration testing [Assignment:organization-defined frequency] on [Assignment: organization-defined information systems or system components]. |
| CCI-002094 |
The organization defines the frequency for conducting penetration testing on organization-defined information systems or system components. |
The organization conducting the inspection/assessment obtains and examines the documented frequency to ensure the organization being inspected/assessed defines the frequency for conducting penetration testing on organization-defined information systems or system components.
DoD has determined the frequency is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the frequency for conducting penetration testing on organization-defined information systems or system components.
DoD has determined the frequency is not appropriate to define at the Enterprise level. |
Penetration Testing |
CA-8 |
CA-8.2 |
Penetration testing is a specialized type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Such testing can be used to either validate vulnerabilities or determine the degree of resistance organizational information systems have to adversaries within a set of specified constraints (e.g., time, resources, and/or skills). Penetration testing attempts to duplicate the actions of adversaries in carrying out hostile cyber attacks against organizations and provides a more in-depth analysis of security-related weaknesses/deficiencies. Organizations can also use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted on the hardware, software, or firmware components of an information system and can exercise both physical and technical security controls. A standard method for penetration testing includes, for example: (i) pretest analysis based on full knowledge of the target system; (ii) pretest identification of potential vulnerabilities based on pretest analysis; and (iii) testing designed to determine exploitability of identified vulnerabilities. All parties agree to the rules of engagement before the commencement of penetration testing scenarios. Organizations correlate the penetration testing rules of engagement with the tools, techniques, and procedures that are anticipated to be employed by adversaries carrying out attacks. Organizational risk assessments guide decisions on the level of independence required for personnel conducting penetration testing. Related control: SA-12. |
The organization conducts penetration testing [Assignment:organization-defined frequency] on [Assignment: organization-defined information systems or system components]. |
| CCI-002095 |
The organization defines the information systems or system components on which penetration testing will be conducted. |
The organization conducting the inspection/assessment obtains and examines the documented information systems or system components to ensure the organization being inspected/assessed defines the information systems or system components on which penetration testing will be conducted.
DoD has determined the information systems or system components are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information systems or system components on which penetration testing will be conducted.
DoD has determined the information systems or system components are not appropriate to define at the Enterprise level. |
Penetration Testing |
CA-8 |
CA-8.3 |
Penetration testing is a specialized type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Such testing can be used to either validate vulnerabilities or determine the degree of resistance organizational information systems have to adversaries within a set of specified constraints (e.g., time, resources, and/or skills). Penetration testing attempts to duplicate the actions of adversaries in carrying out hostile cyber attacks against organizations and provides a more in-depth analysis of security-related weaknesses/deficiencies. Organizations can also use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted on the hardware, software, or firmware components of an information system and can exercise both physical and technical security controls. A standard method for penetration testing includes, for example: (i) pretest analysis based on full knowledge of the target system; (ii) pretest identification of potential vulnerabilities based on pretest analysis; and (iii) testing designed to determine exploitability of identified vulnerabilities. All parties agree to the rules of engagement before the commencement of penetration testing scenarios. Organizations correlate the penetration testing rules of engagement with the tools, techniques, and procedures that are anticipated to be employed by adversaries carrying out attacks. Organizational risk assessments guide decisions on the level of independence required for personnel conducting penetration testing. Related control: SA-12. |
The organization conducts penetration testing [Assignment:organization-defined frequency] on [Assignment: organization-defined information systems or system components]. |
| CCI-002096 |
The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components. |
The organization conducting the inspection/assessment obtains and examines a sampling of the penetration test results to ensure the organization being inspected/assessed employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components. |
The organization being inspected/assessed employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components.
The organization must maintain a record of penetration test results. |
Penetration Testing | Independent Penetration Agent Or Team |
CA-8 (1) |
CA-8(1).1 |
Independent penetration agents or teams are individuals or groups who conduct impartial penetration testing of organizational information systems. Impartiality implies that penetration agents or teams are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the information systems that are the targets of the penetration testing. Supplemental guidance for CA-2 (1) provides additional information regarding independent assessments that can be applied to penetration testing. Related control: CA-2. |
The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components. |
| CCI-002097 |
The organization defines red team exercises to simulate attempts by adversaries to compromise organizational information systems. |
The organization conducting the inspection/assessment obtains and examines the documented red team exercises to ensure the organization being inspected/assessed defines red team exercises to simulate attempts by adversaries to compromise organizational information systems.
DoD has determined the red team exercises are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents red team exercises to simulate attempts by adversaries to compromise organizational information systems.
DoD has determined the red team exercises are not appropriate to define at the Enterprise level. |
Penetration Testing | Red Team Exercises |
CA-8 (2) |
CA-8(2).1 |
Red team exercises extend the objectives of penetration testing by examining the security posture of organizations and their ability to implement effective cyber defenses. As such, red team exercises reflect simulated adversarial attempts to compromise organizational mission/business functions and provide a comprehensive assessment of the security state of information systems and organizations. Simulated adversarial attempts to compromise organizational missions/business functions and the information systems that support those missions/functions may include technology-focused attacks (e.g., interactions with hardware, software, or firmware components and/or mission/business processes) and social engineering-based attacks (e.g., interactions via email, telephone, shoulder surfing, or personal conversations). While penetration testing may be largely laboratory-based testing, organizations use red team exercises to provide more comprehensive assessments that reflect real-world conditions. Red team exercises can be used to improve security awareness and training and to assess levels of security control effectiveness. |
The organization employs red team exercises to simulate attempts by adversaries to compromise organizational information systems. |
| CCI-002098 |
The organization defines rules of engagement for red team exercises to simulate attempts by adversaries to compromise organizational information systems. |
The organization conducting the inspection/assessment obtains and examines the documented rules of engagement to ensure the organization being inspected/assessed defines the rules of engagement for red team exercise to simulate attempts by adversaries to compromise organizational information systems.
DoD has determined the rules of engagement are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents rules of engagement for red team exercise to simulate attempts by adversaries to compromise organizational information systems.
DoD has determined the rules of engagement are not appropriate to define at the Enterprise level. |
Penetration Testing | Red Team Exercises |
CA-8 (2) |
CA-8(2).2 |
Red team exercises extend the objectives of penetration testing by examining the security posture of organizations and their ability to implement effective cyber defenses. As such, red team exercises reflect simulated adversarial attempts to compromise organizational mission/business functions and provide a comprehensive assessment of the security state of information systems and organizations. Simulated adversarial attempts to compromise organizational missions/business functions and the information systems that support those missions/functions may include technology-focused attacks (e.g., interactions with hardware, software, or firmware components and/or mission/business processes) and social engineering-based attacks (e.g., interactions via email, telephone, shoulder surfing, or personal conversations). While penetration testing may be largely laboratory-based testing, organizations use red team exercises to provide more comprehensive assessments that reflect real-world conditions. Red team exercises can be used to improve security awareness and training and to assess levels of security control effectiveness. |
The organization employs red team exercises to simulate attempts by adversaries to compromise organizational information systems. |
| CCI-002099 |
The organization employs organization-defined red team exercises to simulate attempts by adversaries to compromise organizational information systems in accordance with organization-defined rules of engagement. |
The organization conducting the inspection/assessment obtains and examines the record of red team exercises and results to ensure the organization being inspected/assessed employs red team exercises defined in CA-8 (2), CCI 2097 to simulate attempts by adversaries to compromise organizational information systems in accordance with rules of engagement defined in CA-8 (2), CCI 2098. |
The organization being inspected/assessed employs red team exercises defined in CA-8 (2), CCI 2097 to simulate attempts by adversaries to compromise organizational information systems in accordance with rules of engagement defined in CA-8 (2), CCI 2098.
The organization must maintain a record of red team exercises and results. |
Penetration Testing | Red Team Exercises |
CA-8 (2) |
CA-8(2).3 |
Red team exercises extend the objectives of penetration testing by examining the security posture of organizations and their ability to implement effective cyber defenses. As such, red team exercises reflect simulated adversarial attempts to compromise organizational mission/business functions and provide a comprehensive assessment of the security state of information systems and organizations. Simulated adversarial attempts to compromise organizational missions/business functions and the information systems that support those missions/functions may include technology-focused attacks (e.g., interactions with hardware, software, or firmware components and/or mission/business processes) and social engineering-based attacks (e.g., interactions via email, telephone, shoulder surfing, or personal conversations). While penetration testing may be largely laboratory-based testing, organizations use red team exercises to provide more comprehensive assessments that reflect real-world conditions. Red team exercises can be used to improve security awareness and training and to assess levels of security control effectiveness. |
The organization employs red team exercises to simulate attempts by adversaries to compromise organizational information systems. |
| CCI-002100 |
The information system performs security compliance checks on constituent components prior to the establishment of the internal connection. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of security compliance checks to ensure the organization being inspected/assessed performs security compliance checks on constituent components prior to the establishment of the internal connection. |
The organization being inspected/assessed documents and implements a process to perform security compliance checks on constituent components prior to the establishment of the internal connection.
The organization must maintain a record of security compliance checks. |
Internal System Connections | Security Compliance Checks |
CA-9 (1) |
CA-9(1).1 |
Security compliance checks may include, for example, verification of the relevant baseline configuration. Related controls: CM-6. |
The information system performs security compliance checks on constituent system components prior to the establishment of the internal connection. |
| CCI-002101 |
The organization authorizes internal connections of organization-defined information system components or classes of components to the information system. |
The organization conducting the inspection/assessment obtains and examines the audit trail of authorizations to ensure the organization being inspected/assessed authorizes internal connections of information system components defined in CA-9, CCI 2102 or classes of components to the information system. |
The organization being inspected/assessed authorizes internal connections of information system components defined in CA-9, CCI 2102 or classes of components to the information system.
The organization must maintain an audit trail of authorizations. |
Internal System Connections |
CA-9 |
CA-9.1 |
This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration. Related controls: AC-3, AC-4, AC-18, AC-19, AU-2, AU-12, CA-7, CM-2, IA-3, SC-7, SI-4. |
The organization:
a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and
b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated. |
| CCI-002102 |
The organization defines the information system components or classes of components that are authorized internal connections to the information system. |
The organization conducting the inspection/assessment obtains and examines the documented information system components to ensure the organization being inspected/assessed defines the information system components or classes of components that that are authorized internal connections to the information system.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information system components or classes of components that that are authorized internal connections to the information system.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
Internal System Connections |
CA-9 |
CA-9.2 |
This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration. Related controls: AC-3, AC-4, AC-18, AC-19, AU-2, AU-12, CA-7, CM-2, IA-3, SC-7, SI-4. |
The organization:
a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and
b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated. |
| CCI-002103 |
The organization documents, for each internal connection, the interface characteristics. |
The organization conducting the inspection/assessment obtains and examines the documented interface characteristics as well as the network topology to ensure the organization being inspected/assessed documents, for each internal connection, the interface characteristics. |
The organization being inspected/assessed documents, for each internal connection, the interface characteristics. |
Internal System Connections |
CA-9 |
CA-9.3 |
This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration. Related controls: AC-3, AC-4, AC-18, AC-19, AU-2, AU-12, CA-7, CM-2, IA-3, SC-7, SI-4. |
The organization:
a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and
b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated. |
| CCI-002104 |
The organization documents, for each internal connection, the security requirements. |
The organization conducting the inspection/assessment obtains and examines the documented security requirements as well as the network topology to ensure the organization being inspected/assessed documents, for each internal connection, the security requirements. |
The organization being inspected/assessed documents, for each internal connection, the security requirements. |
Internal System Connections |
CA-9 |
CA-9.4 |
This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration. Related controls: AC-3, AC-4, AC-18, AC-19, AU-2, AU-12, CA-7, CM-2, IA-3, SC-7, SI-4. |
The organization:
a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and
b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated. |
| CCI-002105 |
The organization documents, for each internal connection, the nature of the information communicated. |
The organization conducting the inspection/assessment obtains and examines the documented nature of information communication as well as the network topology to ensure the organization being inspected/assessed documents, for each internal connection, the nature of the information communicated. |
The organization being inspected/assessed documents, for each internal connection, the nature of the information communicated. |
Internal System Connections |
CA-9 |
CA-9.5 |
This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration. Related controls: AC-3, AC-4, AC-18, AC-19, AU-2, AU-12, CA-7, CM-2, IA-3, SC-7, SI-4. |
The organization:
a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and
b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated. |
| CCI-001820 |
The organization documents a configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
|
|
|
|
|
|
|
| CCI-001821 |
The organization defines the organizational personnel or roles to whom the configuration management policy is to be disseminated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the organizational personnel or roles as all stakeholders in the configuration management process. |
DoD has defined the organizational personnel or roles as all stakeholders in the configuration management process. |
Configuration Management Policy And Procedures |
CM-1 |
CM-1.1 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and
b. Reviews and updates the current:
1. Configuration management policy [Assignment: organization-defined frequency]; and
2. Configuration management procedures [Assignment: organization-defined frequency]. |
| CCI-001822 |
The organization disseminates the configuration management policy to organization-defined personnel or roles. |
The organization conducting the inspection/assessment obtains and examines the configuration management policy via the inspected organization's information sharing capability (e.g. portal, intranet, email, etc.) to ensure it has been disseminated. |
The organization being inspected/assessed disseminates a configuration management policy via an information sharing capability (e.g. portal, intranet, email, etc.) to all stakeholders in the configuration management process.
DoD has defined the organizational personnel or roles as all stakeholders in the configuration management process. |
Configuration Management Policy And Procedures |
CM-1 |
CM-1.4 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and
b. Reviews and updates the current:
1. Configuration management policy [Assignment: organization-defined frequency]; and
2. Configuration management procedures [Assignment: organization-defined frequency]. |
| CCI-001823 |
The organization documents the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls. |
|
|
|
|
|
|
|
| CCI-001824 |
The organization defines the organizational personnel or roles to whom the configuration management procedures are to be disseminated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the organizational personnel or roles as all stakeholders in the configuration management process. |
DoD has defined the organizational personnel or roles as all stakeholders in the configuration management process. |
Configuration Management Policy And Procedures |
CM-1 |
CM-1.2 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and
b. Reviews and updates the current:
1. Configuration management policy [Assignment: organization-defined frequency]; and
2. Configuration management procedures [Assignment: organization-defined frequency]. |
| CCI-001825 |
The organization disseminates to organization-defined personnel or roles the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls. |
The organization conducting the inspection/assessment obtains and examines the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls via the inspected organization's information sharing capability (e.g. portal, intranet, email, etc.) to ensure it has been disseminated. |
The organization being inspected/assessed disseminates the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls via an information sharing capability (e.g. portal, intranet, email, etc.) to all stakeholders in the configuration management process.
DoD has defined the organizational personnel or roles as all stakeholders in the configuration management process. |
Configuration Management Policy And Procedures |
CM-1 |
CM-1.6 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and
b. Reviews and updates the current:
1. Configuration management policy [Assignment: organization-defined frequency]; and
2. Configuration management procedures [Assignment: organization-defined frequency]. |
| CCI-001736 |
The organization defines the previous versions of the baseline configuration of the information system required to support rollback. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the previous versions as the previous approved baseline configuration of IS components for a minimum of 3 month. |
DoD has defined the previous versions as the previous approved baseline configuration of IS components for a minimum of 3 month. |
Baseline Configuration | Retention Of Previous Configurations |
CM-2 (3) |
CM-2(3).2 |
Retaining previous versions of baseline configurations to support rollback may include, for example, hardware, software, firmware, configuration files, and configuration records. |
The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback. |
| CCI-001737 |
The organization defines the information systems, system components, or devices that are to have organization-defined configurations applied when located in areas of significant risk. |
The organization conducting the inspection/assessment obtains and examines the configuration management policy to ensure the organization being inspected/assessed defines the information systems, system components, or devices that are to have configurations defined in CM-2 (7), CCI 1738 applied when located in areas of significant risk.
DoD has determined that this value is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents, in the configuration management policy, the information systems, system components, or devices that are to have configurations defined in CM-2 (7), CCI 1738 applied when located in areas of significant risk.
DoD has determined that this value is not appropriate to define at the Enterprise level. |
Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas |
CM-2 (7) |
CM-2(7).1 |
When it is known that information systems, system components, or devices (e.g., notebook computers, mobile devices) will be located in high-risk areas, additional security controls may be implemented to counter the greater threat in such areas coupled with the lack of physical security relative to organizational-controlled areas. For example, organizational policies and procedures for notebook computers used by individuals departing on and returning from travel include, for example, determining which locations are of concern, defining required configurations for the devices, ensuring that the devices are configured as intended before travel is initiated, and applying specific safeguards to the device after travel is completed. Specially configured notebook computers include, for example, computers with sanitized hard drives, limited applications, and additional hardening (e.g., more stringent configuration settings). Specified safeguards applied to mobile devices upon return from travel include, for example, examining the device for signs of physical tampering and purging/reimaging the hard disk drive. Protecting information residing on mobile devices is covered in the media protection family. |
The organization:
(a) Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
(b) Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return. |
| CCI-001738 |
The organization defines the security configurations to be implemented on information systems, system components, or devices when they are located in areas of significant risk. |
The organization conducting the inspection/assessment obtains and examines the configuration management policy to ensure the organization being inspected/assessed defines the security configurations to be implemented on information systems, system components, or devices when they are located in areas of significant risk.
DoD has determined that this value is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents, in the configuration management policy, the security configurations to be implemented on information systems, system components, or devices when they are located in areas of significant risk.
DoD has determined that this value is not appropriate to define at the Enterprise level. |
Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas |
CM-2 (7) |
CM-2(7).2 |
When it is known that information systems, system components, or devices (e.g., notebook computers, mobile devices) will be located in high-risk areas, additional security controls may be implemented to counter the greater threat in such areas coupled with the lack of physical security relative to organizational-controlled areas. For example, organizational policies and procedures for notebook computers used by individuals departing on and returning from travel include, for example, determining which locations are of concern, defining required configurations for the devices, ensuring that the devices are configured as intended before travel is initiated, and applying specific safeguards to the device after travel is completed. Specially configured notebook computers include, for example, computers with sanitized hard drives, limited applications, and additional hardening (e.g., more stringent configuration settings). Specified safeguards applied to mobile devices upon return from travel include, for example, examining the device for signs of physical tampering and purging/reimaging the hard disk drive. Protecting information residing on mobile devices is covered in the media protection family. |
The organization:
(a) Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
(b) Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return. |
| CCI-001739 |
The organization issues organization-defined information systems, system components, or devices with organization-defined configurations to individuals traveling to locations the organization deems to be of significant risk. |
The organization conducting the inspection/assessment interviews organizational personnel with configuration management responsibilities to ensure that individuals traveling to locations that the organization deems to be of significant risk are issued information systems, system components, or devices as defined in CM-2 (7) CCI 1737 with configurations as defined in CM-2 (7) CCI 1738. |
The organization being inspected/assessed issues information systems, system components, or devices as defined in CM-2 (7) CCI 1737 with configurations as defined in CM-2 (7) CCI 1738 to individuals traveling to locations the organization deems to be of significant risk. |
Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas |
CM-2 (7) |
CM-2(7).3 |
When it is known that information systems, system components, or devices (e.g., notebook computers, mobile devices) will be located in high-risk areas, additional security controls may be implemented to counter the greater threat in such areas coupled with the lack of physical security relative to organizational-controlled areas. For example, organizational policies and procedures for notebook computers used by individuals departing on and returning from travel include, for example, determining which locations are of concern, defining required configurations for the devices, ensuring that the devices are configured as intended before travel is initiated, and applying specific safeguards to the device after travel is completed. Specially configured notebook computers include, for example, computers with sanitized hard drives, limited applications, and additional hardening (e.g., more stringent configuration settings). Specified safeguards applied to mobile devices upon return from travel include, for example, examining the device for signs of physical tampering and purging/reimaging the hard disk drive. Protecting information residing on mobile devices is covered in the media protection family. |
The organization:
(a) Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
(b) Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return. |
| CCI-001815 |
The organization defines the security safeguards to be applied to devices when they return from areas of significant risk. |
The organization conducting the inspection/assessment obtains and examines the configuration management policy to ensure the organization being inspected/assessed defines the security safeguards to be applied to devices when they return from areas of significant risk.
DoD has determined that this value is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents, in the configuration management policy, the security safeguards to be applied to devices when they return from areas of significant risk.
DoD has determined that this value is not appropriate to define at the Enterprise level. |
Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas |
CM-2 (7) |
CM-2(7).4 |
When it is known that information systems, system components, or devices (e.g., notebook computers, mobile devices) will be located in high-risk areas, additional security controls may be implemented to counter the greater threat in such areas coupled with the lack of physical security relative to organizational-controlled areas. For example, organizational policies and procedures for notebook computers used by individuals departing on and returning from travel include, for example, determining which locations are of concern, defining required configurations for the devices, ensuring that the devices are configured as intended before travel is initiated, and applying specific safeguards to the device after travel is completed. Specially configured notebook computers include, for example, computers with sanitized hard drives, limited applications, and additional hardening (e.g., more stringent configuration settings). Specified safeguards applied to mobile devices upon return from travel include, for example, examining the device for signs of physical tampering and purging/reimaging the hard disk drive. Protecting information residing on mobile devices is covered in the media protection family. |
The organization:
(a) Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
(b) Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return. |
| CCI-001816 |
The organization applies organization-defined security safeguards to devices when individuals return from areas of significant risk. |
The organization conducting the inspection/assessment interviews organizational personnel with configuration management responsibilities to ensure that when individuals return from areas of significant risk, security safeguards as defined in CM-2 (7) CCI 1815 are applied to devices as defined in CM-2 (7) CCI 1737. |
The organization being inspected/assessed applies security safeguards as defined in CM-2 (7) CCI 1815 to devices when individuals return from areas of significant risk. |
Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas |
CM-2 (7) |
CM-2(7).5 |
When it is known that information systems, system components, or devices (e.g., notebook computers, mobile devices) will be located in high-risk areas, additional security controls may be implemented to counter the greater threat in such areas coupled with the lack of physical security relative to organizational-controlled areas. For example, organizational policies and procedures for notebook computers used by individuals departing on and returning from travel include, for example, determining which locations are of concern, defining required configurations for the devices, ensuring that the devices are configured as intended before travel is initiated, and applying specific safeguards to the device after travel is completed. Specially configured notebook computers include, for example, computers with sanitized hard drives, limited applications, and additional hardening (e.g., more stringent configuration settings). Specified safeguards applied to mobile devices upon return from travel include, for example, examining the device for signs of physical tampering and purging/reimaging the hard disk drive. Protecting information residing on mobile devices is covered in the media protection family. |
The organization:
(a) Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
(b) Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return. |
| CCI-001740 |
The organization reviews proposed configuration-controlled changes to the information system. |
The organization conducting the inspection/assessment obtains and examines the audit trail of a sampling of proposed configuration controlled changes to ensure the reviews are being conducted. |
The organization being inspected/assessed conducts reviews of records documenting the proposed configuration controlled changes to each information system.
The organization will maintain an audit trail of each proposed configuration controlled change.
This action will be implemented by the CCB as defined in CM-3, CCI 1586. |
Configuration Change Control |
CM-3 |
CM-3.3 |
Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12. |
The organization:
a. Determines the types of changes to the information system that are configuration-controlled;
b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
c. Documents configuration change decisions associated with the information system;
d. Implements approved configuration-controlled changes to the information system;
e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
f. Audits and reviews activities associated with configuration-controlled changes to the information system; and
g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]]. |
| CCI-001741 |
The organization documents configuration change decisions associated with the information system. |
The organization conducting the inspection/assessment obtains and examines the audit trail documenting configuration change decisions associated with the information system to ensure the organization being inspected/assessed has documented their decisions. |
The organization being inspected/assessed documents configuration change decisions associated with the information system.
The organization must maintain an audit trail of configuration change decisions.
This action will be implemented by the CCB as defined in CM-3, CCI 1586. |
Configuration Change Control |
CM-3 |
CM-3.4 |
Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12. |
The organization:
a. Determines the types of changes to the information system that are configuration-controlled;
b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
c. Documents configuration change decisions associated with the information system;
d. Implements approved configuration-controlled changes to the information system;
e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
f. Audits and reviews activities associated with configuration-controlled changes to the information system; and
g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]]. |
| CCI-001742 |
The organization defines the approval authorities to be notified when proposed changes to the information system are received. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the approval authorities as the configuration control board (CCB). |
DoD has defined the approval authorities as the configuration control board (CCB). |
Configuration Change Control | Automated Document / Notification / Prohibition Of Changes |
CM-3 (1) |
CM-3(1).3 |
|
The organization employs automated mechanisms to:
(a) Document proposed changes to the information system;
(b) Notify [Assignment: organized-defined approval authorities] of proposed changes to the information system and request change approval;
(c) Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period];
(d) Prohibit changes to the information system until designated approvals are received;
(e) Document all changes to the information system; and
(f) Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed. |
| CCI-001743 |
The organization defines the security responses to be automatically implemented by the information system if baseline configurations are changed in an unauthorized manner. |
The organization conducting the inspection/assessment obtains and examines the configuration management policy to ensure the organization being inspected/assessed defines the security responses to be automatically implemented by the information system if baseline configurations are changed in an unauthorized manner.
DoD has determined that the value is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents, in the configuration management policy, the security responses to be automatically implemented by the information system if baseline configurations are changed in an unauthorized manner.
DoD has determined that the value is not appropriate to define at the Enterprise level. |
Configuration Change Control | Automated Security Response |
CM-3 (5) |
CM-3(5).1 |
Security responses include, for example, halting information system processing, halting selected system functions, or issuing alerts/notifications to organizational personnel when there is an unauthorized modification of a configuration item. |
The information system implements [Assignment: organization-defined security responses] automatically if baseline configurations are changed in an unauthorized manner. |
| CCI-001744 |
The information system implements organization-defined security responses automatically if baseline configurations are changed in an unauthorized manner. |
The organization conducting the inspection/assessment obtains and examines the audit trail to ensure the organization being inspected/assessed implements security responses, as defined in CM-3 (5), CCI 1743, automatically if baseline configurations are changed in an unauthorized manner. |
The organization being inspected/assessed implements security responses, as defined in CM-3 (5), CCI 1743, automatically if baseline configurations are changed in an unauthorized manner.
The information system must maintain an audit trail of automatic security responses to unauthorized changes in baseline configurations. |
Configuration Change Control | Automated Security Response |
CM-3 (5) |
CM-3(5).2 |
Security responses include, for example, halting information system processing, halting selected system functions, or issuing alerts/notifications to organizational personnel when there is an unauthorized modification of a configuration item. |
The information system implements [Assignment: organization-defined security responses] automatically if baseline configurations are changed in an unauthorized manner. |
| CCI-001745 |
The organization defines the security safeguards that are to be provided by the cryptographic mechanisms which are employed by the organization. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the security safeguards as all security safeguards. |
DoD has defined the security safeguards as all security safeguards. |
Configuration Change Control | Cryptography Management |
CM-3 (6) |
CM-3(6).1 |
Regardless of the cryptographic means employed (e.g., public key, private key, shared secrets), organizations ensure that there are processes and procedures in place to effectively manage those means. For example, if devices use certificates as a basis for identification and authentication, there needs to be a process in place to address the expiration of those certificates. Related control: SC-13. |
The organization ensures that cryptographic mechanisms used to provide [Assignment: organization-defined security safeguards] are under configuration management. |
| CCI-001746 |
The organization ensures that cryptographic mechanisms used to provide organization-defined security safeguards are under configuration management. |
The organization conducting the inspection/assessment obtains and examines the configuration management policy to ensure that cryptographic mechanisms used to provide all security safeguards are documented in the policy.
DoD has defined the security safeguards as all security safeguards. |
The organization being inspected/assessed ensures that cryptographic mechanisms used to provide all security safeguards are under configuration management.
DoD has defined the security safeguards as all security safeguards. |
Configuration Change Control | Cryptography Management |
CM-3 (6) |
CM-3(6).2 |
Regardless of the cryptographic means employed (e.g., public key, private key, shared secrets), organizations ensure that there are processes and procedures in place to effectively manage those means. For example, if devices use certificates as a basis for identification and authentication, there needs to be a process in place to address the expiration of those certificates. Related control: SC-13. |
The organization ensures that cryptographic mechanisms used to provide [Assignment: organization-defined security safeguards] are under configuration management. |
| CCI-001819 |
The organization implements approved configuration-controlled changes to the information system. |
The organization conducting the inspection/assessment obtains and examines the audit trail documenting the implementation of approved configuration-controlled changes to the information system to ensure the organization being inspected/assessed has implemented the approved changes. |
The organization being inspected/assessed implements approved configuration-controlled changes to the information system.
The organization must maintain an audit trail of the implementation of approved configuration-controlled changes. |
Configuration Change Control |
CM-3 |
CM-3.5 |
Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12. |
The organization:
a. Determines the types of changes to the information system that are configuration-controlled;
b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
c. Documents configuration change decisions associated with the information system;
d. Implements approved configuration-controlled changes to the information system;
e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
f. Audits and reviews activities associated with configuration-controlled changes to the information system; and
g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]]. |
| CCI-002056 |
The organization defines the time period the records of configuration-controlled changes are to be retained. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as a time period defined by the organization's CCB. |
DoD has defined the time period as a time period defined by the organization's CCB. |
Configuration Change Control |
CM-3 |
CM-3.7 |
Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12. |
The organization:
a. Determines the types of changes to the information system that are configuration-controlled;
b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
c. Documents configuration change decisions associated with the information system;
d. Implements approved configuration-controlled changes to the information system;
e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
f. Audits and reviews activities associated with configuration-controlled changes to the information system; and
g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]]. |
| CCI-002057 |
The organization defines the personnel to be notified when approved changes to the information system are completed. |
The organization conducting the inspection/assessment obtains and examines the documented personnel to ensure the organization being inspected/assessed defines the personnel to be notified when approved changes to the information system are completed, which must include, at a minimum, the CCB.
DoD has defined the personnel as at a minimum, the CCB. |
The organization being inspected/assessed defines and documents the personnel to be notified when approved changes to the information system are completed, which must include, at a minimum, the CCB.
DoD has defined the personnel as at a minimum, the CCB. |
Configuration Change Control | Automated Document / Notification / Prohibition Of Changes |
CM-3 (1) |
CM-3(1).8 |
|
The organization employs automated mechanisms to:
(a) Document proposed changes to the information system;
(b) Notify [Assignment: organized-defined approval authorities] of proposed changes to the information system and request change approval;
(c) Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period];
(d) Prohibit changes to the information system until designated approvals are received;
(e) Document all changes to the information system; and
(f) Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed. |
| CCI-002058 |
The organization employs automated mechanisms to notify organization-defined personnel when approved changes to the information system are completed. |
The organization conducting the inspection/assessment obtains and examines the audit trail of notifications of completed changes to the information system to ensure the organization being inspected/assessed notifies at a minimum, the CCB when approved changes to the information system are completed.
DoD has defined the personnel as at a minimum, the CCB.
|
The organization being inspected/assessed notifies at a minimum, the CCB when approved changes to the information system are completed.
The organization must maintain an audit trail of notifications of completed changes to the information system.
DoD has defined the personnel as at a minimum, the CCB. |
Configuration Change Control | Automated Document / Notification / Prohibition Of Changes |
CM-3 (1) |
CM-3(1).9 |
|
The organization employs automated mechanisms to:
(a) Document proposed changes to the information system;
(b) Notify [Assignment: organized-defined approval authorities] of proposed changes to the information system and request change approval;
(c) Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period];
(d) Prohibit changes to the information system until designated approvals are received;
(e) Document all changes to the information system; and
(f) Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed. |
| CCI-001817 |
The organization, when analyzing changes to the information system, looks for security impacts due to flaws, weaknesses, incompatibility, or intentional malice. |
The organization conducting the inspection/assessment obtains and examines the documented process and record of analysis to ensure the organization being inspected/assessed, when analyzing changes to the information system, looks for security impacts due to flaws, weaknesses, incompatibility, or intentional malice. |
The organization being inspected/assessed documents within their process for analyzing changes to the information system, methods for identifying security impacts due to flaws, weaknesses, incompatibility, or intentional malice.
The organization implements the documented process and must maintain a record of analysis. |
Security Impact Analysis | Separate Test Environments |
CM-4 (1) |
CM-4(1).1 |
Separate test environment in this context means an environment that is physically or logically isolated and distinct from the operational environment. The separation is sufficient to ensure that activities in the test environment do not impact activities in the operational environment, and information in the operational environment is not inadvertently transmitted to the test environment. Separate environments can be achieved by physical or logical means. If physically separate test environments are not used, organizations determine the strength of mechanism required when implementing logical separation (e.g., separation achieved through virtual machines). Related controls: SA-11, SC-3, SC-7. |
The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice. |
| CCI-001818 |
The organization analyzes changes to the information system in a separate test environment before installation in an operational environment. |
The organization conducting the inspection/assessment obtains and examines the documented policy for analyzing changes as well as records of analysis to ensure the organization being inspected/assessed analyzes changes to the information system in a separate test environment before installation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice. |
The organization being inspected/assessed documents and employs a policy to analyze changes to the information system in a separate test environment before installation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.
The organization must maintain records of analysis of changes to the information system. |
Security Impact Analysis | Separate Test Environments |
CM-4 (1) |
CM-4(1).2 |
Separate test environment in this context means an environment that is physically or logically isolated and distinct from the operational environment. The separation is sufficient to ensure that activities in the test environment do not impact activities in the operational environment, and information in the operational environment is not inadvertently transmitted to the test environment. Separate environments can be achieved by physical or logical means. If physically separate test environments are not used, organizations determine the strength of mechanism required when implementing logical separation (e.g., separation achieved through virtual machines). Related controls: SA-11, SC-3, SC-7. |
The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice. |
| CCI-001747 |
The organization defines critical software components the information system will prevent from being installed without verification the component has been digitally signed using a certificate that is recognized and approved by the organization. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the software components as any software components when the vendor provides digitally signed products. |
DoD has defined the software components as any software components when the vendor provides digitally signed products. |
Access Restrictions For Change | Signed Components |
CM-5 (3) |
CM-5(3).1 |
Software and firmware components prevented from installation unless signed with recognized and approved certificates include, for example, software and firmware version updates, patches, service packs, device drivers, and basic input output system (BIOS) updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures and organizational verification of such signatures, is a method of code authentication. Related controls: CM-7, SC-13, SI-7. |
The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization. |
| CCI-001748 |
The organization defines critical firmware components the information system will prevent from being installed without verification the component has been digitally signed using a certificate that is recognized and approved by the organization. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the critical firmware components as any firmware components when the vendor provides digitally signed products. |
DoD has defined the critical firmware components as any firmware components when the vendor provides digitally signed products. |
Access Restrictions For Change | Signed Components |
CM-5 (3) |
CM-5(3).2 |
Software and firmware components prevented from installation unless signed with recognized and approved certificates include, for example, software and firmware version updates, patches, service packs, device drivers, and basic input output system (BIOS) updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures and organizational verification of such signatures, is a method of code authentication. Related controls: CM-7, SC-13, SI-7. |
The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization. |
| CCI-001749 |
The information system prevents the installation of organization-defined software components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization. |
The organization conducting the inspection/assessment obtains and examines the documented process for preventing the installation of software onto any software components when the vendor provides digitally signed products without verification that software has been digitally signed using a certificate and approved by the organization.
The organization conducting the inspection/assessment reviews software on a sampling of the defined components to ensure that only software digitally signed by a defined CA is installed.
DoD has defined the software components as any software components when the vendor provides digitally signed products. |
The organization being inspected/assessed documents and implements a process to prevent the installation of software onto any software components when the vendor provides digitally signed products without verification that software has been digitally signed using a certificate and approved by the organization.
DoD has defined the software components as any software components when the vendor provides digitally signed products. |
Access Restrictions For Change | Signed Components |
CM-5 (3) |
CM-5(3).3 |
Software and firmware components prevented from installation unless signed with recognized and approved certificates include, for example, software and firmware version updates, patches, service packs, device drivers, and basic input output system (BIOS) updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures and organizational verification of such signatures, is a method of code authentication. Related controls: CM-7, SC-13, SI-7. |
The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization. |
| CCI-001750 |
The information system prevents the installation of organization-defined firmware components without verification the firmware component has been digitally signed using a certificate that is recognized and approved by the organization. |
The organization conducting the inspection/assessment obtains and examines the documented process for preventing the installation of firmware onto any firmware components when the vendor provides digitally signed products without verification that firmware has been digitally signed using a certificate and approved by the organization.
The organization conducting the inspection/assessment reviews firmware on a sampling of the defined components to ensure that only firmware digitally signed by a defined CA is installed. |
The organization being inspected/assessed documents and implements a process to prevent the installation of firmware onto any firmware components when the vendor provides digitally signed products without verification that firmware has been digitally signed using a certificate and approved by the organization.
DoD has defined the critical firmware components as any firmware components when the vendor provides digitally signed products. |
Access Restrictions For Change | Signed Components |
CM-5 (3) |
CM-5(3).4 |
Software and firmware components prevented from installation unless signed with recognized and approved certificates include, for example, software and firmware version updates, patches, service packs, device drivers, and basic input output system (BIOS) updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures and organizational verification of such signatures, is a method of code authentication. Related controls: CM-7, SC-13, SI-7. |
The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization. |
| CCI-001751 |
The organization defines system-level information requiring enforcement of a dual authorization for information system changes. |
The organization conducting the inspection/assessment obtains and examines the documented system-level information to ensure the organization being inspected/assessed defines the system-level information requiring enforcement of a dual authorization for information system changes.
DoD has determined to the information is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents system-level information requiring enforcement of a dual authorization for information system changes.
DoD has determined to the information is not appropriate to define at the Enterprise level. |
Access Restrictions For Change | Dual Authorization |
CM-5 (4) |
CM-5(4).3 |
Organizations employ dual authorization to ensure that any changes to selected information system components and information cannot occur unless two qualified individuals implement such changes. The two individuals possess sufficient skills/expertise to determine if the proposed changes are correct implementations of approved changes. Dual authorization may also be known as two-person control. Related controls: AC-5, CM-3. |
The organization enforces dual authorization for implementing changes to [Assignment: organization-defined information system components and system-level information]. |
| CCI-001752 |
The organization enforces dual authorization for changes to organization-defined system-level information. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed enforces dual authorization for changes to system-level information defined in CM-5 (4), CCI 1751. |
The organization being inspected/assessed documents and implements a process to enforce dual authorization for changes to system-level information defined in CM-5 (4), CCI 1751. |
Access Restrictions For Change | Dual Authorization |
CM-5 (4) |
CM-5(4).4 |
Organizations employ dual authorization to ensure that any changes to selected information system components and information cannot occur unless two qualified individuals implement such changes. The two individuals possess sufficient skills/expertise to determine if the proposed changes are correct implementations of approved changes. Dual authorization may also be known as two-person control. Related controls: AC-5, CM-3. |
The organization enforces dual authorization for implementing changes to [Assignment: organization-defined information system components and system-level information]. |
| CCI-001753 |
The organization limits privileges to change information system components within a production or operational environment. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed limits privileges to change information system components within a production or operational environment. |
The organization being inspected/assessed documents and implements a process to limit privileges to change information system components within a production or operational environment. |
Access Restrictions For Change | Limit Production / Operational Privileges |
CM-5 (5) |
CM-5(5).1 |
In many organizations, information systems support multiple core missions/business functions. Limiting privileges to change information system components with respect to operational systems is necessary because changes to a particular information system component may have far-reaching effects on mission/business processes supported by the system where the component resides. The complex, many-to-many relationships between systems and mission/business processes are in some cases, unknown to developers. Related control: AC-2. |
The organization:
(a) Limits privileges to change information system components and system-related information within a production or operational environment; and
(b) Reviews and reevaluates privileges [Assignment: organization-defined frequency]. |
| CCI-001754 |
The organization limits privileges to change system-related information within a production or operational environment. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed limits privileges to change system-related information within a production or operational environment. |
The organization being inspected/assessed documents and implements a process to limit privileges to change system-related information within a production or operational environment. |
Access Restrictions For Change | Limit Production / Operational Privileges |
CM-5 (5) |
CM-5(5).2 |
In many organizations, information systems support multiple core missions/business functions. Limiting privileges to change information system components with respect to operational systems is necessary because changes to a particular information system component may have far-reaching effects on mission/business processes supported by the system where the component resides. The complex, many-to-many relationships between systems and mission/business processes are in some cases, unknown to developers. Related control: AC-2. |
The organization:
(a) Limits privileges to change information system components and system-related information within a production or operational environment; and
(b) Reviews and reevaluates privileges [Assignment: organization-defined frequency]. |
| CCI-001813 |
The information system enforces access restrictions. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the configuration of the information system to ensure access restrictions are implemented. |
The organization being inspected/assessed documents and implements a process to enforce access restrictions provided by the information system. |
Access Restrictions For Change | Automated Access Enforcement / Auditing |
CM-5 (1) |
CM-5(1).1 |
Related controls: AU-2, AU-12, AU-6, CM-3, CM-6. |
The information system enforces access restrictions and supports auditing of the enforcement actions. |
| CCI-001814 |
The Information system supports auditing of the enforcement actions. |
The organization conducting the inspection/assessment reviews vendor documentation to ensure the information system supports auditing of the enforcement actions. If vendor documentation is not available, the organization conducting the inspection/assessment tests the information system for the capability. |
The organization being inspected/assessed leverages only information systems which support auditing of enforcement actions. |
Access Restrictions For Change | Automated Access Enforcement / Auditing |
CM-5 (1) |
CM-5(1).2 |
Related controls: AU-2, AU-12, AU-6, CM-3, CM-6. |
The information system enforces access restrictions and supports auditing of the enforcement actions. |
| CCI-001826 |
The organization defines the circumstances upon which the organization reviews the information system changes to determine whether unauthorized changes have occurred. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the circumstances as when there is an incident or when planned changes have been performed. |
DoD has defined the circumstances as when there is an incident or when planned changes have been performed. |
Access Restrictions For Change | Review System Changes |
CM-5 (2) |
CM-5(2).4 |
Indications that warrant review of information system changes and the specific circumstances justifying such reviews may be obtained from activities carried out by organizations during the configuration change process. Related controls: AU-6, AU-7, CM-3, CM-5, PE-6, PE-8. |
The organization reviews information system changes [Assignment: organization-defined frequency] and [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred. |
| CCI-001827 |
The organization defines the frequency with which to review information system privileges. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as every 90 days. |
DoD has defined the frequency as every 90 days. |
Access Restrictions For Change | Limit Production / Operational Privileges |
CM-5 (5) |
CM-5(5).3 |
In many organizations, information systems support multiple core missions/business functions. Limiting privileges to change information system components with respect to operational systems is necessary because changes to a particular information system component may have far-reaching effects on mission/business processes supported by the system where the component resides. The complex, many-to-many relationships between systems and mission/business processes are in some cases, unknown to developers. Related control: AC-2. |
The organization:
(a) Limits privileges to change information system components and system-related information within a production or operational environment; and
(b) Reviews and reevaluates privileges [Assignment: organization-defined frequency]. |
| CCI-001828 |
The organization defines the frequency with which to reevaluate information system privileges. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as every 90 days. |
DoD has defined the frequency as every 90 days. |
Access Restrictions For Change | Limit Production / Operational Privileges |
CM-5 (5) |
CM-5(5).4 |
In many organizations, information systems support multiple core missions/business functions. Limiting privileges to change information system components with respect to operational systems is necessary because changes to a particular information system component may have far-reaching effects on mission/business processes supported by the system where the component resides. The complex, many-to-many relationships between systems and mission/business processes are in some cases, unknown to developers. Related control: AC-2. |
The organization:
(a) Limits privileges to change information system components and system-related information within a production or operational environment; and
(b) Reviews and reevaluates privileges [Assignment: organization-defined frequency]. |
| CCI-001829 |
The organization reviews information system privileges per an organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the audit trail of reviews to ensure the organization being inspected/assessed reviews information system privileges every 90 days.
DoD has defined the frequency as every 90 days. |
The organization being inspected/assessed reviews information system privileges every 90 days.
The organization must maintain the reviews as an audit trail.
DoD has defined the frequency as every 90 days. |
Access Restrictions For Change | Limit Production / Operational Privileges |
CM-5 (5) |
CM-5(5).5 |
In many organizations, information systems support multiple core missions/business functions. Limiting privileges to change information system components with respect to operational systems is necessary because changes to a particular information system component may have far-reaching effects on mission/business processes supported by the system where the component resides. The complex, many-to-many relationships between systems and mission/business processes are in some cases, unknown to developers. Related control: AC-2. |
The organization:
(a) Limits privileges to change information system components and system-related information within a production or operational environment; and
(b) Reviews and reevaluates privileges [Assignment: organization-defined frequency]. |
| CCI-001830 |
The organization reevaluates information system privileges per an organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the audit trail of reviews to ensure the organization being inspected/assessed reevaluates information system privileges every 90 days.
DoD has defined the frequency as every 90 days. |
The organization being inspected/assessed reevaluates information system privileges every 90 days.
The organization must maintain the reevaluations as an audit trail.
DoD has defined the frequency as every 90 days. |
Access Restrictions For Change | Limit Production / Operational Privileges |
CM-5 (5) |
CM-5(5).6 |
In many organizations, information systems support multiple core missions/business functions. Limiting privileges to change information system components with respect to operational systems is necessary because changes to a particular information system component may have far-reaching effects on mission/business processes supported by the system where the component resides. The complex, many-to-many relationships between systems and mission/business processes are in some cases, unknown to developers. Related control: AC-2. |
The organization:
(a) Limits privileges to change information system components and system-related information within a production or operational environment; and
(b) Reviews and reevaluates privileges [Assignment: organization-defined frequency]. |
| CCI-001755 |
The organization defines the information system components for which any deviation from the established configuration settings are to be identified, documented, and approved. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the information system components as all configurable information system components. |
DoD has defined the information system components as all configurable information system components. |
Configuration Settings |
CM-6 |
CM-6.9 |
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline.
Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. |
The organization:
a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
b. Implements the configuration settings;
c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization - defined information system components] based on [Assignment: organization-defined operational requirements]; and
d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. |
| CCI-001756 |
The organization defines the operational requirements on which the configuration settings for the organization-defined information system components are to be based. |
The organization conducting the inspection/assessment obtains and examines the system security plan to ensure the organization being inspected/assessed defines the requirements which may deviate from the approved configuration settings on the information system components defined in CM-6, CCI 1755.
DoD has determined that it is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed must define and document in the system security plan, the requirements which may deviate from the approved configuration settings on the information system components defined in CM-6, CCI 1755.
DoD has determined that it is not appropriate to define at the Enterprise level. |
Configuration Settings |
CM-6 |
CM-6.10 |
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline.
Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. |
The organization:
a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
b. Implements the configuration settings;
c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization - defined information system components] based on [Assignment: organization-defined operational requirements]; and
d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. |
| CCI-001757 |
The organization defines the security safeguards the organization is to employ when responding to unauthorized changes to the organization-defined configuration settings. |
The organization conducting the inspection/assessment obtains and examines the configuration management policy to ensure the organization being inspected/assessed defines the security safeguards the organization is to employ when responding to unauthorized changes to the configuration settings defined in CM-6 (2), CCI 1758.
DoD has determined that it is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed must define and document in the configuration management policy, the security safeguards the organization is to employ when responding to unauthorized changes to the configuration settings defined in CM-6 (2), CCI 1758.
DoD has determined that it is not appropriate to define at the Enterprise level. |
Configuration Settings | Respond To Unauthorized Changes |
CM-6 (2) |
CM-6(2).1 |
Responses to unauthorized changes to configuration settings can include, for example, alerting designated organizational personnel, restoring established configuration settings, or in extreme cases, halting affected information system processing. Related controls: IR-4, SI-7. |
The organization employs [Assignment: organization-defined security safeguards] to respond to unauthorized changes to [Assignment: organization-defined configuration settings]. |
| CCI-001758 |
The organization defines configuration settings for which the organization will employ organization-defined security safeguards in response to unauthorized changes. |
The organization conducting the inspection/assessment obtains and examines the configuration management policy to ensure the organization being inspected/assessed defines the configuration settings for which the organization will employ security safeguards CM-6 (2), CCI 1757 in response to unauthorized changes.
DoD has defined the configuration settings as security related configuration settings defined at the program/system level. |
The organization being inspected/assessed must define and document in the configuration management policy, the configuration settings for which the organization will employ security safeguards defined in CM-6 (2), CCI 1757 in response to unauthorized changes.
DoD has defined the configuration settings as security related configuration settings defined at the program/system level. |
Configuration Settings | Respond To Unauthorized Changes |
CM-6 (2) |
CM-6(2).2 |
Responses to unauthorized changes to configuration settings can include, for example, alerting designated organizational personnel, restoring established configuration settings, or in extreme cases, halting affected information system processing. Related controls: IR-4, SI-7. |
The organization employs [Assignment: organization-defined security safeguards] to respond to unauthorized changes to [Assignment: organization-defined configuration settings]. |
| CCI-001759 |
The organization employs organization-defined security safeguards to respond to unauthorized changes to organization-defined configuration settings. |
The organization conducting the inspection/assessment obtains and examines the documented process and the audit trail of security safeguard implementation to ensure the organization being inspected/assessed implements security safeguards defined in CM-6 (2), CCI 1757 to respond to unauthorized changes to security related configuration settings defined at the program/system level.
DoD has defined the configuration settings as security related configuration settings defined at the program/system level. |
The organization being inspected/assessed documents and implements security safeguards defined in CM-6 (2), CCI 1757 to respond to unauthorized changes to security related configuration settings defined at the program/system level.
The organization must maintain an audit trail of security safeguard implementation.
DoD has defined the configuration settings as security related configuration settings defined at the program/system level. |
Configuration Settings | Respond To Unauthorized Changes |
CM-6 (2) |
CM-6(2).3 |
Responses to unauthorized changes to configuration settings can include, for example, alerting designated organizational personnel, restoring established configuration settings, or in extreme cases, halting affected information system processing. Related controls: IR-4, SI-7. |
The organization employs [Assignment: organization-defined security safeguards] to respond to unauthorized changes to [Assignment: organization-defined configuration settings]. |
| CCI-002059 |
The organization defines the information system components for which the organization will employ automated mechanisms to centrally manage, apply, and verify configuration settings. |
The organization conducting the inspection/assessment obtains and examine the documented information system components to ensure the organization being inspected/assessed defines the information system components for which the organization will employ automated mechanisms to centrally manage, apply, and verify configuration settings.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information system components for which the organization will employ automated mechanisms to centrally manage, apply, and verify configuration settings.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
Configuration Settings | Automated Central Management / Application / Verification |
CM-6 (1) |
CM-6(1).4 |
Related controls: CA-7, CM-4. |
The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components]. |
| CCI-001760 |
The organization defines the frequency of information system reviews to identify unnecessary and/or nonsecure functions, ports, protocols, and services. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as every 30 days. |
DoD has defined the frequency as every 30 days. |
Least Functionality | Periodic Review |
CM-7 (1) |
CM-7(1).2 |
The organization can either make a determination of the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are examples of less than secure protocols. Related controls: AC-18, CM-7, IA-2. |
The organization:
(a) Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and
(b) Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure]. |
| CCI-001761 |
The organization defines the functions, ports, protocols, and services within the information system that are to be disabled when deemed unnecessary and/or nonsecure. |
The organization conducting the inspection/assessment obtains and examines the system security plan to ensure the organization being inspected/assessed defines the functions, ports, protocols and services within the information system that are to be disabled when deemed unnecessary.
DoD has determined that it is not appropriate to define unnecessary functions, ports, protocols and service at the Enterprise level. Nonsecure functions, ports, protocols and services are defined in DoDI 8551.01. |
The organization being inspected/assessed must define and document in the system security plan, the functions, ports, protocols and services within the information system that are to be disabled when deemed unnecessary.
DoD has determined that it is not appropriate to define unnecessary functions, ports, protocols and service at the Enterprise level. Nonsecure functions, ports, protocols and services are defined in DoDI 8551.01. |
Least Functionality | Periodic Review |
CM-7 (1) |
CM-7(1).3 |
The organization can either make a determination of the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are examples of less than secure protocols. Related controls: AC-18, CM-7, IA-2. |
The organization:
(a) Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and
(b) Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure]. |
| CCI-001762 |
The organization disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure. |
The organization conducting the inspection/assessment inspects the information system to ensure the organization being inspected/assessed disables functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure as defined in CM-7 (1), CCI 1761. |
The organization being inspected/assessed must disable functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure as defined in CM-7 (1), CCI 1761. |
Least Functionality | Periodic Review |
CM-7 (1) |
CM-7(1).4 |
The organization can either make a determination of the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are examples of less than secure protocols. Related controls: AC-18, CM-7, IA-2. |
The organization:
(a) Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and
(b) Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure]. |
| CCI-001763 |
The organization defines the policies regarding software program usage and restrictions. |
The organization conducting the inspection/assessment obtains and examines the rules as well as the software list to ensure that all network capable software programs are DoDI 8551 compliant and that the rules authorizing the use of all other programs are defined.
DoD has determined that the rules authorizing the terms and conditions of software program usage on the information system are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents their rules for approval of software program usage.
For network capable software programs, the organization being inspected/assessed complies with DoDI 8551.
DoD has determined that the rules authorizing the terms and conditions of software program usage on the information system are not appropriate to define at the Enterprise level. |
Least Functionality | Prevent Program Execution |
CM-7 (2) |
CM-7(2).2 |
Related controls: CM-8, PM-5. |
The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]. |
| CCI-001764 |
The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage. |
The organization conducting the inspection/assessment examines the information systems to ensure the systems are configured to prevent the execution of programs not authorized in accordance with CM-7 (2) CCIs 1592 and 1763. |
The organization being inspected/assessed configures the information system to prevent the execution of programs not authorized in accordance with CM-7 (2) CCIs 1592 and 1763. |
Least Functionality | Prevent Program Execution |
CM-7 (2) |
CM-7(2).3 |
Related controls: CM-8, PM-5. |
The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]. |
| CCI-001765 |
The organization defines the software programs not authorized to execute on the information system. |
The organization conducting the inspection/assessment obtains and examines the documented list of software programs not authorized to execute to ensure that list is defined.
The organization conducting the inspection/assessment reviews the list to ensure that any network capable software is included IAW DoDI 8551.01.
DoD has determined that a comprehensive list of unauthorized software programs is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed must define and document software programs not authorized to execute on the information system.
For network capable software, the organization-defined list must include all software programs as defined IAW DoDI 8551.01.
DoD has determined that a comprehensive list of unauthorized software programs is not appropriate to define at the Enterprise level. |
Least Functionality | Unauthorized Software / Blacklisting |
CM-7 (4) |
CM-7(4).1 |
The process used to identify software programs that are not authorized to execute on organizational information systems is commonly referred to as blacklisting. Organizations can implement CM-7 (5) instead of this control enhancement if whitelisting (the stronger of the two policies) is the preferred approach for restricting software program execution. Related controls: CM-6, CM-8, PM-5. |
The organization:
(a) Identifies [Assignment: organization-defined software programs not authorized to execute on the information system];
(b) Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and
(c) Reviews and updates the list of unauthorized software programs [Assignment: organization- defined frequency]. |
| CCI-001766 |
The organization identifies the organization-defined software programs not authorized to execute on the information system. |
The organization conducting the inspection/assessment obtains and examines the documented list of software programs not authorized to execute to ensure that list is defined.
The organization conducting the inspection/assessment reviews the list to ensure that any network capable software is included IAW DoDI 8551.01. |
The organization being inspected/assessed must define and document software programs not authorized to execute on the information system.
For network capable software, the organization-defined list must include all software programs as defined IAW DoDI 8551.01. |
Least Functionality | Unauthorized Software / Blacklisting |
CM-7 (4) |
CM-7(4).2 |
The process used to identify software programs that are not authorized to execute on organizational information systems is commonly referred to as blacklisting. Organizations can implement CM-7 (5) instead of this control enhancement if whitelisting (the stronger of the two policies) is the preferred approach for restricting software program execution. Related controls: CM-6, CM-8, PM-5. |
The organization:
(a) Identifies [Assignment: organization-defined software programs not authorized to execute on the information system];
(b) Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and
(c) Reviews and updates the list of unauthorized software programs [Assignment: organization- defined frequency]. |
| CCI-001767 |
The organization employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system. |
Within the DoD, this control cannot be implemented. |
Within the DoD, this control cannot be implemented. |
Least Functionality | Unauthorized Software / Blacklisting |
CM-7 (4) |
CM-7(4).3 |
The process used to identify software programs that are not authorized to execute on organizational information systems is commonly referred to as blacklisting. Organizations can implement CM-7 (5) instead of this control enhancement if whitelisting (the stronger of the two policies) is the preferred approach for restricting software program execution. Related controls: CM-6, CM-8, PM-5. |
The organization:
(a) Identifies [Assignment: organization-defined software programs not authorized to execute on the information system];
(b) Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and
(c) Reviews and updates the list of unauthorized software programs [Assignment: organization- defined frequency]. |
| CCI-001768 |
The organization defines the frequency on which it will review and update the list of unauthorized software programs. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as monthly. |
DoD has defined the frequency as monthly. |
Least Functionality | Unauthorized Software / Blacklisting |
CM-7 (4) |
CM-7(4).4 |
The process used to identify software programs that are not authorized to execute on organizational information systems is commonly referred to as blacklisting. Organizations can implement CM-7 (5) instead of this control enhancement if whitelisting (the stronger of the two policies) is the preferred approach for restricting software program execution. Related controls: CM-6, CM-8, PM-5. |
The organization:
(a) Identifies [Assignment: organization-defined software programs not authorized to execute on the information system];
(b) Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and
(c) Reviews and updates the list of unauthorized software programs [Assignment: organization- defined frequency]. |
| CCI-001769 |
The organization defines the frequency on which it will update the list of unauthorized software programs. |
|
|
|
|
|
|
|
| CCI-001770 |
The organization reviews and updates the list of unauthorized software programs per organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of reviews and updates to ensure that the organization being inspected/assessed reviews and updates the list of unauthorized software programs monthly.
DoD has defined the frequency as monthly. |
The organization being inspected/assessed documents and implements a process to review and update the list of unauthorized software programs monthly.
The organization must maintain an audit trail of the review and update activity.
DoD has defined the frequency as monthly. |
Least Functionality | Unauthorized Software / Blacklisting |
CM-7 (4) |
CM-7(4).5 |
The process used to identify software programs that are not authorized to execute on organizational information systems is commonly referred to as blacklisting. Organizations can implement CM-7 (5) instead of this control enhancement if whitelisting (the stronger of the two policies) is the preferred approach for restricting software program execution. Related controls: CM-6, CM-8, PM-5. |
The organization:
(a) Identifies [Assignment: organization-defined software programs not authorized to execute on the information system];
(b) Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and
(c) Reviews and updates the list of unauthorized software programs [Assignment: organization- defined frequency]. |
| CCI-001771 |
The organization updates the list of unauthorized software programs per organization-defined frequency. |
|
|
|
|
|
|
|
| CCI-001772 |
The organization defines the software programs authorized to execute on the information system. |
The organization conducting the inspection/assessment obtains and examines the documented list of software programs that are authorized to execute to ensure that list is defined.
DoD has determined that a comprehensive list of unauthorized software programs is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed must define and document software programs that are authorized to execute on the information system.
DoD has determined that a comprehensive list of unauthorized software programs is not appropriate to define at the Enterprise level. |
Least Functionality | Authorized Software / Whitelisting |
CM-7 (5) |
CM-7(5).1 |
The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of white-listed software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup. Related controls: CM-2, CM-6, CM-8, PM-5, SA-10, SC-34, SI-7. |
The organization:
(a) Identifies [Assignment: organization-defined software programs authorized to execute on the information system];
(b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and
(c) Reviews and updates the list of authorized software programs [Assignment: organization- defined frequency]. |
| CCI-001773 |
The organization identifies the organization-defined software programs authorized to execute on the information system. |
The organization conducting the inspection/assessment obtains and examines the documented list of software programs that are authorized to execute to ensure that list is defined.
|
The organization being inspected/assessed must define and document software programs that are authorized to execute on the information system.
|
Least Functionality | Authorized Software / Whitelisting |
CM-7 (5) |
CM-7(5).2 |
The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of white-listed software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup. Related controls: CM-2, CM-6, CM-8, PM-5, SA-10, SC-34, SI-7. |
The organization:
(a) Identifies [Assignment: organization-defined software programs authorized to execute on the information system];
(b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and
(c) Reviews and updates the list of authorized software programs [Assignment: organization- defined frequency]. |
| CCI-001774 |
The organization employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system. |
The organization conducting the inspection/assessment examines the information system to ensure that it is configured to deny-all and only permit by exception the execution of authorized software programs on the information system. |
The organization being inspected/assessed configures the information system to deny-all and only permit by exception the execution of authorized software programs on the information system. |
Least Functionality | Authorized Software / Whitelisting |
CM-7 (5) |
CM-7(5).3 |
The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of white-listed software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup. Related controls: CM-2, CM-6, CM-8, PM-5, SA-10, SC-34, SI-7. |
The organization:
(a) Identifies [Assignment: organization-defined software programs authorized to execute on the information system];
(b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and
(c) Reviews and updates the list of authorized software programs [Assignment: organization- defined frequency]. |
| CCI-001775 |
The organization defines the frequency on which it will review and update the list of authorized software programs. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as monthly. |
DoD has defined the frequency as monthly. |
Least Functionality | Authorized Software / Whitelisting |
CM-7 (5) |
CM-7(5).4 |
The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of white-listed software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup. Related controls: CM-2, CM-6, CM-8, PM-5, SA-10, SC-34, SI-7. |
The organization:
(a) Identifies [Assignment: organization-defined software programs authorized to execute on the information system];
(b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and
(c) Reviews and updates the list of authorized software programs [Assignment: organization- defined frequency]. |
| CCI-001776 |
The organization defines the frequency on which it will update the list of authorized software programs. |
|
|
|
|
|
|
|
| CCI-001777 |
The organization reviews and updates the list of authorized software programs per organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of reviews and updates to ensure that the organization being inspected/assessed reviews and updates the list of authorized software programs monthly.
DoD has defined the frequency as monthly. |
The organization being inspected/assessed documents and implements a process to review and update the list of authorized software programs monthly.
The organization must maintain an audit trail of the review and update activity.
DoD has defined the frequency as monthly. |
Least Functionality | Authorized Software / Whitelisting |
CM-7 (5) |
CM-7(5).5 |
The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of white-listed software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup. Related controls: CM-2, CM-6, CM-8, PM-5, SA-10, SC-34, SI-7. |
The organization:
(a) Identifies [Assignment: organization-defined software programs authorized to execute on the information system];
(b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and
(c) Reviews and updates the list of authorized software programs [Assignment: organization- defined frequency]. |
| CCI-001778 |
The organization updates the list of authorized software programs per organization-defined frequency. |
|
|
|
|
|
|
|
| CCI-001779 |
The organization defines the frequency on which the information system component inventory is to be reviewed and updated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as at a minimum, annually. |
DoD has defined the frequency as at a minimum, annually. |
Information System Component Inventory |
CM-8 |
CM-8.6 |
Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location. Related controls: CM-2, CM-6, PM-5. |
The organization:
a. Develops and documents an inventory of information system components that:
1. Accurately reflects the current information system;
2. Includes all components within the authorization boundary of the information system;
3. Is at the level of granularity deemed necessary for tracking and reporting; and
4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and
b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency]. |
| CCI-001780 |
The organization reviews and updates the information system component inventory per organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the documented process for reviews and updates as well as the audit trail of reviews and updates to ensure the organization being inspected/assessed reviews and updates the information system component inventory at a minimum, annually.
DoD has defined the frequency as at a minimum, annually. |
The organization being inspected/assessed documents and implements a process to review and update the information system component inventory at a minimum, annually.
The organization must maintain an audit trail of review and update activity.
DoD has defined the frequency as at a minimum, annually. |
Information System Component Inventory |
CM-8 |
CM-8.7 |
Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location. Related controls: CM-2, CM-6, PM-5. |
The organization:
a. Develops and documents an inventory of information system components that:
1. Accurately reflects the current information system;
2. Includes all components within the authorization boundary of the information system;
3. Is at the level of granularity deemed necessary for tracking and reporting; and
4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and
b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency]. |
| CCI-001781 |
The organization defines the frequency on which the information system component inventory is to be updated. |
|
|
|
|
|
|
|
| CCI-001782 |
The organization updates the information system component inventory per organization-defined frequency. |
|
|
|
|
|
|
|
| CCI-001783 |
The organization defines the personnel or roles to be notified when unauthorized hardware, software, and firmware components are detected within the information system. |
The organization conducting the inspection/assessment obtains and examines the documented list of personnel or roles to be notified when unauthorized hardware, software, and firmware components are detected within the information system to ensure the organization being inspected/assessed has either defined additional personnel or roles, or identified that there are no additional personnel or roles.
DoD has defined the personnel or roles as the ISSO and ISSM and others as the local organization deems appropriate. |
The organization being inspected/assessed defines and documents any personnel or roles, in addition to the ISSO or ISSM, to be notified when unauthorized hardware, software, and firmware components are detected within the information system. If there are no additional personnel or roles, the organization must also document that.
DoD has defined the personnel or roles as the ISSO and ISSM and others as the local organization deems appropriate. |
Information System Component Inventory | Automated Unauthorized Component Detection |
CM-8 (3) |
CM-8(3).3 |
This control enhancement is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms can be implemented within information systems or in other separate devices. Isolation can be achieved, for example, by placing unauthorized information system components in separate domains or subnets or otherwise quarantining such components. This type of component isolation is commonly referred to as sandboxing. Related controls: AC-17, AC-18, AC-19, CA-7, SI-3, SI-4, SI-7, RA-5. |
The organization:
(a) Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and
(b) Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]]. |
| CCI-001784 |
When unauthorized hardware, software, and firmware components are detected within the information system, the organization takes action to disable network access by such components, isolates the components, and/or notifies organization-defined personnel or roles. |
The organization conducting the inspection/assessment obtains and examines the documented process and audit trail for taking action upon detection of unauthorized components to ensure the organization being inspected/assessed takes action to disable network access by unauthorized software, hardware, and firmware components, isolate the components, and/or notify the ISSO and ISSM and others as the local organization deems appropriate.
DoD has defined the personnel or roles as the ISSO and ISSM and others as the local organization deems appropriate. |
The organization being inspected/assessed documents and implements a process to take action to disable network access by unauthorized software, hardware, and firmware components, isolate the components, and/or notify the ISSO and ISSM and others as the local organization deems appropriate.
The organization must maintain an audit trail of actions taken upon detection of unauthorized software, hardware, and firmware components.
DoD has defined the personnel or roles as the ISSO and ISSM and others as the local organization deems appropriate. |
Information System Component Inventory | Automated Unauthorized Component Detection |
CM-8 (3) |
CM-8(3).4 |
This control enhancement is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms can be implemented within information systems or in other separate devices. Isolation can be achieved, for example, by placing unauthorized information system components in separate domains or subnets or otherwise quarantining such components. This type of component isolation is commonly referred to as sandboxing. Related controls: AC-17, AC-18, AC-19, CA-7, SI-3, SI-4, SI-7, RA-5. |
The organization:
(a) Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and
(b) Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]]. |
| CCI-001785 |
The organization provides a centralized repository for the inventory of information system components. |
The organization conducting the inspection/assessment obtains and examines the documentation of a centralized repository to ensure the organization being inspected/assessed provides a centralized repository for the inventory of information system components. |
The organization being inspected/assessed documents and implements a centralized repository for the inventory of information system components. |
Information System Component Inventory | Centralized Repository |
CM-8 (7) |
CM-8(7).1 |
Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. Centralized repositories of information system component inventories provide opportunities for efficiencies in accounting for organizational hardware, software, and firmware assets. Such repositories may also help organizations rapidly identify the location and responsible individuals of system components that have been compromised, breached, or are otherwise in need of mitigation actions. Organizations ensure that the resulting centralized inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). |
The organization provides a centralized repository for the inventory of information system components. |
| CCI-001786 |
The organization employs automated mechanisms to support tracking of information system components by geographic location. |
The organization conducting the inspection/assessment obtains and examines the documentation of the automated mechanisms to ensure the organization being inspected/assessed employs automated mechanisms to support tracking of information system components by geographic location. |
The organization being inspected/assessed documents and implements automated mechanisms to support tracking of information system components by geographic location. |
Information System Component Inventory | Automated Location Tracking |
CM-8 (8) |
CM-8(8).1 |
The use of automated mechanisms to track the location of information system components can increase the accuracy of component inventories. Such capability may also help organizations rapidly identify the location and responsible individuals of system components that have been compromised, breached, or are otherwise in need of mitigation actions. |
The organization employs automated mechanisms to support tracking of information system components by geographic location. |
| CCI-001787 |
The organization defines the acquired information system components that are to be assigned to an information system. |
The organization conducting the inspection/assessment obtains and examines the documentation of acquired information system components to ensure the organization being inspected/assessed defines the acquired information system components that are to be assigned to an information system.
DoD has determined that the acquired information system components are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the acquired information system components that are to be assigned to an information system.
At no lower than the AO level, the organization must define and document the criteria for or types of information system components where assignment must be tracked. For example, all information system components that collect, store, or process information and are not themselves simply a storage media.
DoD has determined that the acquired information system components are not appropriate to define at the Enterprise level. |
Information System Component Inventory | Assignment Of Components To Systems |
CM-8 (9) |
CM-8(9).1 |
Organizations determine the criteria for or types of information system components (e.g., microprocessors, motherboards, software, programmable logic controllers, and network devices) that are subject to this control enhancement. Related control: SA-4. |
The organization:
(a) Assigns [Assignment: organization-defined acquired information system components] to an information system; and
(b) Receives an acknowledgement from the information system owner of this assignment. |
| CCI-001788 |
The organization assigns organization-defined acquired information system components to an information system. |
The organization conducting the inspection/assessment obtains and examines the documentation pertaining to the acquisition of information system components to ensure the organization being inspected/assessed assigns acquired information system components, as defined in CM-8 (9), CCI 1787, to an information system. |
The organization being inspected/assessed assigns and documents the assignment of acquired information system components, as defined in CM-8 (9), CCI 1787, to an information system. |
Information System Component Inventory | Assignment Of Components To Systems |
CM-8 (9) |
CM-8(9).2 |
Organizations determine the criteria for or types of information system components (e.g., microprocessors, motherboards, software, programmable logic controllers, and network devices) that are subject to this control enhancement. Related control: SA-4. |
The organization:
(a) Assigns [Assignment: organization-defined acquired information system components] to an information system; and
(b) Receives an acknowledgement from the information system owner of this assignment. |
| CCI-001789 |
The organization receives an acknowledgement from the information system owner of the assignment of the acquired information system components to an information system. |
The organization conducting the inspection/assessment obtains and examines the documented process and audit trail of acknowledgements to ensure the organization being inspected/assessed receives an acknowledgement from the information system owner of the assignment of the acquired information system components to an information system. |
The organization being inspected/assessed documents and implements a process to ensure the organization receives an acknowledgement from the information system owner of the assignment of the acquired information system components to an information system.
The organization must maintain an audit trail of the acknowledgements. |
Information System Component Inventory | Assignment Of Components To Systems |
CM-8 (9) |
CM-8(9).3 |
Organizations determine the criteria for or types of information system components (e.g., microprocessors, motherboards, software, programmable logic controllers, and network devices) that are subject to this control enhancement. Related control: SA-4. |
The organization:
(a) Assigns [Assignment: organization-defined acquired information system components] to an information system; and
(b) Receives an acknowledgement from the information system owner of this assignment. |
| CCI-001790 |
The organization develops a configuration management plan for the information system that establishes a process for identifying configuration items throughout the system development life cycle. |
The organization conducting the inspection/assessment obtains and examines the configuration management plan to verify it establishes and documents a process for identifying configuration items throughout the system development life cycle. |
The organization being inspected/assessed will develop and document a configuration management plan for the information system that establishes a process for identifying configuration items throughout the system development life cycle. |
Configuration Management Plan |
CM-9 |
CM-9.3 |
Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10. |
The organization develops, documents, and implements a configuration management plan for the information system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
c. Defines the configuration items for the information system and places the configuration items under configuration management; and
d. Protects the configuration management plan from unauthorized disclosure and modification. |
| CCI-001791 |
The organization documents a configuration management plan for the information system that establishes a process for identifying configuration items throughout the system development life cycle. |
|
|
|
|
|
|
|
| CCI-001792 |
The organization implements a configuration management plan for the information system that establishes a process for identifying configuration items throughout the system development life cycle. |
The organization conducting the inspection/assessment obtains and examines the configuration management plan as well as evidence of implementation (e.g., completed change requests, meeting minutes, and other relevant documents) to ensure the organization being inspected/assessed implements a configuration management plan for the information system that establishes a process for identifying configuration items throughout the system development life cycle.
Checks should include verification that items being processed for CM are the items identified and that identified configuration items have not been changed without going through the documented process. |
The organization being inspected/assessed will implement a configuration management plan for the information system that establishes a process for identifying configuration items throughout the system development life cycle. |
Configuration Management Plan |
CM-9 |
CM-9.4 |
Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10. |
The organization develops, documents, and implements a configuration management plan for the information system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
c. Defines the configuration items for the information system and places the configuration items under configuration management; and
d. Protects the configuration management plan from unauthorized disclosure and modification. |
| CCI-001793 |
The organization develops a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items. |
The organization conducting the inspection/assessment obtains and examines the configuration management plan to ensure it establishes and documents a process for managing the configuration of the configuration items. |
The organization being inspected/assessed will develop and document a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items. |
Configuration Management Plan |
CM-9 |
CM-9.5 |
Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10. |
The organization develops, documents, and implements a configuration management plan for the information system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
c. Defines the configuration items for the information system and places the configuration items under configuration management; and
d. Protects the configuration management plan from unauthorized disclosure and modification. |
| CCI-001794 |
The organization documents a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items. |
|
|
|
|
|
|
|
| CCI-001795 |
The organization implements a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items. |
The organization conducting the inspection/assessment obtains and examines the configuration management plan as well as evidence of implementation (e.g., completed change requests, meeting minutes, and other relevant documents) to ensure the organization being inspected/assessed implements a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items. |
The organization being inspected/assessed will implement a configuration management plan that has a process for controlling changes to configuration items. |
Configuration Management Plan |
CM-9 |
CM-9.6 |
Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10. |
The organization develops, documents, and implements a configuration management plan for the information system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
c. Defines the configuration items for the information system and places the configuration items under configuration management; and
d. Protects the configuration management plan from unauthorized disclosure and modification. |
| CCI-001796 |
The organization develops a configuration management plan for the information system that places the configuration items under configuration management. |
The organization conducting the inspection/assessment obtains and examines the configuration management plan to ensure the organization being inspected/assessed documents that configuration items are placed under configuration management. |
The organization being inspected/assessed will develop and document a configuration management plan for the information system that places the configuration items under configuration management. |
Configuration Management Plan |
CM-9 |
CM-9.9 |
Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10. |
The organization develops, documents, and implements a configuration management plan for the information system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
c. Defines the configuration items for the information system and places the configuration items under configuration management; and
d. Protects the configuration management plan from unauthorized disclosure and modification. |
| CCI-001797 |
The organization documents a configuration management plan for the information system that places the configuration items under configuration management. |
|
|
|
|
|
|
|
| CCI-001798 |
The organization implements a configuration management plan for the information system that places the configuration items under configuration management. |
The organization conducting the inspection/assessment obtains and examines the configuration management plan as well as evidence of implementation (e.g., completed change requests, meeting minutes, and other relevant documents) to ensure the organization being inspected/assessed implements a configuration management plan for the information system and that configuration items identified are under configuration management. |
The organization being inspected/assessed will implement a configuration management plan for the information system that places the configuration items under configuration management. |
Configuration Management Plan |
CM-9 |
CM-9.10 |
Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10. |
The organization develops, documents, and implements a configuration management plan for the information system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
c. Defines the configuration items for the information system and places the configuration items under configuration management; and
d. Protects the configuration management plan from unauthorized disclosure and modification. |
| CCI-001799 |
The organization develops and documents a configuration management plan for the information system that protects the configuration management plan from unauthorized disclosure and modification. |
The organization conducting the inspection/assessment obtains and examines the configuration management plan to verify that it identifies the protection measures. |
The organization being inspected/assessed must develop and document a plan to protect the configuration management plan from unauthorized disclosure and modification.
Measures must include marking, labeling, and handling to prevent improper disclosure. The organization being inspected/assessed must ensure that all changes to the CM plan are approved. |
Configuration Management Plan |
CM-9 |
CM-9.11 |
Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10. |
The organization develops, documents, and implements a configuration management plan for the information system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
c. Defines the configuration items for the information system and places the configuration items under configuration management; and
d. Protects the configuration management plan from unauthorized disclosure and modification. |
| CCI-001800 |
The organization documents a configuration management plan for the information system that protects the configuration management plan from unauthorized disclosure and modification. |
|
|
|
|
|
|
|
| CCI-001801 |
The organization implements a configuration management plan for the information system that protects the configuration management plan from unauthorized disclosure and modification. |
The organization conducting the inspection/assessment obtains and examines the configuration management plan to verify that the identified protection measures are implemented. |
The organization being inspected/assessed must implement a plan to protect the configuration management plan from unauthorized disclosure and modification.
Measures must include marking, labeling, and handling to prevent improper disclosure. The organization being inspected/assessed must ensure that all changes to the CM plan are approved. |
Configuration Management Plan |
CM-9 |
CM-9.12 |
Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10. |
The organization develops, documents, and implements a configuration management plan for the information system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
c. Defines the configuration items for the information system and places the configuration items under configuration management; and
d. Protects the configuration management plan from unauthorized disclosure and modification. |
| CCI-001726 |
The organization uses software in accordance with contract agreements. |
The organization conducting the inspection/assessment obtains and examines a sampling of contract agreements and supporting evidence concerning the usage of software to ensure compliance with the contract agreements. |
The organization being inspected/assessed uses software in accordance with contract agreements. |
Software Usage Restrictions |
CM-10 |
CM-10.1 |
Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7. |
The organization:
a. Uses software and associated documentation in accordance with contract agreements and
copyright laws;
b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. |
| CCI-001727 |
The organization uses software documentation in accordance with contract agreements. |
The organization conducting the inspection/assessment obtains and examines a sampling of contract agreements associated with software documentation and supporting evidence concerning the usage of software documentation to ensure compliance with contract agreements. |
The organization being inspected/assessed uses software documentation in accordance with contract agreements. |
Software Usage Restrictions |
CM-10 |
CM-10.2 |
Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7. |
The organization:
a. Uses software and associated documentation in accordance with contract agreements and
copyright laws;
b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. |
| CCI-001728 |
The organization uses software in accordance with copyright laws. |
The organization conducting the inspection/assessment obtains and examines supporting evidence concerning the usage of software to ensure compliance with copyright laws. |
The organization being inspected/assessed uses software in accordance with copyright laws. |
Software Usage Restrictions |
CM-10 |
CM-10.3 |
Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7. |
The organization:
a. Uses software and associated documentation in accordance with contract agreements and
copyright laws;
b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. |
| CCI-001729 |
The organization uses software documentation in accordance with copyright laws. |
The organization conducting the inspection/assessment obtains and examines supporting evidence concerning the usage of software documentation to ensure compliance with copyright laws. |
The organization being inspected/assessed uses software documentation in accordance with copyright laws. |
Software Usage Restrictions |
CM-10 |
CM-10.4 |
Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7. |
The organization:
a. Uses software and associated documentation in accordance with contract agreements and
copyright laws;
b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. |
| CCI-001730 |
The organization tracks the use of software protected by quantity licenses to control copying of the software. |
The organization conducting the inspection/assessment obtains and examines the tracking records to ensure the organization being inspected/assessed tracks the use of software protected by quantity licenses to control copying of the software. |
The organization being inspected/assessed tracks the use of software protected by quantity licenses to control copying of the software.
Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. |
Software Usage Restrictions |
CM-10 |
CM-10.5 |
Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7. |
The organization:
a. Uses software and associated documentation in accordance with contract agreements and
copyright laws;
b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. |
| CCI-001731 |
The organization tracks the use of software documentation protected by quantity licenses to control distribution of the software documentation. |
The organization conducting the inspection/assessment obtains and examines the tracking records to ensure the organization being inspected/assessed tracks the use of software documentation protected by quantity licenses to control distribution of the software documentation. |
The organization being inspected/assessed tracks the use of software documentation protected by quantity licenses to control distribution of the software documentation.
Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. |
Software Usage Restrictions |
CM-10 |
CM-10.6 |
Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7. |
The organization:
a. Uses software and associated documentation in accordance with contract agreements and
copyright laws;
b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. |
| CCI-001732 |
The organization controls the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. |
The organization conducting the inspection/assessment obtains and examines the audit trail of peer-to-peer file sharing technology reviews and authorizations to ensure the organization being inspected/assessed controls the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. |
The organization being inspected/assessed reviews and authorizes in order to control the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
The organization must maintain an audit trail of peer-to-peer file sharing technology reviews and authorizations. |
Software Usage Restrictions |
CM-10 |
CM-10.9 |
Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7. |
The organization:
a. Uses software and associated documentation in accordance with contract agreements and
copyright laws;
b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. |
| CCI-001733 |
The organization documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. |
The organization conducting the inspection/assessment obtains and examines the documentation for the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. |
The organization being inspected/assessed documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. |
Software Usage Restrictions |
CM-10 |
CM-10.10 |
Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7. |
The organization:
a. Uses software and associated documentation in accordance with contract agreements and
copyright laws;
b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. |
| CCI-001734 |
The organization defines the restrictions to be followed on the use of open source software. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the restrictions as IAW DoD Memorandum "Clarifying Guidance Regarding Open Source Software (OSS)" 16 Oct 2009 (http://dodcio.defense.gov/Home/Issuances/DoDCIOMemorandums.aspx). |
DoD has defined the restrictions as IAW DoD Memorandum "Clarifying Guidance Regarding Open Source Software (OSS)" 16 Oct 2009 (http://dodcio.defense.gov/Home/Issuances/DoDCIOMemorandums.aspx). |
Software Usage Restrictions | Open Source Software |
CM-10 (1) |
CM-10(1).1 |
Open source software refers to software that is available in source code form. Certain software rights normally reserved for copyright holders are routinely provided under software license agreements that permit individuals to study, change, and improve the software. From a security perspective, the major advantage of open source software is that it provides organizations with the ability to examine the source code. However, there are also various licensing issues associated with open source software including, for example, the constraints on derivative use of such software. |
The organization establishes the following restrictions on the use of open source software: [Assignment: organization-defined restrictions]. |
| CCI-001735 |
The organization establishes organization-defined restrictions on the use of open source software. |
DoD Memorandum "Clarifying Guidance Regarding Open Source Software (OSS)" 16 Oct 2009 (http://dodcio.defense.gov/Home/Issuances/DoDCIOMemorandums.aspx) meets the DoD requirement for establishing restrictions on the use of open source software.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoD Memorandum "Clarifying Guidance Regarding Open Source Software (OSS)." |
DoD Memorandum "Clarifying Guidance Regarding Open Source Software (OSS)" 16 Oct 2009 (http://dodcio.defense.gov/Home/Issuances/DoDCIOMemorandums.aspx) meets the DoD requirement for establishing restrictions on the use of open source software.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoD Memorandum "Clarifying Guidance Regarding Open Source Software (OSS)." |
Software Usage Restrictions | Open Source Software |
CM-10 (1) |
CM-10(1).2 |
Open source software refers to software that is available in source code form. Certain software rights normally reserved for copyright holders are routinely provided under software license agreements that permit individuals to study, change, and improve the software. From a security perspective, the major advantage of open source software is that it provides organizations with the ability to examine the source code. However, there are also various licensing issues associated with open source software including, for example, the constraints on derivative use of such software. |
The organization establishes the following restrictions on the use of open source software: [Assignment: organization-defined restrictions]. |
| CCI-001802 |
The organization tracks the use of software documentation protected by quantity licenses to control copying of the software documentation. |
The organization conducting the inspection/assessment obtains and examines the tracking records to ensure the organization being inspected/assessed tracks the use of software documentation protected by quantity licenses to control copying of the software documentation. |
The organization being inspected/assessed tracks the use of software documentation protected by quantity licenses to control copying of the software documentation.
Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. |
Software Usage Restrictions |
CM-10 |
CM-10.7 |
Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7. |
The organization:
a. Uses software and associated documentation in accordance with contract agreements and
copyright laws;
b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. |
| CCI-001803 |
The organization tracks the use of software protected by quantity licenses to control distribution of the software. |
The organization conducting the inspection/assessment obtains and examines the tracking records to ensure the organization being inspected/assessed tracks the use of software protected by quantity licenses to control distribution of the software. |
The organization being inspected/assessed tracks the use of software protected by quantity licenses to control distribution of the software.
Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. |
Software Usage Restrictions |
CM-10 |
CM-10.8 |
Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7. |
The organization:
a. Uses software and associated documentation in accordance with contract agreements and
copyright laws;
b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. |
| CCI-001804 |
The organization defines the policies for governing the installation of software by users. |
The organization conducting the inspection/assessment obtains and examines policies governing the installation of software by users (e.g., user agreements, CM plan, etc.) to ensure the organization being inspected/assessed defines the policies for governing the installation of software by users.
DoD has determined the policies are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed must define policies governing the installation of software by users.
DoD has determined the policies are not appropriate to define at the Enterprise level. |
User-Installed Software |
CM-11 |
CM-11.1 |
If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores.” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both. Related controls: AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, PL-4. |
The organization:
a. Establishes [Assignment: organization-defined policies] governing the installation of software by users;
b. Enforces software installation policies through [Assignment: organization-defined methods]; and
c. Monitors policy compliance at [Assignment: organization-defined frequency]. |
| CCI-001805 |
The organization establishes organization-defined policies governing the installation of software by users. |
The organization conducting the inspection/assessment obtains and examines documented policies governing the installation of software by users (e.g., user agreements, CM plan, etc.) to ensure the organization being inspected/assessed establishes policies governing the installation of software by users. |
The organization being inspected/assessed documents their policies governing the installation of software by users (e.g., user agreements, CM plan, etc.). |
User-Installed Software |
CM-11 |
CM-11.2 |
If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores.” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both. Related controls: AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, PL-4. |
The organization:
a. Establishes [Assignment: organization-defined policies] governing the installation of software by users;
b. Enforces software installation policies through [Assignment: organization-defined methods]; and
c. Monitors policy compliance at [Assignment: organization-defined frequency]. |
| CCI-001806 |
The organization defines methods to be employed to enforce the software installation policies. |
The organization conducting the inspection/assessment obtains and examines documentation of the methods employed to ensure the organization being inspected/assessed defines methods to be employed to enforce the software installation policies.
DoD has determined the policies are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed must define and document the methods employed to enforce the software installation policies.
DoD has determined the policies are not appropriate to define at the Enterprise level. |
User-Installed Software |
CM-11 |
CM-11.3 |
If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores.” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both. Related controls: AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, PL-4. |
The organization:
a. Establishes [Assignment: organization-defined policies] governing the installation of software by users;
b. Enforces software installation policies through [Assignment: organization-defined methods]; and
c. Monitors policy compliance at [Assignment: organization-defined frequency]. |
| CCI-001807 |
The organization enforces software installation policies through organization-defined methods. |
The organization conducting the inspection/assessment obtains and examines software installation policies defined in CM-11, CCI 1804 and inspects the methods defined in CM-11, CCI 1806 to verify they are properly implemented. |
The organization being inspected/assessed must enforce software installation policies as defined in CM-11, CCI 1804 through methods defined in CM-11, CCI 1806. |
User-Installed Software |
CM-11 |
CM-11.4 |
If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores.” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both. Related controls: AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, PL-4. |
The organization:
a. Establishes [Assignment: organization-defined policies] governing the installation of software by users;
b. Enforces software installation policies through [Assignment: organization-defined methods]; and
c. Monitors policy compliance at [Assignment: organization-defined frequency]. |
| CCI-001808 |
The organization defines the frequency on which it will monitor software installation policy compliance. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as at least monthly. |
DoD has defined the frequency as at least monthly. |
User-Installed Software |
CM-11 |
CM-11.5 |
If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores.” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both. Related controls: AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, PL-4. |
The organization:
a. Establishes [Assignment: organization-defined policies] governing the installation of software by users;
b. Enforces software installation policies through [Assignment: organization-defined methods]; and
c. Monitors policy compliance at [Assignment: organization-defined frequency]. |
| CCI-001809 |
The organization monitors software installation policy compliance per an organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the audit trails of monitoring activities to ensure the organization being inspected/assessed monitors software installation policy compliance at least monthly.
DoD has defined the frequency as at least monthly. |
The organization being inspected/assessed must monitor software installation policy compliance at least monthly.
The organization must maintain audit trails of monitoring activity.
DoD has defined the frequency as at least monthly. |
User-Installed Software |
CM-11 |
CM-11.6 |
If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores.” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both. Related controls: AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, PL-4. |
The organization:
a. Establishes [Assignment: organization-defined policies] governing the installation of software by users;
b. Enforces software installation policies through [Assignment: organization-defined methods]; and
c. Monitors policy compliance at [Assignment: organization-defined frequency]. |
| CCI-001810 |
The organization defines the personnel or roles to be notified when unauthorized software is detected. |
The organization conducting the inspection/assessment obtains and examines the documentation of the personnel or roles to be notified when unauthorized software is detected to ensure that ISSO and ISSM and others as the local organization deems appropriate are defined.
DoD has defined the personnel or roles that must be notified when unauthorized software is detected as the ISSO and ISSM and others as the local organization deems appropriate. |
The organization being inspected/assessed must define and document the personnel or roles to be notified when unauthorized software is detected.
DoD has defined the personnel or roles that must be notified when unauthorized software is detected as the ISSO and ISSM and others as the local organization deems appropriate. |
User-Installed Software | Alerts For Unauthorized Installations |
CM-11 (1) |
CM-11(1).1 |
Related controls: CA-7, SI-4. |
The information system alerts [Assignment: organization-defined personnel or roles] when the unauthorized installation of software is detected. |
| CCI-001811 |
The information system alerts organization-defined personnel or roles when the unauthorized installation of software is detected. |
The organization conducting the inspection/assessment obtains and examines the configuration of the automated mechanism or evidence that alerts are occuring when unauthorized software is installed to ensure the information system alerts the ISSO and ISSM and others as the local organization deems appropriate when the unauthorized installation of software is detected.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1811.
DoD has defined the personnel or roles that must be notified when unauthorized software is detected as the ISSO and ISSM and others as the local organization deems appropriate. |
The organization being inspected/assessed must configure the information system to alert ISSO and ISSM and others as the local organization deems appropriate when the unauthorized installation of software is detected.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1811.
DoD has defined the personnel or roles that must be notified when unauthorized software is detected as the ISSO and ISSM and others as the local organization deems appropriate. |
User-Installed Software | Alerts For Unauthorized Installations |
CM-11 (1) |
CM-11(1).2 |
Related controls: CA-7, SI-4. |
The information system alerts [Assignment: organization-defined personnel or roles] when the unauthorized installation of software is detected. |
| CCI-001812 |
The information system prohibits user installation of software without explicit privileged status. |
The organization conducting the inspection/assessment obtains and examines the configuration of the information system components to ensure that installation of software without explicit privileged status is prohibited.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1812. |
The organization being inspected/assessed must configure the information system to prevent the installation of software by non-privileged users.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1812. |
User-Installed Software | Prohibit Installation Without Privileged Status |
CM-11 (2) |
CM-11(2).1 |
Privileged status can be obtained, for example, by serving in the role of system administrator. Related control: AC-6. |
The information system prohibits user installation of software without explicit privileged status. |
| CCI-002825 |
The organization defines personnel or roles to whom the contingency planning policy is to be disseminated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as all stakeholders identified in the contingency plan. |
DoD has defined the personnel or roles as all stakeholders identified in the contingency plan. |
Contingency Planning Policy And Procedures |
CP-1 |
CP-1.3 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and
b. Reviews and updates the current:
1. Contingency planning policy [Assignment: organization-defined frequency]; and
2. Contingency planning procedures [Assignment: organization-defined frequency]. |
| CCI-002826 |
The organization defines personnel or roles to whom the contingency planning procedures are disseminated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as all stakeholders identified in the contingency plan. |
DoD has defined the personnel or roles as all stakeholders identified in the contingency plan. |
Contingency Planning Policy And Procedures |
CP-1 |
CP-1.6 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and
b. Reviews and updates the current:
1. Contingency planning policy [Assignment: organization-defined frequency]; and
2. Contingency planning procedures [Assignment: organization-defined frequency]. |
| CCI-002827 |
The organization coordinates its contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied. |
The organization conducting the inspection/assessment obtains and examines service level agreements and/or memorandums of agreement with external service providers to ensure the organization being inspected/assessed coordinates with those providers. |
The organization being inspected/assessed implements service level agreements and/or memorandums of agreement with external service providers necessary for the conduct of contingency plans to ensure that contingency requirements can be satisfied. |
Contingency Plan | Coordinate With External Service Providers |
CP-2 (7) |
CP-2(7).1 |
When the capability of an organization to successfully carry out its core missions/business functions is dependent on external service providers, developing a timely and comprehensive contingency plan may become more challenging. In this situation, organizations coordinate contingency planning activities with the external entities to ensure that the individual plans reflect the overall contingency needs of the organization. Related control: SA-9. |
The organization coordinates its contingency plan with the contingency plans of external service providers to ensure contingency requirements can be satisfied. |
| CCI-002828 |
The organization identifies critical information system assets supporting essential missions. |
The organization conducting the inspection/assessment obtains and examines the documented list of critical information system assets supporting essential missions to ensure the organization being inspected/assessed identifies those assets. |
The organization being inspected/assessed identifies and documents critical information system assets supporting essential missions. |
Contingency Plan | Identify Critical Assets |
CP-2 (8) |
CP-2(8).1 |
Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Organizations identify critical information system assets so that additional safeguards and countermeasures can be employed (above and beyond those safeguards and countermeasures routinely implemented) to help ensure that organizational missions/business functions can continue to be conducted during contingency operations. In addition, the identification of critical information assets facilitates the prioritization of organizational resources. Critical information system assets include technical and operational aspects. Technical aspects include, for example, information technology services, information system components, information technology products, and mechanisms. Operational aspects include, for example, procedures (manually executed operations) and personnel (individuals operating technical safeguards and/or executing manual procedures). Organizational program protection plans can provide assistance in identifying critical assets. Related controls: SA-14, SA-15. |
The organization identifies critical information system assets supporting essential missions and business functions. |
| CCI-002829 |
The organization identifies critical information system assets supporting essential business functions. |
The organization conducting the inspection/assessment obtains and examines the documented list of critical information system assets supporting essential business functions to ensure the organization being inspected/assessed identifies those assets. |
The organization being inspected/assessed identifies and documents critical information system assets supporting essential business functions. |
Contingency Plan | Identify Critical Assets |
CP-2 (8) |
CP-2(8).2 |
Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Organizations identify critical information system assets so that additional safeguards and countermeasures can be employed (above and beyond those safeguards and countermeasures routinely implemented) to help ensure that organizational missions/business functions can continue to be conducted during contingency operations. In addition, the identification of critical information assets facilitates the prioritization of organizational resources. Critical information system assets include technical and operational aspects. Technical aspects include, for example, information technology services, information system components, information technology products, and mechanisms. Operational aspects include, for example, procedures (manually executed operations) and personnel (individuals operating technical safeguards and/or executing manual procedures). Organizational program protection plans can provide assistance in identifying critical assets. Related controls: SA-14, SA-15. |
The organization identifies critical information system assets supporting essential missions and business functions. |
| CCI-002830 |
The organization defines the personnel or roles who review and approve the contingency plan for the information system. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as at a minimum, the ISSM and ISSO. |
DoD has defined the personnel or roles as at a minimum, the ISSM and ISSO. |
Contingency Plan |
CP-2 |
CP-2.16 |
Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. |
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification. |
| CCI-002831 |
The organization defines a list of key contingency personnel (identified by name and/or by role) and organizational elements to whom contingency plan changes are to be communicated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the list as all stakeholders identified in the contingency plan |
DoD has defined the list as all stakeholders identified in the contingency plan |
Contingency Plan |
CP-2 |
CP-2.27 |
Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. |
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification. |
| CCI-002832 |
The organization protects the contingency plan from unauthorized disclosure and modification. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed protects the contingency plan from unauthorized disclosure and modification. |
The organization being inspected/assessed documents and implements a process to protect the contingency plan from unauthorized disclosure and modification. |
Contingency Plan |
CP-2 |
CP-2.28 |
Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. |
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification. |
| CCI-002833 |
The organization defines the time period that contingency training is to be provided to information system users consistent with assigned roles and responsibilities within assuming a contingency role or responsibility. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as at a maximum, 10 working days. |
DoD has defined the time period as at a maximum, 10 working days. |
Contingency Training |
CP-3 |
CP-3.2 |
Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles/responsibilities reflects the specific continuity requirements in the contingency plan. Related controls: AT-2, AT-3, CP-2, IR-2. |
The organization provides contingency training to information system users consistent with assigned roles and responsibilities:
a. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter. |
| CCI-002834 |
The organization provides contingency training to information system users consistent with assigned roles and responsibilities when required by information system changes. |
The organization conducting the inspection/assessment obtains and examines training materials and documentation of training activities to determine whether the materials are accurate in consideration of the state of the information system and content of the contingency plan. The organization ensures that training is provided to users consistent with assigned roles and responsibilities. |
The organization being inspected/assessed will update contingency training materials when required by information system changes and provide that training to personnel with contingency roles and responsibilities IAW CP-2, CCI 449.
The organization will maintain documentation of the training activity dates, location, and personnel for audit trail purposes and future reference (e.g., scheduling refresher training, etc.). |
Contingency Training |
CP-3 |
CP-3.3 |
Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles/responsibilities reflects the specific continuity requirements in the contingency plan. Related controls: AT-2, AT-3, CP-2, IR-2. |
The organization provides contingency training to information system users consistent with assigned roles and responsibilities:
a. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter. |
| CCI-002835 |
The organization tests the contingency plan at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations. |
The organization conducting the inspection/assessment obtains and examines the test results to ensure the organization being inspected/assessed tests the contingency plan at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations. |
The organization being inspected/assessed will perform contingency plan testing at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations.
The organization must maintain a record of test results. |
Contingency Plan Testing | Alternate Processing Site |
CP-4 (2) |
CP-4(2).2 |
Related control: CP-7. |
The organization tests the contingency plan at the alternate processing site:
(a) To familiarize contingency personnel with the facility and available resources; and
(b) To evaluate the capabilities of the alternate processing site to support contingency operations. |
| CCI-002836 |
The organization ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site. |
The organization conducting the inspection/assessment obtains and examines the documentation of the primary/alternate site information security safeguards that are in place as well as evidence that the alternate site was approved based on an assessment that security is equivalent at the alternate site. |
The organization being inspected/assessed documents the information security safeguards that are in place at both the primary and alternate sites and evidence that the alternate site was approved based on an assessment that security is equivalent at the alternate site. |
Alternate Storage Site |
CP-6 |
CP-6.2 |
Alternate storage sites are sites that are geographically distinct from primary storage sites. An alternate storage site maintains duplicate copies of information and data in the event that the primary storage site is not available. Items covered by alternate storage site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination of delivery/retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-7, CP-9, CP-10, MP-4. |
The organization:
a. Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and
b. Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site. |
| CCI-002837 |
The organization plans for circumstances that preclude returning to the primary processing site. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed plans for circumstances that preclude returning to the primary processing site. |
The organization being inspected/assessed documents a process to be followed in the event of circumstances that preclude returning to the primary processing site. |
Alternate Processing Site | Inability To Return To Primary Site |
CP-7 (6) |
CP-7(6).1 |
|
The organization plans and prepares for circumstances that preclude returning to the primary processing site. |
| CCI-002838 |
The organization prepares for circumstances that preclude returning to the primary processing site. |
The organization conducting the inspection/assessment obtains and examines system resource lists or agreements with external support providers to ensure the organization being inspected/assessed prepares for circumstances that preclude returning to the primary processing site. |
The organization being inspected/assessed makes the resources available necessary to implement the plan documented IAW CP-7 (6), CCI 2837. |
Alternate Processing Site | Inability To Return To Primary Site |
CP-7 (6) |
CP-7(6).2 |
|
The organization plans and prepares for circumstances that preclude returning to the primary processing site. |
| CCI-002839 |
The organization defines information system operations that are permitted to transfer and resume at an alternate processing site for essential missions/business functions when the primary processing capabilities are unavailable. |
The organization conducting the inspection/assessment obtains and examines the documented information system operations to ensure the organization being inspected/assessed defines information system operations that are permitted to transfer and resume at an alternate processing sites for essential missions/business functions when the primary processing capabilities are unavailable.
DoD has determined the information system operations are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents information system operations that are permitted to transfer and resume at an alternate processing sites for essential missions/business functions when the primary processing capabilities are unavailable.
DoD has determined the information system operations are not appropriate to define at the Enterprise level. |
Alternate Processing Site |
CP-7 |
CP-7.4 |
Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-6, CP-8, CP-9, CP-10, MA-6. |
The organization:
a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site. |
| CCI-002840 |
The organization defines the information system operations to be resumed for essential missions within the organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. |
The organization conducting the inspection/assessment obtains and examines the documented information system operations to ensure the organization being inspected/assessed defines the information system operations to be resumed for essential missions within the organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
DoD has determined the information system operations are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information system operations to be resumed for essential missions within the organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
DoD has determined the information system operations are not appropriate to define at the Enterprise level. |
Telecommunications Services |
CP-8 |
CP-8.5 |
This control applies to telecommunications services (data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions/business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary/alternate sites. Alternate telecommunications services include, for example, additional organizational or commercial ground-based circuits/lines or satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements. Related controls: CP-2, CP-6, CP-7. |
The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization- defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. |
| CCI-002841 |
The organization defines the information system operations to be resumed for essential business functions within the organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. |
The organization conducting the inspection/assessment obtains and examines the documented information system operations to ensure the organization being inspected/assessed defines the information system operations to be resumed for essential business functions within the organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
DoD has determined the information system operations are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information system operations to be resumed for essential business functions within the organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
DoD has determined the information system operations are not appropriate to define at the Enterprise level. |
Telecommunications Services |
CP-8 |
CP-8.6 |
This control applies to telecommunications services (data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions/business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary/alternate sites. Alternate telecommunications services include, for example, additional organizational or commercial ground-based circuits/lines or satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements. Related controls: CP-2, CP-6, CP-7. |
The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization- defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. |
| CCI-002842 |
The organization reviews provider contingency plans to ensure that the plans meet organizational contingency requirements. |
The organization conducting the inspection/assessment obtains and examines the audit trail of reviews to ensure the organization being inspected/assessed reviews provider contingency plans to ensure that the plans meet organizational contingency requirements. |
The organization being inspected/assessed obtains and examines provider contingency plans to ensure the plans meet organizational contingency requirements.
The organization must maintain an audit trail of reviews. |
Telecommunications Services | Provider Contingency Plan |
CP-8 (4) |
CP-8(4).3 |
Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security, state, and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training. |
The organization:
(a) Requires primary and alternate telecommunications service providers to have contingency plans;
(b) Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and
(c) Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency]. |
| CCI-002843 |
The organization defines the frequency with which to obtain evidence of contingency testing by providers. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as at least annually. |
DoD has defined the frequency as at least annually. |
Telecommunications Services | Provider Contingency Plan |
CP-8 (4) |
CP-8(4).4 |
Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security, state, and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training. |
The organization:
(a) Requires primary and alternate telecommunications service providers to have contingency plans;
(b) Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and
(c) Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency]. |
| CCI-002844 |
The organization defines the frequency with which to obtain evidence of contingency training by providers. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as at least annually. |
DoD has defined the frequency as at least annually. |
Telecommunications Services | Provider Contingency Plan |
CP-8 (4) |
CP-8(4).5 |
Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security, state, and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training. |
The organization:
(a) Requires primary and alternate telecommunications service providers to have contingency plans;
(b) Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and
(c) Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency]. |
| CCI-002845 |
The organization obtains evidence of contingency testing by providers in accordance with organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the evidence of contingency testing to ensure that the organization being inspected/assessed obtains evidence that contingency testing is conducted by providers at least annually.
DoD has defined the frequency as at least annually. |
The organization being inspected/assessed obtains and maintains evidence of contingency testing by providers to ensure that the training is tested at least annually.
DoD has defined the frequency as at least annually. |
Telecommunications Services | Provider Contingency Plan |
CP-8 (4) |
CP-8(4).6 |
Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security, state, and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training. |
The organization:
(a) Requires primary and alternate telecommunications service providers to have contingency plans;
(b) Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and
(c) Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency]. |
| CCI-002846 |
The organization obtains evidence of contingency training by providers in accordance with organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the evidence of contingency training to ensure that the organization being inspected/assessed obtains evidence that contingency training is conducted by providers at least annually.
DoD has defined the frequency as at least annually. |
The organization being inspected/assessed obtains and maintains evidence of contingency training by providers to ensure that the training is provided at least annually.
DoD has defined the frequency as at least annually. |
Telecommunications Services | Provider Contingency Plan |
CP-8 (4) |
CP-8(4).7 |
Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security, state, and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training. |
The organization:
(a) Requires primary and alternate telecommunications service providers to have contingency plans;
(b) Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and
(c) Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency]. |
| CCI-002847 |
The organization defines the frequency with which to test alternate telecommunication services. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level
DoD has defined the frequency as at least annually. |
DoD has defined the frequency as at least annually. |
Telecommunications Services | Alternate Telecommunication Service Testing |
CP-8 (5) |
CP-8(5).1 |
|
The organization tests alternate telecommunication services [Assignment: organization-defined frequency]. |
| CCI-002848 |
The organization tests alternate telecommunication services per organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of tests to ensure the organization being inspected/assessed tests alternate telecommunication services at least annually.
DoD has defined the frequency as at least annually. |
The organization being inspected/assessed documents and implements a process to test alternate telecommunication services at least annually.
The organization must maintain a record of tests.
DoD has defined the frequency as at least annually. |
Telecommunications Services | Alternate Telecommunication Service Testing |
CP-8 (5) |
CP-8(5).2 |
|
The organization tests alternate telecommunication services [Assignment: organization-defined frequency]. |
| CCI-002849 |
The organization defines critical information system software and other security-related information, of which backup copies must be stored in a separate facility or in a fire-rated container. |
The organization conducting the inspection/assessment obtains and examines the documented critical information system software and other security-related information to ensure the organization being inspected/assessed defines critical information system software and other security-related information which backup copies must be stored in a separate facility or in a fire-rated container.
DoD has determined the critical information system software and other security-related information is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents critical information system software and other security-related information which backup copies must be stored in a separate facility or in a fire-rated container.
DoD has determined the critical information system software and other security-related information is not appropriate to define at the Enterprise level. |
Information System Backup | Separate Storage For Critical Information |
CP-9 (3) |
CP-9(3).1 |
Critical information system software includes, for example, operating systems, cryptographic key management systems, and intrusion detection/prevention systems. Security-related information includes, for example, organizational inventories of hardware, software, and firmware components. Alternate storage sites typically serve as separate storage facilities for organizations. Related controls: CM-2, CM-8. |
The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system. |
| CCI-002850 |
The organization stores backup copies of organization-defined critical information system software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the operational system. |
The organization conducting the inspection/assessment obtains and examines the record of where software is stored to ensure the organization being inspected/assessed stores backup copies of critical information system software and other security-related information defined in CP-9 (3), CCI 2849 in a separate facility or in a fire-rated container that is not collocated with the operational system. |
The organization being inspected/assessed stores backup copies of critical information system software and other security-related information defined in CP-9 (3), CCI 2849 in a separate facility or in a fire-rated container that is not collocated with the operational system.
The organization must maintain a record of where software is stored. |
Information System Backup | Separate Storage For Critical Information |
CP-9 (3) |
CP-9(3).2 |
Critical information system software includes, for example, operating systems, cryptographic key management systems, and intrusion detection/prevention systems. Security-related information includes, for example, organizational inventories of hardware, software, and firmware components. Alternate storage sites typically serve as separate storage facilities for organizations. Related controls: CM-2, CM-8. |
The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system. |
| CCI-002851 |
The organization defines the backup information that requires dual authorization for deletion or destruction. |
The organization conducting the inspection/assessment obtains and examines the documented backup information to ensure the organization being inspected/assessed defines the backup information that requires dual authorization for deletion or destruction.
DoD has determined the backup information is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the backup information that requires dual authorization for deletion or destruction.
DoD has determined the backup information is not appropriate to define at the Enterprise level. |
Information System Backup | Dual Authorization |
CP-9 (7) |
CP-9(7).1 |
Dual authorization ensures that the deletion or destruction of backup information cannot occur unless two qualified individuals carry out the task. Individuals deleting/destroying backup information possess sufficient skills/expertise to determine if the proposed deletion/destruction of backup information reflects organizational policies and procedures. Dual authorization may also be known as two-person control. Related controls: AC-3, MP-2. |
The organization enforces dual authorization for the deletion or destruction of [Assignment: organization-defined backup information]. |
| CCI-002852 |
The organization enforces dual authorization for the deletion or destruction of organization-defined backup information. |
The organization conducting the inspection/assessment obtains and examines the documented process and record of deletion and destruction to ensure the organization being inspected/assessed enforces dual authorization for the deletion or destruction of backup information defined in CP-9 (7), CCI 2851. |
The organization being inspected/assessed documents and implements a process for dual authorization for the deletion or destruction of backup information defined in CP-9 (7), CCI 2851.
The organization must maintain a record of deletion or destruction of information defined in CP-9 (7), CCI 2851. |
Information System Backup | Dual Authorization |
CP-9 (7) |
CP-9(7).2 |
Dual authorization ensures that the deletion or destruction of backup information cannot occur unless two qualified individuals carry out the task. Individuals deleting/destroying backup information possess sufficient skills/expertise to determine if the proposed deletion/destruction of backup information reflects organizational policies and procedures. Dual authorization may also be known as two-person control. Related controls: AC-3, MP-2. |
The organization enforces dual authorization for the deletion or destruction of [Assignment: organization-defined backup information]. |
| CCI-002853 |
The information system provides the capability to employ organization-defined alternative communications protocols in support of maintaining continuity of operations. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide the capability to employ alternative communications protocols defined in CP-11, CCI 2854 in support of maintaining continuity of operations.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2853. |
The organization being inspected/assessed configures the information system to provide the capability to employ alternative communications protocols defined in CP-11, CCI 2854 in support of maintaining continuity of operations.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2853. |
Alternate Communications Protocols |
CP-11 |
CP-11.1 |
Contingency plans and the associated training and testing for those plans, incorporate an alternate communications protocol capability as part of increasing the resilience of organizational information systems. Alternate communications protocols include, for example, switching from Transmission Control Protocol/Internet Protocol (TCP/IP) Version 4 to TCP/IP Version 6. Switching communications protocols may affect software applications and therefore, the potential side effects of introducing alternate communications protocols are analyzed prior to implementation. |
The information system provides the capability to employ [Assignment: organization-defined alternative communications protocols] in support of maintaining continuity of operations. |
| CCI-002854 |
The organization defines the alternative communications protocols the information system must be capable of providing in support of maintaining continuity of operations. |
The organization conducting the inspection/assessment obtains and examines the documented alternative communications protocols to ensure the organization being inspected/assessed defines the alternative communications protocols the information systems must be capable of providing in support of maintaining continuity of operations.
DoD has determined the alternative communications protocols are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the alternative communications protocols the information systems must be capable of providing in support of maintaining continuity of operations.
DoD has determined the alternative communications protocols are not appropriate to define at the Enterprise level. |
Alternate Communications Protocols |
CP-11 |
CP-11.2 |
Contingency plans and the associated training and testing for those plans, incorporate an alternate communications protocol capability as part of increasing the resilience of organizational information systems. Alternate communications protocols include, for example, switching from Transmission Control Protocol/Internet Protocol (TCP/IP) Version 4 to TCP/IP Version 6. Switching communications protocols may affect software applications and therefore, the potential side effects of introducing alternate communications protocols are analyzed prior to implementation. |
The information system provides the capability to employ [Assignment: organization-defined alternative communications protocols] in support of maintaining continuity of operations. |
| CCI-002855 |
The information system, when organization-defined conditions are detected, enters a safe mode of operation with organization-defined restrictions of safe mode of operation. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enter a safe mode of operation with restrictions of safe mode of operation defined in CP-12, CCI 2857 when conditions defined in CP-12, CCI 2856 are detected.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2855. |
The organization being inspected/assessed configures the information system to enter a safe mode of operation with restrictions of safe mode of operation defined in CP-12, CCI 2857 when conditions defined in CP-12, CCI 2856 are detected.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2855. |
Safe Mode |
CP-12 |
CP-12.1 |
For information systems supporting critical missions/business functions including, for example, military operations and weapons systems, civilian space operations, nuclear power plant operations, and air traffic control operations (especially real-time operational environments), organizations may choose to identify certain conditions under which those systems revert to a predefined safe mode of operation. The safe mode of operation, which can be activated automatically or manually, restricts the types of activities or operations information systems could execute when those conditions are encountered. Restriction includes, for example, allowing only certain functions that could be carried out under limited power or with reduced communications bandwidth. |
The information system, when [Assignment:organization-defined conditions] are detected, enters a safe mode of operation with [Assignment: organization-defined restrictions of safe mode of operation]. |
| CCI-002856 |
The organization defines the conditions that, when detected, the information system enters a safe mode of operation with organization-defined restrictions of safe mode of operation. |
The organization conducting the inspection/assessment obtains and examines the documented conditions to ensure the organization being inspected/assessed defines the conditions, that when detected, the information system enters a safe mode of operation with organization-defined restrictions of safe mode of operation.
DoD has determined the conditions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the conditions, that when detected, the information system enters a safe mode of operation with organization-defined restrictions of safe mode of operation.
DoD has determined the conditions are not appropriate to define at the Enterprise level. |
Safe Mode |
CP-12 |
CP-12.2 |
For information systems supporting critical missions/business functions including, for example, military operations and weapons systems, civilian space operations, nuclear power plant operations, and air traffic control operations (especially real-time operational environments), organizations may choose to identify certain conditions under which those systems revert to a predefined safe mode of operation. The safe mode of operation, which can be activated automatically or manually, restricts the types of activities or operations information systems could execute when those conditions are encountered. Restriction includes, for example, allowing only certain functions that could be carried out under limited power or with reduced communications bandwidth. |
The information system, when [Assignment:organization-defined conditions] are detected, enters a safe mode of operation with [Assignment: organization-defined restrictions of safe mode of operation]. |
| CCI-002857 |
The organization defines the restrictions of the safe mode of operation that the information system will enter when organization-defined conditions are detected. |
The organization conducting the inspection/assessment obtains and examines the documented restrictions to ensure the organization being inspected/assessed defines the restrictions of safe mode of operation that the information system will enter when organization-defined conditions are detected.
DoD has determined the restrictions on safe mode of operation are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the restrictions of safe mode of operation that the information system will enter when organization-defined conditions are detected.
DoD has determined the restrictions on safe mode of operation are not appropriate to define at the Enterprise level. |
Safe Mode |
CP-12 |
CP-12.3 |
For information systems supporting critical missions/business functions including, for example, military operations and weapons systems, civilian space operations, nuclear power plant operations, and air traffic control operations (especially real-time operational environments), organizations may choose to identify certain conditions under which those systems revert to a predefined safe mode of operation. The safe mode of operation, which can be activated automatically or manually, restricts the types of activities or operations information systems could execute when those conditions are encountered. Restriction includes, for example, allowing only certain functions that could be carried out under limited power or with reduced communications bandwidth. |
The information system, when [Assignment:organization-defined conditions] are detected, enters a safe mode of operation with [Assignment: organization-defined restrictions of safe mode of operation]. |
| CCI-002858 |
The organization employs organization-defined alternative or supplemental security mechanisms for satisfying organization-defined security functions when the primary means of implementing the security function is unavailable or compromised. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed employs alternative or supplemental security mechanisms defined in CP-13, CCI 2859 for satisfying security functions defined in CP-13, CCI 2860 when the primary means of implementing the security function is unavailable or compromised. |
The organization being inspected/assessed documents and implement a process to employ alternative or supplemental security mechanisms defined in CP-13, CCI 2859 for satisfying security functions defined in CP-13, CCI 2860 when the primary means of implementing the security function is unavailable or compromised. |
Alternative Security Mechanisms |
CP-13 |
CP-13.1 |
This control supports information system resiliency and contingency planning/continuity of operations. To ensure mission/business continuity, organizations can implement alternative or supplemental security mechanisms. These mechanisms may be less effective than the primary mechanisms (e.g., not as easy to use, not as scalable, or not as secure). However, having the capability to readily employ these alternative/supplemental mechanisms enhances overall mission/business continuity that might otherwise be adversely impacted if organizational operations had to be curtailed until the primary means of implementing the functions was restored. Given the cost and level of effort required to provide such alternative capabilities, this control would typically be applied only to critical security capabilities provided by information systems, system components, or information system services. For example, an organization may issue to senior executives and system administrators one-time pads in case multifactor tokens, the organization's standard means for secure remote authentication, is compromised. Related control: CP-2. |
The organization employs [Assignment:organization-defined alternative or supplemental security mechanisms] for satisfying [Assignment: organization-defined security functions] when the primary means of implementing the security function is unavailable or compromised. |
| CCI-002859 |
The organization defines the alternative or supplemental security mechanisms that will be employed for satisfying organization-defined security functions when the primary means of implementing the security function is unavailable or compromised. |
The organization conducting the inspection/assessment obtains and examines the documented alternative or supplemental security mechanisms to ensure the organization being inspected/assessed defines the alternative or supplemental security mechanisms that will be employed for satisfying organization-defined security functions when the primary means of implementing the security function is unavailable or compromised.
DoD has determined the alternative or supplemental security mechanisms are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the alternative or supplemental security mechanisms that will be employed for satisfying organization-defined security functions when the primary means of implementing the security function is unavailable or compromised.
DoD has determined the alternative or supplemental security mechanisms are not appropriate to define at the Enterprise level. |
Alternative Security Mechanisms |
CP-13 |
CP-13.2 |
This control supports information system resiliency and contingency planning/continuity of operations. To ensure mission/business continuity, organizations can implement alternative or supplemental security mechanisms. These mechanisms may be less effective than the primary mechanisms (e.g., not as easy to use, not as scalable, or not as secure). However, having the capability to readily employ these alternative/supplemental mechanisms enhances overall mission/business continuity that might otherwise be adversely impacted if organizational operations had to be curtailed until the primary means of implementing the functions was restored. Given the cost and level of effort required to provide such alternative capabilities, this control would typically be applied only to critical security capabilities provided by information systems, system components, or information system services. For example, an organization may issue to senior executives and system administrators one-time pads in case multifactor tokens, the organization's standard means for secure remote authentication, is compromised. Related control: CP-2. |
The organization employs [Assignment:organization-defined alternative or supplemental security mechanisms] for satisfying [Assignment: organization-defined security functions] when the primary means of implementing the security function is unavailable or compromised. |
| CCI-002860 |
The organization defines the security functions that must be satisfied when the primary means of implementing the security function is unavailable or compromised. |
The organization conducting the inspection/assessment obtains and examines the documented security functions to ensure the organization being inspected/assessed defines the security functions that must be satisfied when the primary means of implementing the security function is unavailable or compromised.
DoD has determined the security functions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security functions that must be satisfied when the primary means of implementing the security function is unavailable or compromised.
DoD has determined the security functions are not appropriate to define at the Enterprise level. |
Alternative Security Mechanisms |
CP-13 |
CP-13.3 |
This control supports information system resiliency and contingency planning/continuity of operations. To ensure mission/business continuity, organizations can implement alternative or supplemental security mechanisms. These mechanisms may be less effective than the primary mechanisms (e.g., not as easy to use, not as scalable, or not as secure). However, having the capability to readily employ these alternative/supplemental mechanisms enhances overall mission/business continuity that might otherwise be adversely impacted if organizational operations had to be curtailed until the primary means of implementing the functions was restored. Given the cost and level of effort required to provide such alternative capabilities, this control would typically be applied only to critical security capabilities provided by information systems, system components, or information system services. For example, an organization may issue to senior executives and system administrators one-time pads in case multifactor tokens, the organization's standard means for secure remote authentication, is compromised. Related control: CP-2. |
The organization employs [Assignment:organization-defined alternative or supplemental security mechanisms] for satisfying [Assignment: organization-defined security functions] when the primary means of implementing the security function is unavailable or compromised. |
| CCI-001932 |
The organization documents an identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
|
|
|
|
|
|
|
| CCI-001933 |
The organization defines the personnel or roles to be recipients of the identification and authentication policy and the procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls. |
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8520.02 and DoDI 8520.03.
DoD has defined the roles to be recipients of the identification and authentication policy and the procedures as the ISSO and ISSM and others as the local organization deems appropriate. |
DoD has defined the roles to be recipients of the identification and authentication policy and the procedures as the ISSO and ISSM and others as the local organization deems appropriate.
DoDI 8520.02 and DoDI 8520.03 meet the DoD requirement for Identification and Authentication policy and procedures.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 8520.02 and DoDI 8520.03. |
Identification And Authentication Policy And Procedures |
IA-1 |
IA-1.1 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and
b. Reviews and updates the current:
1. Identification and authentication policy [Assignment: organization-defined frequency]; and
2. Identification and authentication procedures [Assignment: organization-defined frequency]. |
| CCI-001934 |
The organization documents procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls. |
|
|
|
|
|
|
|
| CCI-001935 |
The organization defines the strength of mechanism requirements for the device that is separate from the system gaining access to privileged accounts. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
For the strength of mechanism requirements DoD has defined requirements as DoD PKI or a technology approved by their Authorizing Official, FIPS 140-2, NIAP Certification, or NSA approval. |
For the strength of mechanism requirements DoD has defined requirements as DoD PKI or a technology approved by their Authorizing Official, FIPS 140-2, NIAP Certification, or NSA approval. |
Identification And Authentication | Network Access To Privileged Accounts - Separate Device |
IA-2 (6) |
IA-2(6).1 |
Related control: AC-6. |
The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]. |
| CCI-001936 |
The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1936. |
The organization being inspected/assessed configures the information system to implement multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1936. |
Identification And Authentication | Network Access To Privileged Accounts - Separate Device |
IA-2 (6) |
IA-2(6).2 |
Related control: AC-6. |
The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]. |
| CCI-001937 |
The device used in the information system implementation of multifactor authentication for network access to privileged accounts meets organization-defined strength of mechanism requirements. |
The organization conducting the inspection/assessment obtains and examines the device used to ensure that the device implemented for multifactor authentication for network access to privileged accounts meets Federal standards for authentication such as FIPS 140-2, NIAP Certification, or NSA approval.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1937. |
The organization being inspected/assessed will use DoD PKI or a technology approved by their Authorizing Official that meet Federal standards for authentication such as FIPS 140-2, NIAP Certification, or NSA approval.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1937. |
Identification And Authentication | Network Access To Privileged Accounts - Separate Device |
IA-2 (6) |
IA-2(6).3 |
Related control: AC-6. |
The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]. |
| CCI-001938 |
The organization defines the strength of mechanism requirements for the device that is separate from the system gaining access to non-privileged accounts. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
For the strength of mechanism requirements DoD has defined requirements as DoD PKI or a technology approved by their Authorizing Official, FIPS 140-2, NIAP Certification, or NSA approval. |
For the strength of mechanism requirements DoD has defined requirements as DoD PKI or a technology approved by their Authorizing Official, FIPS 140-2, NIAP Certification, or NSA approval. |
Identification And Authentication | Network Access To Non-Privileged Accounts - Separate Device |
IA-2 (7) |
IA-2(7).1 |
Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators. |
The information system implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]. |
| CCI-001939 |
The information system implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1939, |
The organization being inspected/assessed configures the information system to implement multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1939. |
Identification And Authentication | Network Access To Non-Privileged Accounts - Separate Device |
IA-2 (7) |
IA-2(7).2 |
Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators. |
The information system implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]. |
| CCI-001940 |
The device used in the information system implementation of multifactor authentication for network access to non-privileged accounts meets organization-defined strength of mechanism requirements. |
The organization conducting the inspection/assessment obtains and examines the device used to ensure that the device implemented for multifactor authentication for network access to non-privileged accounts meets Federal standards for authentication such as FIPS 140-2, NIAP Certification, or NSA approval.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1940. |
The organization being inspected/assessed will use DoD PKI or a technology approved by their Authorizing Official that meet Federal standards for authentication such as FIPS 140-2, NIAP Certification, or NSA approval.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1940. |
Identification And Authentication | Network Access To Non-Privileged Accounts - Separate Device |
IA-2 (7) |
IA-2(7).3 |
Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators. |
The information system implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]. |
| CCI-001941 |
The information system implements replay-resistant authentication mechanisms for network access to privileged accounts. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement replay-resistant authentication mechanisms for network access to privileged accounts.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1941. |
The organization being inspected/assessed configures the information system to implement replay-resistant authentication mechanisms for network access to privileged accounts.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1941. |
Identification And Authentication | Network Access To Privileged Accounts - Replay Resistant |
IA-2 (8) |
IA-2(8).1 |
|
The information system implements replay-resistant authentication mechanisms for network access to privileged accounts. |
| CCI-001942 |
The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement replay-resistant authentication mechanisms for network access to non-privileged accounts.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1942. |
The organization being inspected/assessed configures the information system to implement replay-resistant authentication mechanisms for network access to non-privileged accounts.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1942. |
Identification And Authentication | Network Access To Non-Privileged Accounts - Replay Resistant |
IA-2 (9) |
IA-2(9).1 |
Authentication processes resist replay attacks if it is impractical to achieve successful authentications by recording/replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators. |
The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts. |
| CCI-001943 |
The organization defines the information system accounts for which single sign-on capability will be provided. |
The organization conducting the inspection/assessment obtains and examines the documented list of system accounts to ensure the organization being inspected/assessed defines any accounts for which a single sign-on capability is provided.
DoD has determined the system services are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents any accounts for which a single sign-on capability is provided.
For single sign-on providers (creator/maintainer of the single sign-on user accounts) this will be a list of accounts or groups that are authorized to use single sign-on capability.
For single sign-on services this will be a per provider list of accounts or groups authorized to use the service.
DoD has determined the system services are not appropriate to define at the Enterprise level. |
Identification And Authentication | Single Sign-On |
IA-2 (10) |
IA-2(10).1 |
Single sign-on enables users to log in once and gain access to multiple information system resources. Organizations consider the operational efficiencies provided by single sign-on capabilities with the increased risk from disclosures of single authenticators providing access to multiple system resources. |
The information system provides a single sign-on capability for [Assignment: organization-defined list of information system accounts and services]. |
| CCI-001944 |
The organization defines the information system services for which single sign-on capability will be provided. |
The organization conducting the inspection/assessment obtains and examines the documented system services to ensure the organization being inspected/assessed defines any services (e.g., websites) for which a single sign-on capability is provided.
DoD has determined the system services are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents any services (e.g., websites) for which a single sign-on capability is provided.
DoD has determined the system services are not appropriate to define at the Enterprise level. |
Identification And Authentication | Single Sign-On |
IA-2 (10) |
IA-2(10).2 |
Single sign-on enables users to log in once and gain access to multiple information system resources. Organizations consider the operational efficiencies provided by single sign-on capabilities with the increased risk from disclosures of single authenticators providing access to multiple system resources. |
The information system provides a single sign-on capability for [Assignment: organization-defined list of information system accounts and services]. |
| CCI-001945 |
The information system provides a single sign-on capability for an organization-defined list of information system accounts. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide a single sign-on capability for the list of information system accounts defined in IA-2 (10), CCI 1943.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1945. |
The organization being inspected/assessed configures the information system to provide a single sign-on capability for the list of information system accounts defined in IA-2 (10), CCI 1943.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1945. |
Identification And Authentication | Single Sign-On |
IA-2 (10) |
IA-2(10).3 |
Single sign-on enables users to log in once and gain access to multiple information system resources. Organizations consider the operational efficiencies provided by single sign-on capabilities with the increased risk from disclosures of single authenticators providing access to multiple system resources. |
The information system provides a single sign-on capability for [Assignment: organization-defined list of information system accounts and services]. |
| CCI-001946 |
The information system provides a single sign-on capability for an organization-defined list of information system services. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide a single sign-on capability for the list of information system services defined in IA-2 (10), CCI 1944.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1946. |
The organization being inspected/assessed configures the information system to provide a single sign-on capability for the list of information system services defined in IA-2 (10), CCI 1944.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1946. |
Identification And Authentication | Single Sign-On |
IA-2 (10) |
IA-2(10).4 |
Single sign-on enables users to log in once and gain access to multiple information system resources. Organizations consider the operational efficiencies provided by single sign-on capabilities with the increased risk from disclosures of single authenticators providing access to multiple system resources. |
The information system provides a single sign-on capability for [Assignment: organization-defined list of information system accounts and services]. |
| CCI-001947 |
The organization defines the strength of mechanism requirements for the device that is separate from the system gaining access and is to provide one factor of a multifactor authentication for remote access to privileged accounts. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
For the strength of mechanism requirements DoD has defined requirements as DoD PKI or a technology approved by their Authorizing Official, FIPS 140-2, NIAP Certification, or NSA approval. |
For the strength of mechanism requirements DoD has defined requirements as DoD PKI or a technology approved by their Authorizing Official, FIPS 140-2, NIAP Certification, or NSA approval. |
Identification And Authentication | Remote Access - Separate Device |
IA-2 (11) |
IA-2(11).1 |
For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users. Related control: AC-6. |
The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]. |
| CCI-001948 |
The information system implements multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1948. |
The organization being inspected/assessed configures the information system to implement multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1948. |
Identification And Authentication | Remote Access - Separate Device |
IA-2 (11) |
IA-2(11).2 |
For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users. Related control: AC-6. |
The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]. |
| CCI-001949 |
The device used in the information system implementation of multifactor authentication for remote access to privileged accounts meets organization-defined strength of mechanism requirements. |
The organization conducting the inspection/assessment obtains and examines the device used to ensure that the device implemented for multifactor authentication for remote access to privileged accounts meets Federal standards for authentication such as FIPS 140-2, NIAP Certification, or NSA approval.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1949. |
The organization being inspected/assessed will use DoD PKI or a technology approved by their Authorizing Official that meet Federal standards for authentication such as FIPS 140-2, NIAP Certification, or NSA approval.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1949. |
Identification And Authentication | Remote Access - Separate Device |
IA-2 (11) |
IA-2(11).3 |
For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users. Related control: AC-6. |
The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]. |
| CCI-001950 |
The organization defines the strength of mechanism requirements for the device that is separate from the system gaining access and is to provide one factor of a multifactor authentication for remote access to non-privileged accounts. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
For the strength of mechanism requirements DoD has defined requirements as DoD PKI or a technology approved by their Authorizing Official, FIPS 140-2, NIAP Certification, or NSA approval. |
For the strength of mechanism requirements DoD has defined requirements as DoD PKI or a technology approved by their Authorizing Official, FIPS 140-2, NIAP Certification, or NSA approval. |
Identification And Authentication | Remote Access - Separate Device |
IA-2 (11) |
IA-2(11).4 |
For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users. Related control: AC-6. |
The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]. |
| CCI-001951 |
The information system implements multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1951. |
The organization being inspected/assessed configures the information system to implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1951. |
Identification And Authentication | Remote Access - Separate Device |
IA-2 (11) |
IA-2(11).5 |
For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users. Related control: AC-6. |
The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]. |
| CCI-001952 |
The device used in the information system implementation of multifactor authentication for remote access to non-privileged accounts meets organization-defined strength of mechanism requirements. |
The organization conducting the inspection/assessment obtains and examines the device used to ensure that the device implemented for multifactor authentication for remote access to non-privileged accounts meets Federal standards for authentication such as FIPS 140-2, NIAP Certification, or NSA approval.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1952. |
The organization being inspected/assessed will use DoD PKI or a technology approved by their Authorizing Official that meet Federal standards for authentication such as FIPS 140-2, NIAP Certification, or NSA approval.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1952. |
Identification And Authentication | Remote Access - Separate Device |
IA-2 (11) |
IA-2(11).6 |
For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users. Related control: AC-6. |
The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]. |
| CCI-001953 |
The information system accepts Personal Identity Verification (PIV) credentials. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to accept PIV/CAC authentication.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1953. |
The organization being inspected/assessed configures the information system to accept PIV/CAC authentication.
This control enhancement applies to organizations implementing logical access control systems (LACS) and physical access control systems (PACS).
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1953 |
Identification And Authentication | Acceptance Of Piv Credentials |
IA-2 (12) |
IA-2(12).1 |
This control enhancement applies to organizations implementing logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials. Related controls: AU-2, PE-3, SA-4. |
The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials. |
| CCI-001954 |
The information system electronically verifies Personal Identity Verification (PIV) credentials. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to verify PIV/CAC authentication.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1954. |
The organization being inspected/assessed configures the information system to verify PIV/CAC authentication.
This control enhancement applies to organizations implementing logical access control systems (LACS) and physical access control systems (PACS).
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1954. |
Identification And Authentication | Acceptance Of Piv Credentials |
IA-2 (12) |
IA-2(12).2 |
This control enhancement applies to organizations implementing logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials. Related controls: AU-2, PE-3, SA-4. |
The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials. |
| CCI-001955 |
The organization defines the out-of-band authentication to be implemented by the information system under organization-defined conditions. |
The organization conducting the inspection/assessment obtains and examines the documented out-of-band authentication to ensure the organization being inspected/assessed defines the out-of-band authentication to be implemented by the information system under organization-defined conditions.
DoD has determined the out-of-band authentication is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the out-of-band authentication to be implemented by the information system under organization-defined conditions.
DoD has determined the out-of-band authentication is not appropriate to define at the Enterprise level. |
Identification And Authentication | Out-Of-Band Authentication |
IA-2 (13) |
IA-2(13).1 |
Out-of-band authentication (OOBA) refers to the use of two separate communication paths to identify and authenticate users or devices to an information system. The first path (i.e., the in-band path), is used to identify and authenticate users or devices, and generally is the path through which information flows. The second path (i.e., the out-of-band path) is used to independently verify the authentication and/or requested action. For example, a user authenticates via a notebook computer to a remote server to which the user desires access, and requests some action of the server via that communication path. Subsequently, the server contacts the user via the user's cell phone to verify that the requested action originated from the user. The user may either confirm the intended action to an individual on the telephone or provide an authentication code via the telephone. This type of authentication can be employed by organizations to mitigate actual or suspected man-in the-middle attacks. The conditions for activation can include, for example, suspicious activities, new threat indicators or elevated threat levels, or the impact level or classification level of information in requested transactions. Related controls: IA-10, IA-11, SC-37. |
The information system implements [Assignment: organization-defined out-of-band authentication] under [Assignment: organization-defined conditions]. |
| CCI-001956 |
The organization defines the conditions for which the information system implements organization-defined out-of-band authentication. |
The organization conducting the inspection/assessment obtains and examines the documented conditions to ensure the organization being inspected/assessed defines the conditions for which the information system implements organization-defined out-of-band authentication.
DoD has determined the conditions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the conditions for which the information system implements organization-defined out-of-band authentication.
DoD has determined the conditions are not appropriate to define at the Enterprise level. |
Identification And Authentication | Out-Of-Band Authentication |
IA-2 (13) |
IA-2(13).2 |
Out-of-band authentication (OOBA) refers to the use of two separate communication paths to identify and authenticate users or devices to an information system. The first path (i.e., the in-band path), is used to identify and authenticate users or devices, and generally is the path through which information flows. The second path (i.e., the out-of-band path) is used to independently verify the authentication and/or requested action. For example, a user authenticates via a notebook computer to a remote server to which the user desires access, and requests some action of the server via that communication path. Subsequently, the server contacts the user via the user's cell phone to verify that the requested action originated from the user. The user may either confirm the intended action to an individual on the telephone or provide an authentication code via the telephone. This type of authentication can be employed by organizations to mitigate actual or suspected man-in the-middle attacks. The conditions for activation can include, for example, suspicious activities, new threat indicators or elevated threat levels, or the impact level or classification level of information in requested transactions. Related controls: IA-10, IA-11, SC-37. |
The information system implements [Assignment: organization-defined out-of-band authentication] under [Assignment: organization-defined conditions]. |
| CCI-001957 |
The information system implements organization-defined out-of-band authentication under organization-defined conditions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement out-of-band authentication defined in IA-2 (13), CCI 1955 under conditions defined in IA-2 (13), CCI 1956.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1957. |
The organization being inspected/assessed configures the information system to implement out-of-band authentication defined in IA-2 (13), CCI 1955 under conditions defined in IA-2 (13), CCI 1956.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1957. |
Identification And Authentication | Out-Of-Band Authentication |
IA-2 (13) |
IA-2(13).3 |
Out-of-band authentication (OOBA) refers to the use of two separate communication paths to identify and authenticate users or devices to an information system. The first path (i.e., the in-band path), is used to identify and authenticate users or devices, and generally is the path through which information flows. The second path (i.e., the out-of-band path) is used to independently verify the authentication and/or requested action. For example, a user authenticates via a notebook computer to a remote server to which the user desires access, and requests some action of the server via that communication path. Subsequently, the server contacts the user via the user's cell phone to verify that the requested action originated from the user. The user may either confirm the intended action to an individual on the telephone or provide an authentication code via the telephone. This type of authentication can be employed by organizations to mitigate actual or suspected man-in the-middle attacks. The conditions for activation can include, for example, suspicious activities, new threat indicators or elevated threat levels, or the impact level or classification level of information in requested transactions. Related controls: IA-10, IA-11, SC-37. |
The information system implements [Assignment: organization-defined out-of-band authentication] under [Assignment: organization-defined conditions]. |
| CCI-001958 |
The information system authenticates an organization-defined list of specific and/or types of devices before establishing a local, remote, or network connection. |
The organization conducting the inspection/assessment examine a sampling of the network infrastructure device configurations to ensure devices connecting to the infrastructure are uniquely authenticated.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1958. |
The organization being inspected/assessed configures the network infrastructure to authenticate all mobiles devices and network connected endpoint devices (including but not limited to: workstations, printers, servers (outside a datacenter), VoIP Phones, VTC CODECs) before establishing a local, remote, network connection.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1958.
DoD has defined the value as all mobile devices and network connected endpoint devices (including but not limited to: workstations, printers, servers (outside a datacenter), VoIP Phones, VTC CODECs). |
Device Identification And Authentication |
IA-3 |
IA-3.3 |
Organizational devices requiring unique device-to-device identification and authentication may be defined by type, by device, or by a combination of type/device. Information systems typically use either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify/authenticate devices on local and/or wide area networks. Organizations determine the required strength of authentication mechanisms by the security categories of information systems. Because of the challenges of applying this control on large scale, organizations are encouraged to only apply the control to those limited number (and type) of devices that truly need to support this capability. Related controls: AC-17, AC-18, AC-19, CA-3, IA-4, IA-5. |
The information system uniquely identifies and authenticates [Assignment: organization defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection. |
| CCI-001959 |
The organization defines the specific devices and/or type of devices the information system is to authenticate before establishing a connection. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the value as all network connected endpoint devices (including but not limited to: workstations, printers, servers (outside a datacenter), VoIP Phones, VTC CODECs). |
DoD has defined the value as all network connected endpoint devices (including but not limited to: workstations, printers, servers (outside a datacenter), VoIP Phones, VTC CODECs). |
Device Identification And Authentication | Cryptographic Bidirectional Authentication |
IA-3 (1) |
IA-3(1).1 |
A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk (e.g., remote connections). Related controls: SC-8, SC-12, SC-13. |
The information system authenticates [Assignment: organization-defined specific devices and/or types of devices] before establishing [Selection (one or more): local; remote; network] connection using bidirectional authentication that is cryptographically based. |
| CCI-001960 |
The organization defines the lease information to be assigned to devices. |
The organization conducting the inspection/assessment obtains and examines the documented lease information assigned to devices.
DoD has determined the lease information is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the lease information to be assigned to devices.
DoD has determined the lease information is not appropriate to define at the Enterprise level. |
Device Identification And Authentication | Dynamic Address Allocation |
IA-3 (3) |
IA-3(3).1 |
DHCP-enabled clients obtaining leases for IP addresses from DHCP servers, is a typical example of dynamic address allocation for devices. Related controls: AU-2, AU-3, AU-6, AU-12. |
The organization:
(a) Standardizes dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and
(b) Audits lease information when assigned to a device. |
| CCI-001961 |
The organization defines the lease duration to be assigned to devices. |
The organization conducting the inspection/assessment obtains and examines the documented lease duration to ensure the organization being inspected/assessed defines the lease duration to be assigned to devices.
DoD has determined the lease duration is not appropriate to define at the Enterprise level |
The organization being inspected/assessed defines and documents the lease duration to be assigned to devices.
DoD has determined the lease duration is not appropriate to define at the Enterprise level. |
Device Identification And Authentication | Dynamic Address Allocation |
IA-3 (3) |
IA-3(3).2 |
DHCP-enabled clients obtaining leases for IP addresses from DHCP servers, is a typical example of dynamic address allocation for devices. Related controls: AU-2, AU-3, AU-6, AU-12. |
The organization:
(a) Standardizes dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and
(b) Audits lease information when assigned to a device. |
| CCI-001962 |
The organization standardizes dynamic address allocation lease information assigned to devices in accordance with organization-defined lease information. |
The organization conducting the inspection/assessment examines the information system granting the lease to ensure the organization configures the information system to implement dynamic address allocation in accordance with CCI 1961.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1962. |
The organization being inspected/assessed configures the information system to grant leases containing organization defined lease information.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1962. |
Device Identification And Authentication | Dynamic Address Allocation |
IA-3 (3) |
IA-3(3).3 |
DHCP-enabled clients obtaining leases for IP addresses from DHCP servers, is a typical example of dynamic address allocation for devices. Related controls: AU-2, AU-3, AU-6, AU-12. |
The organization:
(a) Standardizes dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and
(b) Audits lease information when assigned to a device. |
| CCI-001963 |
The organization standardizes dynamic address allocation lease duration assigned to devices in accordance with organization-defined lease duration. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to grant the leases assigned to devices in accordance with organization-defined lease duration.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1963. |
The organization being inspected/assessed configures the information system to grant the leases assigned to devices in accordance with organization-defined lease duration.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1963. |
Device Identification And Authentication | Dynamic Address Allocation |
IA-3 (3) |
IA-3(3).4 |
DHCP-enabled clients obtaining leases for IP addresses from DHCP servers, is a typical example of dynamic address allocation for devices. Related controls: AU-2, AU-3, AU-6, AU-12. |
The organization:
(a) Standardizes dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and
(b) Audits lease information when assigned to a device. |
| CCI-001964 |
The organization defines the configuration management process that is to handle the device identification procedures. |
|
|
|
|
|
|
|
| CCI-001965 |
The organization defines the configuration management process that is to handle the device authentication procedures. |
The organization conducting the inspection/assessment obtains and examines the documented configuration management process to ensure the organization being inspected/assessed defines the configuration management process that is to handle the device authentication procedures.
DoD has determined the configuration management process is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the configuration management process that is to handle the device authentication procedures.
DoD has determined the configuration management process is not appropriate to define at the Enterprise level. |
Device Identification And Authentication | Device Attestation |
IA-3 (4) |
IA-3(4).1 |
Device attestation refers to the identification and authentication of a device based on its configuration and known operating state. This might be determined via some cryptographic hash of the device. If device attestation is the means of identification and authentication, then it is important that patches and updates to the device are handled via a configuration management process such that the those patches/updates are done securely and at the same time do not disrupt the identification and authentication to other devices. |
The organization ensures that device identification and authentication based on attestation is handled by [Assignment: organization-defined configuration management process]. |
| CCI-001966 |
The organization ensures that device identification based on attestation is handled by the organization-defined configuration management process. |
The organization conducting the inspection/assessment obtains and examines the documented configuration management process to ensure the organization being inspected/assessed has device identification based on attestation handled via the configuration management process. |
The organization being inspected/assessed ensures that device identification based on attestation is handled by the configuration management process defined in IA-3 (4), CCI 1968. |
Device Identification And Authentication | Device Attestation |
IA-3 (4) |
IA-3(4).2 |
Device attestation refers to the identification and authentication of a device based on its configuration and known operating state. This might be determined via some cryptographic hash of the device. If device attestation is the means of identification and authentication, then it is important that patches and updates to the device are handled via a configuration management process such that the those patches/updates are done securely and at the same time do not disrupt the identification and authentication to other devices. |
The organization ensures that device identification and authentication based on attestation is handled by [Assignment: organization-defined configuration management process]. |
| CCI-001967 |
The information system authenticates organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. |
The organization conducting the inspection/assessment examine a sampling of the network infrastructure device configurations to ensure devices connecting to the infrastructure use cryptographically based bidirectional authentication.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1967. |
The organization being inspected/assessed configures the information system to use cryptographically based bidirectional authentication.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1967. |
Device Identification And Authentication | Cryptographic Bidirectional Authentication |
IA-3 (1) |
IA-3(1).2 |
A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk (e.g., remote connections). Related controls: SC-8, SC-12, SC-13. |
The information system authenticates [Assignment: organization-defined specific devices and/or types of devices] before establishing [Selection (one or more): local; remote; network] connection using bidirectional authentication that is cryptographically based. |
| CCI-001968 |
The organization defines the configuration management process that is to handle the device identification procedures. |
The organization conducting the inspection/assessment obtains and examines the documented configuration management process to ensure the organization being inspected/assessed defines the configuration management process that is to handle the device identification procedures.
DoD has determined the configuration management process is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the configuration management process that is to handle the device identification procedures.
DoD has determined the configuration management process is not appropriate to define at the Enterprise level. |
Device Identification And Authentication | Device Attestation |
IA-3 (4) |
IA-3(4).3 |
Device attestation refers to the identification and authentication of a device based on its configuration and known operating state. This might be determined via some cryptographic hash of the device. If device attestation is the means of identification and authentication, then it is important that patches and updates to the device are handled via a configuration management process such that the those patches/updates are done securely and at the same time do not disrupt the identification and authentication to other devices. |
The organization ensures that device identification and authentication based on attestation is handled by [Assignment: organization-defined configuration management process]. |
| CCI-001969 |
The organization ensures that device authentication based on attestation is handled by the organization-defined configuration management process. |
The organization conducting the inspection/assessment obtains and examines the documented configuration management process to ensure the organization being inspected/assessed has device authentication based on attestation handled via the configuration management process. |
The organization being inspected/assessed ensures that device authentication based on attestation is handled by the configuration management process defined in IA-3 (4), CCI 1965. |
Device Identification And Authentication | Device Attestation |
IA-3 (4) |
IA-3(4).4 |
Device attestation refers to the identification and authentication of a device based on its configuration and known operating state. This might be determined via some cryptographic hash of the device. If device attestation is the means of identification and authentication, then it is important that patches and updates to the device are handled via a configuration management process such that the those patches/updates are done securely and at the same time do not disrupt the identification and authentication to other devices. |
The organization ensures that device identification and authentication based on attestation is handled by [Assignment: organization-defined configuration management process]. |
| CCI-001970 |
The organization defines the personnel or roles that authorize the assignment of individual, group, role, and device identifiers. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as the ISSM or ISSO. |
DoD has defined the personnel or roles as the ISSM or ISSO. |
Identifier Management |
IA-4 |
IA-4.1 |
Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices. Related controls: AC-2, IA-2, IA-3, IA-5, IA-8, SC-37. |
The organization manages information system identifiers by:
a. Receiving authorization from [Assignment: organization-defined personnel] to assign an individual, group, role, or device identifier;
b. Selecting an identifier that identifies an individual, group, role, or device;
c. Assigning the identifier to the intended individual, group, role, or device;
d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and
e. Disabling the identifier after [Assignment: organization-defined time period of inactivity]. |
| CCI-001971 |
The organization manages information system identifiers by receiving authorization from organization-defined personnel or roles to assign an individual, group, role, or device identifier. |
The organization conducting the inspection/assessment obtains and examines documentation and system configuration information to ensure the organization being inspected/assessed manages information system identifiers by receiving authorization from the ISSM or ISSO to assign an individual, group, role or device identifier.
DoD has defined the personnel or roles as the ISSM or ISSO. |
The organization being inspected/assessed implements a process to manage information system identifiers by receiving authorization from the ISSM or ISSO to assign an individual, group, role or device identifier.
DoD has defined the personnel or roles as the ISSM or ISSO. |
Identifier Management |
IA-4 |
IA-4.2 |
Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices. Related controls: AC-2, IA-2, IA-3, IA-5, IA-8, SC-37. |
The organization manages information system identifiers by:
a. Receiving authorization from [Assignment: organization-defined personnel] to assign an individual, group, role, or device identifier;
b. Selecting an identifier that identifies an individual, group, role, or device;
c. Assigning the identifier to the intended individual, group, role, or device;
d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and
e. Disabling the identifier after [Assignment: organization-defined time period of inactivity]. |
| CCI-001972 |
The organization manages information system identifiers by selecting an identifier that identifies an individual, group, role, or device. |
The organization conducting the inspection/assessment obtains and examines documentation or system configuration information to ensure the organization being inspected/assessed manages information system identifiers by selecting an identifier that identifies an individual, group, role, or device. |
The organization being inspected/assessed implements a process to manage information system identifiers by selecting an identifier that identifies an individual, group, role, or device. |
Identifier Management |
IA-4 |
IA-4.3 |
Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices. Related controls: AC-2, IA-2, IA-3, IA-5, IA-8, SC-37. |
The organization manages information system identifiers by:
a. Receiving authorization from [Assignment: organization-defined personnel] to assign an individual, group, role, or device identifier;
b. Selecting an identifier that identifies an individual, group, role, or device;
c. Assigning the identifier to the intended individual, group, role, or device;
d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and
e. Disabling the identifier after [Assignment: organization-defined time period of inactivity]. |
| CCI-001973 |
The organization manages information system identifiers by assigning the identifier to the intended individual, group, role, or device. |
The organization conducting the inspection/assessment obtains and examines documentation or system configuration information to ensure the organization being inspected/assessed manages information system identifiers by assigning the identifier to the intended individual, group, role, or device. |
The organization being inspected/assessed implements a process to manage information system identifiers by assigning the identifier to the intended individual, group, role, or device. |
Identifier Management |
IA-4 |
IA-4.4 |
Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices. Related controls: AC-2, IA-2, IA-3, IA-5, IA-8, SC-37. |
The organization manages information system identifiers by:
a. Receiving authorization from [Assignment: organization-defined personnel] to assign an individual, group, role, or device identifier;
b. Selecting an identifier that identifies an individual, group, role, or device;
c. Assigning the identifier to the intended individual, group, role, or device;
d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and
e. Disabling the identifier after [Assignment: organization-defined time period of inactivity]. |
| CCI-001974 |
The organization defines the time period for which the reuse of identifiers is prohibited. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as 1 year for user identifiers (DoD is not going to specify value for device identifier). |
DoD has defined the time period as 1 year for user identifiers (DoD is not going to specify value for device identifier). |
Identifier Management |
IA-4 |
IA-4.5 |
Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices. Related controls: AC-2, IA-2, IA-3, IA-5, IA-8, SC-37. |
The organization manages information system identifiers by:
a. Receiving authorization from [Assignment: organization-defined personnel] to assign an individual, group, role, or device identifier;
b. Selecting an identifier that identifies an individual, group, role, or device;
c. Assigning the identifier to the intended individual, group, role, or device;
d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and
e. Disabling the identifier after [Assignment: organization-defined time period of inactivity]. |
| CCI-001975 |
The organization manages information system identifiers by preventing reuse of identifiers for an organization-defined time period. |
The organization conducting the inspection/assessment obtains and examines documentation or system configuration information to ensure the organization being inspected/assessed prevents the reuse of identifiers for 1 year for user identifiers (DoD is not going to specify value for device identifier).
DoD has defined the time period as 1 year for user identifiers (DoD is not going to specify value for device identifier). |
The organization being inspected/assessed implements a process for information system identifiers to prevent reuse of identifiers for 1 year for user identifiers (DoD is not going to specify value for device identifier).
DoD has defined the time period as 1 year for user identifiers (DoD is not going to specify value for device identifier). |
Identifier Management |
IA-4 |
IA-4.6 |
Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices. Related controls: AC-2, IA-2, IA-3, IA-5, IA-8, SC-37. |
The organization manages information system identifiers by:
a. Receiving authorization from [Assignment: organization-defined personnel] to assign an individual, group, role, or device identifier;
b. Selecting an identifier that identifies an individual, group, role, or device;
c. Assigning the identifier to the intended individual, group, role, or device;
d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and
e. Disabling the identifier after [Assignment: organization-defined time period of inactivity]. |
| CCI-001976 |
The information system dynamically manages identifiers. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to dynamically manage identifiers.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1976. |
The organization being inspected/assessed configures the information system to dynamically manage identifiers.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1976. |
Identifier Management | Dynamic Management |
IA-4 (5) |
IA-4(5).1 |
In contrast to conventional approaches to identification which presume static accounts for preregistered users, many distributed information systems including, for example, service-oriented architectures, rely on establishing identifiers at run time for entities that were previously unknown. In these situations, organizations anticipate and provision for the dynamic establishment of identifiers. Preestablished trust relationships and mechanisms with appropriate authorities to validate identities and related credentials are essential. Related control: AC-16. |
The information system dynamically manages identifiers. |
| CCI-001977 |
The organization defines the external organizations with which it will coordinate for cross-management of identifiers. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the external organizations as any external organization that shares cross-organizational identifiers. |
DoD has defined the external organizations as any external organization that shares cross-organizational identifiers. |
Identifier Management | Cross-Organization Management |
IA-4 (6) |
IA-4(6).1 |
Cross-organization identifier management provides the capability for organizations to appropriately identify individuals, groups, roles, or devices when conducting cross-organization activities involving the processing, storage, or transmission of information. |
The organization coordinates with [Assignment: organization-defined external organizations] for cross-organization management of identifiers. |
| CCI-001978 |
The organization coordinates with organization-defined external organizations for cross-organization management of identifiers. |
The organization conducting the inspection/assessment obtains and examines the documentation (e.g., Service Level Agreements (SLAs), Memorandum of Understanding (MOU), Memorandum of Agreement (MOA), contracts, etc.) to ensure the organization being inspected/assessed implements a process to coordinate with any external organization that shares cross-organizational identifiers.
DoD has defined the external organizations as any external organization that shares cross-organizational identifiers. |
The organization being inspected/assessed documents and implements a process to coordinate with any external organization that shares cross-organizational identifiers.
DoD has defined the external organizations as any external organization that shares cross-organizational identifiers. |
Identifier Management | Cross-Organization Management |
IA-4 (6) |
IA-4(6).2 |
Cross-organization identifier management provides the capability for organizations to appropriately identify individuals, groups, roles, or devices when conducting cross-organization activities involving the processing, storage, or transmission of information. |
The organization coordinates with [Assignment: organization-defined external organizations] for cross-organization management of identifiers. |
| CCI-001979 |
The organization requires the registration process to receive an individual identifier be conducted in person before a designated registration authority. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed requires the registration process to receive an individual identifier be conducted in person before a designated registration authority. |
The organization being inspected/assessed documents and implements a process to require the registration process to receive an individual identifier be conducted in person before a designated registration authority. |
Identifier Management | In-Person Registration |
IA-4 (7) |
IA-4(7).1 |
In-person registration reduces the likelihood of fraudulent identifiers being issued because it requires the physical presence of individuals and actual face-to-face interactions with designated registration authorities. |
The organization requires that the registration process to receive an individual identifier be conducted in person before a designated registration authority. |
| CCI-002040 |
The organization requires that the registration process to receive an individual identifier includes supervisor authorization. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed requires supervisor authorization to assign individual identifiers. |
The organization being inspected/assessed documents and implements a process that requires supervisor authorization to assign individual identifiers. |
Identifier Management | Supervisor Authorization |
IA-4 (2) |
IA-4(2).1 |
|
The organization requires that the registration process to receive an individual identifier includes supervisor authorization. |
| CCI-001980 |
The organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator. |
The organization conducting the inspection/assessment obtains and examines the documented procedures for the secure distribution of authenticators to ensure they have been defined and that they include a method to verify the identify of the individual, group, role, or device receiving the authenticator. |
The organization being inspected/assessed defines and documents procedures for the secure distribution of authenticators. The process shall include verification of the identify of the individual, group, role, or device receiving the authenticator. |
Authenticator Management |
IA-5 |
IA-5.1 |
Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. |
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes. |
| CCI-001981 |
The organization manages information system authenticators by establishing administrative procedures for initial authenticator distribution. |
The organization conducting the inspection/assessment obtains and examines the documented procedures for the secure distribution of authenticators to ensure they have been defined. |
The organization being inspected/assessed defines and documents procedures for the secure distribution of authenticators. |
Authenticator Management |
IA-5 |
IA-5.4 |
Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. |
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes. |
| CCI-001982 |
The organization manages information system authenticators by establishing administrative procedures for lost/compromised authenticators. |
The organization conducting the inspection/assessment obtains and examines the documented procedures for lost/compromised authenticators to ensure they have been defined. |
The organization being inspected/assessed defines and documents procedures for lost/compromised authenticators. |
Authenticator Management |
IA-5 |
IA-5.5 |
Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. |
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes. |
| CCI-001983 |
The organization manages information system authenticators by establishing administrative procedures for damaged authenticators. |
The organization conducting the inspection/assessment obtains and examines the documented procedures for the secure disposal of damaged authenticators to ensure they have been defined. |
The organization being inspected/assessed defines and documents procedures for the secure disposal of damaged authenticators. |
Authenticator Management |
IA-5 |
IA-5.6 |
Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. |
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes. |
| CCI-001984 |
The organization manages information system authenticators by establishing administrative procedures for revoking authenticators. |
The organization conducting the inspection/assessment obtains and examines the documented procedures for revoking authenticators to ensure the procedures are defined. |
The organization being inspected/assessed defines and documents procedures for revoking authenticators. |
Authenticator Management |
IA-5 |
IA-5.7 |
Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. |
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes. |
| CCI-001985 |
The organization manages information system authenticators by implementing administrative procedures for initial authenticator distribution. |
The organization conducting the inspection/assessment obtains and examines records of initial authenticator distribution and interviews individuals responsible for authenticator distribution to ensure that the organization being inspected/assessed implements the process as defined in IA-5, CCIs 1980 & 1981. |
The organization being inspected/assessed implements administrative procedures for initial authenticator distribution as documented in IA-5, CCIs 1980 & 1981. |
Authenticator Management |
IA-5 |
IA-5.8 |
Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. |
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes. |
| CCI-001986 |
The organization manages information system authenticators by implementing administrative procedures for lost/compromised authenticators. |
The organization conducting the inspection/assessment obtains and examines documented procedures for the response to lost/compromised authenticators to ensure that the organization being inspected/assessed implements the process as defined in IA-5, CCI 1982. |
The organization being inspected/assessed implements administrative procedures for the response to lost/compromised authenticators as documented in IA-5, CCI 1982. |
Authenticator Management |
IA-5 |
IA-5.9 |
Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. |
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes. |
| CCI-001987 |
The organization manages information system authenticators by implementing administrative procedures for damaged authenticators. |
The organization conducting the inspection/assessment obtains and examines documented procedures for the response to damaged authenticators to ensure that the organization being inspected/assessed implements the process as defined in IA-5, CCI 1983. |
The organization being inspected/assessed implements administrative procedures for the response to damaged authenticators as documented in IA-5, CCI 1983. |
Authenticator Management |
IA-5 |
IA-5.10 |
Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. |
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes. |
| CCI-001988 |
The organization manages information system authenticators by implementing administrative procedures for revoking authenticators. |
The organization conducting the inspection/assessment obtains and examines the documented requirements placed upon developers/installers of information system components to ensure that there is a documented requirement to provide unique authenticators or change default authenticators prior to delivery/installation. |
The organization being inspected/assessed documents and enforces a requirement for developers/installers of information system components to provide unique authenticators or change default authenticators prior to delivery/installation. |
Authenticator Management | Change Authenticators Prior To Delivery |
IA-5 (5) |
IA-5.11 |
This control enhancement extends the requirement for organizations to change default authenticators upon information system installation, by requiring developers and/or installers to provide unique authenticators or change default authenticators for system components prior to delivery and/or installation. However, it typically does not apply to the developers of commercial off-the-shelve information technology products. Requirements for unique authenticators can be included in acquisition documents prepared by organizations when procuring information systems or system components. |
The organization requires developers/installers of information system components to provide unique authenticators or change default authenticators prior to delivery/installation. |
| CCI-001989 |
The organization manages information system authenticators by changing default content of authenticators prior to information system installation. |
The organization conducting the inspection/assessment obtains and examines the documented procedures to change default authenticators to ensure the procedures are defined.
The organization conducting the inspection/assessment obtains and examines a sampling of authenticator age data for default accounts to ensure that default authenticators are changed prior to installation. |
The organization being inspected/assessed documents and implements a procedures to change default authenticators prior to information system installation. |
Authenticator Management |
IA-5 |
IA-5.12 |
Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. |
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes. |
| CCI-001990 |
The organization manages information system authenticators by changing authenticators for group/role accounts when membership to those accounts changes. |
The organization conducting the inspection/assessment obtains and examines the documented procedures for group/role authenticator change to ensure the procedures are defined and applied when membership to those accounts changes.
The organization conducting the inspection/assessment obtains and examines a sampling of authenticator age data and documentation of personnel role changes to ensure that group/role authenticators are changed when membership changes. |
The organization being inspected/assessed documents and implements procedures for changing authenticators for group/role accounts when membership to those accounts changes. |
Authenticator Management |
IA-5 |
IA-5.22 |
Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. |
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes. |
| CCI-001991 |
The information system, for PKI-based authentication, implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to locally cache revocation data (CRLs and/or OCSP responses) to support path discovery and validation in case of inability to access revocation information via the network.
The organization conducting the inspection/assessment examines the information system to ensure that revocation data is cached for all PKIs serving known or anticipated users of the information system.
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured a process for the information system to refresh cached revocation data prior to the data's expiration.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1991. |
The information system must be configured to locally cache revocation data to support path discovery and validation in case of inability to access revocation information via the network. The information system may meet this requirement by locally caching certificate revocation lists (CRLs), Online Certificate Status Protocol (OCSP) responses, or a combination thereof.
Cached revocation data must include revocation information from all PKIs serving known or anticipated users of the information system. Cached data must be refreshed with a frequency shorter than the life of the data (e.g. if a CRL is valid for 7 days, a new CRL must be retrieved and cached more frequently than every 7 days) to ensure that cached data is valid and not expired.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1991. |
Authenticator Management | PKI-Based Authentication |
IA-5 (2) |
IA-5(2).4 |
Status information for certification paths includes, for example, certificate revocation lists or certificate status protocol responses. For PIV cards, validation of certifications involves the construction and verification of a certification path to the Common Policy Root trust anchor including certificate policy processing. Related control: IA-6. |
The information system, for PKI-based authentication:
(a) Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;
(b) Enforces authorized access to the corresponding private key;
(c) Maps the authenticated identity to the account of the individual or group; and
(d) Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network. |
| CCI-001992 |
The organization defines the personnel or roles responsible for authorizing the organization^s registration authority accountable for the authenticator registration process. |
The DoD PKI RA–LRA CPS defines the nomination process for DoD PKI RAs. The NSS PKI DoD RPS defines the nomination process for NSS PKI RAs for DoD.
DoD Components are automatically compliant with this CCI because they are covered by the DoD PKI RA-LRA CPS and NSS PKI DoD RPS. |
The DoD PKI Registration Authority (RA) – Local Registration Authority (LRA) Certification Practice Statement (CPS) defines the nomination process for DoD PKI RAs. The NSS PKI DoD Registration Practice Statement (RPS) defines the nomination process for NSS PKI RAs for DoD.
DoD Components are automatically compliant with this CCI because they are covered by the DoD PKI RA-LRA CPS and NSS PKI DoD RPS. |
Authenticator Management | In-Person Or Trusted Third-Party Registration |
IA-5 (3) |
IA-5(3).1 |
|
The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted third party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles]. |
| CCI-001993 |
The organization defines the registration authority accountable for the authenticator registration process. |
The DoD PKI CP defines the role and responsibilities of a DoD PKI Registration Authority (RA). The NSS PKI CP defines the role and responsibilities of an NSS PKI RA.
DoD Components are automatically compliant with this CCI because they are covered by the DoD PKI CP and NSS PKI CP. |
The DoD PKI Certificate Policy (CP) defines the role and responsibilities of a DoD PKI Registration Authority (RA). The NSS PKI CP defines the role and responsibilities of an NSS PKI RA.
DoD Components are automatically compliant with this CCI because they are covered by the DoD PKI CP and NSS PKI CP. |
Authenticator Management | In-Person Or Trusted Third-Party Registration |
IA-5 (3) |
IA-5(3).2 |
|
The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted third party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles]. |
| CCI-001994 |
The organization defines the types of and/or specific authenticators that are subject to the authenticator registration process. |
The DoD PKI CP defines DoD PKI subscribers and the authentication requirements for issuance of credentials to subscribers. The NSS PKI CP defines NSS PKI subscribers and the authentication requirements for issuance of credentials to subscribers.
DoD Components are automatically compliant with this CCI because they are covered by the DoD PKI CP and NSS PKI CP. |
The DoD PKI Certificate Policy (CP) defines DoD PKI subscribers (entities identified as the subject of PKI certificates) and the authentication requirements for issuance of credentials to subscribers. The NSS PKI CP defines NSS PKI subscribers and the authentication requirements for issuance of credentials to subscribers.
DoD Components are automatically compliant with this CCI because they are covered by the DoD PKI CP and NSS PKI CP. |
Authenticator Management | In-Person Or Trusted Third-Party Registration |
IA-5 (3) |
IA-5(3).3 |
|
The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted third party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles]. |
| CCI-001995 |
The organization requires that the registration process, to receive organization-defined types of and/or specific authenticators, be conducted in person, or by a trusted third-party, before an organization-defined registration authority with authorization by organization-defined personnel or roles. |
The DoD PKI CP requires in-person authentication of DoD PKI applicants in accordance with each CMA's CPS prior to issuance of credentials. The NSS PKI CP requires in-person authentication of NSS PKI applicants by an RA or TA prior to issuance of credentials.
DoD Components are automatically compliant with this CCI because they are covered by the DoD PKI CP and NSS PKI CP. |
The DoD PKI Certificate Policy (CP) requires in-person authentication of DoD PKI applicants in accordance with each Certificate Management Authority's (CMA's) Certification Practice Statement (CPS) prior to issuance of credentials. The NSS PKI CP requires in-person authentication of NSS PKI applicants by a Registration Authority (RA) or Trusted Agent (TA) prior to issuance of credentials.
DoD Components are automatically compliant with this CCI because they are covered by the DoD PKI CP and NSS PKI CP. |
Authenticator Management | In-Person Or Trusted Third-Party Registration |
IA-5 (3) |
IA-5(3).4 |
|
The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted third party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles]. |
| CCI-001996 |
The organization defines the requirements required by the automated tools to determine if password authenticators are sufficiently strong. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the requirements as the complexity as identified in IA-5 (1) Part A. |
DoD has defined the requirements as the complexity as identified in IA-5 (1) Part A. |
Authenticator Management | Automated Support For Password Strength Determination |
IA-5 (4) |
IA-5(4).1 |
This control enhancement focuses on the creation of strong passwords and the characteristics of such passwords (e.g., complexity) prior to use, the enforcement of which is carried out by organizational information systems in IA-5 (1). Related controls: CA-2, CA-7, RA-5. |
The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements]. |
| CCI-001997 |
The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy organization-defined requirements. |
The organization conducting the inspection/assessment examines the automated tools and inspects the configuration of the automated tools to ensure that they are implemented to check password strength per the complexity requirements defined in IA-5 (1) Part A. |
The organization being inspected/assessed implements automated tools to check passwords strength per the complexity requirements defined in IA-5 (1) Part A. |
Authenticator Management | Automated Support For Password Strength Determination |
IA-5 (4) |
IA-5(4).2 |
This control enhancement focuses on the creation of strong passwords and the characteristics of such passwords (e.g., complexity) prior to use, the enforcement of which is carried out by organizational information systems in IA-5 (1). Related controls: CA-2, CA-7, RA-5. |
The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements]. |
| CCI-001998 |
The organization requires developers/installers of information system components to provide unique authenticators or change default authenticators prior to delivery/installation. |
The organization conducting the inspection/assessment obtains and examines documented procedures for revoking authenticators to ensure that the organization being inspected/assessed implements the process as defined in IA-5, CCI 1984. |
The organization being inspected/assessed implements administrative procedures for revoking authenticators as documented in IA-5, CCI 1984. |
Authenticator Management |
IA-5 |
IA-5(5).1 |
Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. |
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes. |
| CCI-001999 |
The organization defines the external organizations to be coordinated with for cross-organization management of credentials. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the external organizations as any external organization that shares cross-organizational identifiers. |
DoD has defined the external organizations as any external organization that shares cross-organizational identifiers. |
Authenticator Management | Cross-Organization Credential Management |
IA-5 (9) |
IA-5(9).2 |
Cross-organization management of credentials provides the capability for organizations to appropriately authenticate individuals, groups, roles, or devices when conducting cross-organization activities involving the processing, storage, or transmission of information. |
The organization coordinates with [Assignment: organization-defined external organizations] for cross-organization management of credentials. |
| CCI-002000 |
The organization coordinates with organization-defined external organizations for cross-organization management of credentials. |
The organization conducting the inspection/assessment obtains and examines the documented process and a sampling of coordination records to ensure the organization being inspected/assessed coordinates with external organizations defined in IA-5 (9), CCI 1999 for cross-organization management of credentials. |
The organization being inspected/assessed documents and implements a process to coordinate with external organizations defined in IA-5 (9), CCI 1999 for cross-organization management of credentials.
The organization maintains records of coordination. |
Authenticator Management | Cross-Organization Credential Management |
IA-5 (9) |
IA-5(9).1 |
Cross-organization management of credentials provides the capability for organizations to appropriately authenticate individuals, groups, roles, or devices when conducting cross-organization activities involving the processing, storage, or transmission of information. |
The organization coordinates with [Assignment: organization-defined external organizations] for cross-organization management of credentials. |
| CCI-002001 |
The information system dynamically provisions identities. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to dynamically provision identities.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2001. |
The organization being inspected/assessed configures the information system to dynamically provision identities.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2001. |
Authenticator Management | Dynamic Credential Association |
IA-5 (10) |
IA-5(10).1 |
Authentication requires some form of binding between an identity and the authenticator used to confirm the identity. In conventional approaches, this binding is established by pre-provisioning both the identity and the authenticator to the information system. For example, the binding between a username (i.e., identity) and a password (i.e., authenticator) is accomplished by provisioning the identity and authenticator as a pair in the information system. New authentication techniques allow the binding between the identity and the authenticator to be implemented outside an information system. For example, with smartcard credentials, the identity and the authenticator are bound together on the card. Using these credentials, information systems can authenticate identities that have not been pre-provisioned, dynamically provisioning the identity after authentication. In these situations, organizations can anticipate the dynamic provisioning of identities. Preestablished trust relationships and mechanisms with appropriate authorities to validate identities and related credentials are essential. |
The information system dynamically provisions identities. |
| CCI-002002 |
The organization defines the token quality requirements to be employed by the information system mechanisms for token-based authentication. |
DoDI 8520.03 defines types of authentication credentials that are acceptable for authentication to different systems based on the systems' information sensitivity levels and the users' access environments. The definitions for credential strengths D, E and H found in DoDI 8520.03 Enclosure 3, Section 3 specifically deal with acceptable types of hardware PKI credentials.
DoD Components are automatically compliant with this CCI because they are covered by the DoD-level policy, DoDI 8520.03. |
DoDI 8520.03 defines types of authentication credentials that are acceptable for authentication to different systems based on the systems' information sensitivity levels and the users' access environments. The definitions for credential strengths D, E and H found in DoDI 8520.03 Enclosure 3, Section 3 specifically deal with acceptable types of hardware PKI credentials.
DoD Components are automatically compliant with this CCI because they are covered by the DoD-level policy, DoDI 8520.03. |
Authenticator Management | Hardware Token-Based Authentication |
IA-5 (11) |
IA-5(11).1 |
Hardware token-based authentication typically refers to the use of PKI-based tokens, such as the U.S. Government Personal Identity Verification (PIV) card. Organizations define specific requirements for tokens, such as working with a particular PKI. |
The information system, for hardware token-based authentication, employs mechanisms that satisfy [Assignment: organization-defined token quality requirements]. |
| CCI-002003 |
The information system, for token-based authentication, employs mechanisms that satisfy organization-defined token quality requirements. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to accept only DoD-approved PKI credentials in accordance with (IAW) DoDI 8520.02 and DoDI 8520.03.
If the information system accepts DoD-approved external PKI credentials, the organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to accept only DoD-approved external PKI credentials that assert an approved Certificate Policy OID and reject credentials issued off of DoD-approved external PKIs that do not assert an approved OID. |
The information system performing hardware token-based authentication must be configured to accept only DoD-approved PKI credentials in accordance with DoDI 8520.02 and DoDI 8520.03. For unclassified systems, DoD-approved PKI credentials include DoD PKI credentials, External Certification Authority (ECA) PKI credentials, and DoD-approved external PKI credentials. For SIPRNet, DoD-approved PKI credentials include DoD PKI credentials and NSS PKI credentials.
If the information system accepts DoD-approved external PKI credentials, the information system must be configured to accept only certificates at approved assurance levels, as represented by the Certificate Policy Object Identifiers (OIDs) asserted in the certificate. The current list of DoD-approved external PKIs and acceptable Object Identifiers (OIDs) for each approved external PKI is available at http://iase.disa.mil/pki-pke/interoperability. |
Authenticator Management | Hardware Token-Based Authentication |
IA-5 (11) |
IA-5(11).2 |
Hardware token-based authentication typically refers to the use of PKI-based tokens, such as the U.S. Government Personal Identity Verification (PIV) card. Organizations define specific requirements for tokens, such as working with a particular PKI. |
The information system, for hardware token-based authentication, employs mechanisms that satisfy [Assignment: organization-defined token quality requirements]. |
| CCI-002004 |
The organization defines the biometric quality requirements to be employed by the information system mechanisms for biometric-based authentication. |
The organization conducting the inspection/assessment obtains and examines documented requirements to ensure they have been defined and include minimum requirements for accurate identification.
DoD has determined the biometric quality requirements are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents quality requirements to be employed by the information system mechanisms. Quality requirements shall include minimum requirements for accurate identification.
NIST has draft documentation for biometrics available at http://csrc.nist.gov/publications/PubsSPs.html.
DoD has determined the biometric quality requirements are not appropriate to define at the Enterprise level. |
Authenticator Management | Biometric Authentication |
IA-5 (12) |
IA-5(12).1 |
Unlike password-based authentication which provides exact matches of user-input passwords to stored passwords, biometric authentication does not provide such exact matches. Depending upon the type of biometric and the type of collection mechanism, there is likely to be some divergence from the presented biometric and stored biometric which serves as the basis of comparison. There will likely be both false positives and false negatives when making such comparisons. The rate at which the false accept and false reject rates are equal is known as the crossover rate. Biometric quality requirements include, for example, acceptable crossover rates, as that essentially reflects the accuracy of the biometric. |
The information system, for biometric-based authentication, employs mechanisms that satisfy [Assignment: organization-defined biometric quality requirements]. |
| CCI-002005 |
The information system, for biometric-based authentication, employs mechanisms that satisfy organization-defined biometric quality requirements. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to employ mechanisms that satisfy biometric quality requirements as defined in IA-5 (12), CCI 2004 for biometric-based authentication.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2005. |
The organization being inspected/assessed configures the information system to employ mechanisms that satisfy biometric quality requirements as defined in IA-5 (12), CCI 2004 for biometric-based authentication.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2005. |
Authenticator Management | Biometric Authentication |
IA-5 (12) |
IA-5(12).2 |
Unlike password-based authentication which provides exact matches of user-input passwords to stored passwords, biometric authentication does not provide such exact matches. Depending upon the type of biometric and the type of collection mechanism, there is likely to be some divergence from the presented biometric and stored biometric which serves as the basis of comparison. There will likely be both false positives and false negatives when making such comparisons. The rate at which the false accept and false reject rates are equal is known as the crossover rate. Biometric quality requirements include, for example, acceptable crossover rates, as that essentially reflects the accuracy of the biometric. |
The information system, for biometric-based authentication, employs mechanisms that satisfy [Assignment: organization-defined biometric quality requirements]. |
| CCI-002006 |
The organization defines the time period after which the use of cached authenticators is prohibited. |
The organization conducting the inspection/assessment obtains and examines the documented time period to ensure it has been defined.
DoD has determined the time period is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the time period after which the use of cached authenticators are prohibited.
DoD has determined the time period is not appropriate to define at the Enterprise level. |
Authenticator Management | Expiration Of Cached Authenticators |
IA-5 (13) |
IA-5(13).1 |
|
The information system prohibits the use of cached authenticators after [Assignment: organization-defined time period]. |
| CCI-002007 |
The information system prohibits the use of cached authenticators after an organization-defined time period. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prohibit the use of cached authenticators after an organization defined time period.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2007. |
The organization being inspected/assessed configures the information system to prohibit the use of cached authenticators after an organization defined time period.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2007. |
Authenticator Management | Expiration Of Cached Authenticators |
IA-5 (13) |
IA-5(13).2 |
|
The information system prohibits the use of cached authenticators after [Assignment: organization-defined time period]. |
| CCI-002008 |
The organization, for PKI-based authentication, employs a deliberate organization-wide methodology for managing the content of PKI trust stores installed across all platforms including networks, operating systems, browsers, and applications. |
DoD trust store management requirements are defined in information system components' applicable STIGs and SRGs. All information systems are required to undergo a STIG compliance review as part of their certification and accreditation process prior to being granted an authority to operate.
DoD Components are automatically compliant with this CCI because they are covered by the DoD-level STIGs and SRGs. |
DoD trust store management requirements are defined in information system components' applicable STIGs and SRGs. All information systems are required to undergo a STIG compliance review as part of their certification and accreditation process prior to being granted an authority to operate.
DoD Components are automatically compliant with this CCI because they are covered by the DoD-level STIGs and SRGs. |
Authenticator Management | Managing Content Of PKI Trust Stores |
IA-5 (14) |
IA-5(14).1 |
|
The organization, for PKI-based authentication, employs a deliberate organization-wide methodology for managing the content of PKI trust stores installed across all platforms including networks, operating systems, browsers, and applications. |
| CCI-002041 |
The information system allows the use of a temporary password for system logons with an immediate change to a permanent password. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to allow the use of a temporary password for system logons with an immediate change to a permanent password.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2041. |
The organization being inspected/assessed configures the information system to allow the use of a temporary password for system logons with an immediate change to a permanent password.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2041. |
Authenticator Management | Password-Based Authentication |
IA-5 (1) |
IA-5(1).20 |
This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. |
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
(c) Stores and transmits only cryptographically-protected passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. |
| CCI-002042 |
The organization manages information system authenticators by protecting authenticator content from unauthorized modification. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to manage information system authenticators by protecting authenticator content from unauthorized modification.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2042. |
The organization being inspected/assessed configures the information system to manage information system authenticators by protecting authenticator content from unauthorized modification.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2042. |
Authenticator Management |
IA-5 |
IA-5.18 |
Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. |
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes. |
| CCI-002043 |
The organization uses only FICAM-approved path discovery and validation products and services. |
The organization conducting the inspection/assessment obtains and examines the list of path discovery and validation products and services in use to ensure the organization being inspected/assessed uses only FICAM-approved path discovery and validation products and services. |
The organization being inspected/assessed uses only Federal Identity,
Credential, and Access Management (FICAM)-approved path discovery and validation products and services.
FICAM Guidance is available at http://www.idmanagement.gov. |
Authenticator Management | FICAM-Approved Products And Services |
IA-5 (15) |
IA-5(15).1 |
Federal Identity, Credential, and Access Management (FICAM)-approved path discovery and validation products and services are those products and services that have been approved through the FICAM conformance program, where applicable. |
The organization uses only FICAM-approved path discovery and validation products and services. |
| CCI-002365 |
The organization manages information system authenticators by requiring individuals to take specific security safeguards to protect authenticators. |
The organization conducting the inspection/assessment obtains and examines the user agreements of the organization being inspected/assessed to ensure that there are requirements for individuals to safeguard authenticators. |
The organization being inspected/assessed documents within user agreements that individuals shall safeguard authenticators. |
Authenticator Management |
IA-5 |
IA-5.20 |
Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. |
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes. |
| CCI-002366 |
The organization manages information system authenticators by having devices implement specific security safeguards to protect authenticators. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to manage information system authenticators by having devices implement, specific security safeguards to protect authenticators.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2366. |
The organization being inspected/assessed configures the information system to manage information system authenticators by having devices implement, specific security safeguards to protect authenticators.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2366. |
Authenticator Management |
IA-5 |
IA-5.21 |
Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. |
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes. |
| CCI-002367 |
The organization ensures unencrypted static authenticators are not embedded in applications. |
The organization conducting the inspection/assessment obtains and examines the requirements that static authenticators are not embedded in applications to ensure the organization being inspected/assessed ensures unencrypted static authenticators are not embedded in applications. |
The organization being inspected/assessed documents and implements requirements that static authenticators are not embedded in applications. |
Authenticator Management | No Embedded Unencrypted Static Authenticators |
IA-5 (7) |
IA-5(7).3 |
Organizations exercise caution in determining whether embedded or stored authenticators are in encrypted or unencrypted form. If authenticators are used in the manner stored, then those representations are considered unencrypted authenticators. This is irrespective of whether that representation is perhaps an encrypted version of something else (e.g., a password). |
The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys. |
| CCI-002009 |
The information system accepts Personal Identity Verification (PIV) credentials from other federal agencies. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to accept DoD-approved external PKI PIV credentials in accordance with DoDI 8520.02 and DoDI 8520.03.
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to accept only DoD-approved external PKI PIV credentials that assert an approved Certificate Policy OID and reject credentials issued off of DoD-approved external PKIs that do not assert an approved OID.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2009. |
The information system performing hardware token-based authentication must be configured to accept DoD-approved external PKI PIV credentials to authenticate federal agency users in accordance with DoDI 8520.02 and DoDI 8520.03. The information system must be configured to accept only certificates at approved assurance levels, as represented by the Certificate Policy Object Identifiers (OIDs) asserted in the certificate. The current list of DoD-approved external PKIs and acceptable Object Identifiers (OIDs) for each approved external PKI is available at http://iase.disa.mil/pki-pke/interoperability.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2009. |
Identification And Authentication | Acceptance Of Piv Credentials From Other Agencies |
IA-8 (1) |
IA-8(1).1 |
This control enhancement applies to logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials. Related controls: AU-2, PE-3, SA-4. |
The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies. |
| CCI-002010 |
The information system electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to validate DoD-approved external PKI PIV credentials in accordance with RFC 5280.
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to perform a revocation check as part of the certificate validation process.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2010. |
The information system performing hardware token-based authentication must be configured to validate DoD-approved external PKI PIV credentials to authenticate federal agency users in accordance with RFC 5280.
The information system must be configured to perform a revocation check as part of the certificate validation process. Revocation checking may be performed using certificate revocation lists (CRLs) published by the issuing PKI or Online Certificate Status Protocol (OCSP) services.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2010. |
Identification And Authentication | Acceptance Of Piv Credentials From Other Agencies |
IA-8 (1) |
IA-8(1).2 |
This control enhancement applies to logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials. Related controls: AU-2, PE-3, SA-4. |
The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies. |
| CCI-002011 |
The information system accepts FICAM-approved third-party credentials. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to accept FICAM-approved third-party credentials
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2011. |
The organization being inspected/assessed configures the information system to accept Federal Identity, Credential, and Access Management (FICAM)-approved third-party credentials.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2011.
FICAM Guidance is available at http://www.idmanagement.gov. |
Identification And Authentication | Acceptance Of Third-Party Credentials |
IA-8 (2) |
IA-8(2).1 |
This control enhancement typically applies to organizational information systems that are accessible to the general public, for example, public-facing websites. Third-party credentials are those credentials issued by nonfederal government entities approved by the Federal Identity, Credential, and Access Management (FICAM) Trust Framework Solutions initiative. Approved third-party credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. This allows federal government relying parties to trust such credentials at their approved assurance levels. Related control: AU-2. |
The information system accepts only FICAM-approved third-party credentials. |
| CCI-002012 |
The organization defines the information systems which will employ only FICAM-approved information system components. |
The organization conducting the inspection/assessment obtains and examines the documented information systems to ensure they have been defined.
DoD has determined the information systems are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information systems which will employ only Federal Identity, Credential, and Access Management (FICAM)-approved information system components.
DoD has determined the information systems are not appropriate to define at the Enterprise level. |
Identification And Authentication | Use Of FICAM-Approved Products |
IA-8 (3) |
IA-8(3).1 |
This control enhancement typically applies to information systems that are accessible to the general public, for example, public-facing websites. FICAM-approved information system components include, for example, information technology products and software libraries that have been approved by the Federal Identity, Credential, and Access Management conformance program. Related control: SA-4. |
The organization employs only FICAM-approved information system components in [Assignment: organization-defined information systems] to accept third-party credentials. |
| CCI-002013 |
The organization employs only FICAM-approved information system components in organization-defined information systems to accept third-party credentials. |
The organization conducting the inspection/assessment obtains and examines the list of information system components in use to ensure the organization being inspected/assessed uses only FICAM-approved components in information systems defined in IA-8 (3), CCI 2012. |
The organization being inspected/assessed employs only Federal Identity,
Credential, and Access Management (FICAM)-approved information system components to accept third-party credentials in information systems defined in IA-8 (3), CCI 2012.
FICAM Guidance is available at http://www.idmanagement.gov. |
Identification And Authentication | Use Of FICAM-Approved Products |
IA-8 (3) |
IA-8(3).2 |
This control enhancement typically applies to information systems that are accessible to the general public, for example, public-facing websites. FICAM-approved information system components include, for example, information technology products and software libraries that have been approved by the Federal Identity, Credential, and Access Management conformance program. Related control: SA-4. |
The organization employs only FICAM-approved information system components in [Assignment: organization-defined information systems] to accept third-party credentials. |
| CCI-002014 |
The information system conforms to FICAM-issued profiles. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to conform to FICAM-issued profiles.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2014. |
The organization being inspected/assessed configures the information system to conform to Federal Identity, Credential, and Access Management (FICAM)-issued profiles.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2014.
FICAM Guidance is available at http://www.idmanagement.gov. |
Identification And Authentication | Use Of FICAM-Issued Profiles |
IA-8 (4) |
IA-8(4).1 |
This control enhancement addresses open identity management standards. To ensure that these standards are viable, robust, reliable, sustainable (e.g., available in commercial information technology products), and interoperable as documented, the United States Government assesses and scopes identity management standards and technology implementations against applicable federal legislation, directives, policies, and requirements. The result is FICAM-issued implementation profiles of approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute Exchange). Related control: SA-4. |
The information system conforms to FICAM-issued profiles. |
| CCI-002015 |
The information system accepts Personal Identity Verification-I (PIV-I) credentials. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to accept DoD-approved external PKI PIV-I credentials in accordance with DoDI 8520.02, DoDI 8520.03, and DoD CIO Memorandum “Department of Defense Requirements for Accepting Non-Federally Issued Identity Credentials” dated 24 January 2013.
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to accept only DoD-approved external PKI PIV-I credentials that assert an approved Certificate Policy OID and reject credentials issued off of DoD-approved external PKIs that do not assert an approved OID.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2015. |
The information system performing hardware token-based authentication must be configured to accept DoD-approved external PKI PIV-I credentials in accordance with DoDI 8520.02, DoDI 8520.03, and DoD CIO Memorandum “Department of Defense Requirements for Accepting Non-Federally Issued Identity Credentials” dated 24 January 2013. The information system must be configured to accept only certificates at approved assurance levels, as represented by the Certificate Policy Object Identifiers (OIDs) asserted in the certificate. The current list of DoD-approved external PKIs and acceptable Object Identifiers (OIDs) for each approved external PKI is available at http://iase.disa.mil/pki-pke/interoperability.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2015. |
Identification And Authentication | Acceptance Of Piv-I Credentials |
IA-8 (5) |
IA-8(5).1 |
This control enhancement: (i) applies to logical and physical access control systems; and (ii) addresses Non-Federal Issuers (NFIs) of identity cards that desire to interoperate with United States Government Personal Identity Verification (PIV) information systems and that can be trusted by federal government-relying parties. The X.509 certificate policy for the Federal Bridge Certification Authority (FBCA) addresses PIV-I requirements. The PIV-I card is suitable for Assurance Level 4 as defined in OMB Memorandum 04-04 and NIST Special Publication 800-63, and multifactor authentication as defined in NIST Special Publication 800-116. PIV-I credentials are those credentials issued by a PIV-I provider whose PIV-I certificate policy maps to the Federal Bridge PIV-I Certificate Policy. A PIV-I provider is cross-certified (directly or through another PKI bridge) with the FBCA with policies that have been mapped and approved as meeting the requirements of the PIV-I policies defined in the FBCA certificate policy. Related control: AU-2. |
The information system accepts and electronically verifies Personal Identity Verification-I (PIV-I) credentials. |
| CCI-002016 |
The information system electronically verifies Personal Identity Verification-I (PIV-I) credentials. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to validate DoD-approved external PKI PIV-I credentials in accordance with RFC 5280.
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to perform a revocation check as part of the certificate validation process.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2016. |
The information system performing hardware token-based authentication must be configured to validate DoD-approved external PKI PIV-I credentials in accordance with RFC 5280.
The information system must be configured to perform a revocation check as part of the certificate validation process. Revocation checking may be performed using certificate revocation lists (CRLs) published by the issuing PKI or Online Certificate Status Protocol (OCSP) services.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2016. |
Identification And Authentication | Acceptance Of Piv-I Credentials |
IA-8 (5) |
IA-8(5).2 |
This control enhancement: (i) applies to logical and physical access control systems; and (ii) addresses Non-Federal Issuers (NFIs) of identity cards that desire to interoperate with United States Government Personal Identity Verification (PIV) information systems and that can be trusted by federal government-relying parties. The X.509 certificate policy for the Federal Bridge Certification Authority (FBCA) addresses PIV-I requirements. The PIV-I card is suitable for Assurance Level 4 as defined in OMB Memorandum 04-04 and NIST Special Publication 800-63, and multifactor authentication as defined in NIST Special Publication 800-116. PIV-I credentials are those credentials issued by a PIV-I provider whose PIV-I certificate policy maps to the Federal Bridge PIV-I Certificate Policy. A PIV-I provider is cross-certified (directly or through another PKI bridge) with the FBCA with policies that have been mapped and approved as meeting the requirements of the PIV-I policies defined in the FBCA certificate policy. Related control: AU-2. |
The information system accepts and electronically verifies Personal Identity Verification-I (PIV-I) credentials. |
| CCI-002017 |
The organization defines the information system services requiring identification. |
The organization conducting the inspection/assessment obtains and examines the documented information system services to ensure they have been defined.
DoD has determined the information system services are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information system services requiring identification.
DoD has determined the information system services are not appropriate to define at the Enterprise level. |
Service Identification And Authentication |
IA-9 |
IA-9.1 |
This control supports service-oriented architectures and other distributed architectural approaches requiring the identification and authentication of information system services. In such architectures, external services often appear dynamically. Therefore, information systems should be able to determine in a dynamic manner, if external providers and associated services are authentic. Safeguards implemented by organizational information systems to validate provider and service authenticity include, for example, information or code signing, provenance graphs, and/or electronic signatures indicating or including the sources of services. |
The organization identifies and authenticates [Assignment: organization-defined information system services] using [Assignment: organization-defined security safeguards]. |
| CCI-002018 |
The organization defines the information system services requiring authentication. |
The organization conducting the inspection/assessment obtains and examines the documented information system services to ensure they have been defined.
DoD has determined the information system services are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information system services requiring authentication.
DoD has determined the information system services are not appropriate to define at the Enterprise level. |
Service Identification And Authentication |
IA-9 |
IA-9.2 |
This control supports service-oriented architectures and other distributed architectural approaches requiring the identification and authentication of information system services. In such architectures, external services often appear dynamically. Therefore, information systems should be able to determine in a dynamic manner, if external providers and associated services are authentic. Safeguards implemented by organizational information systems to validate provider and service authenticity include, for example, information or code signing, provenance graphs, and/or electronic signatures indicating or including the sources of services. |
The organization identifies and authenticates [Assignment: organization-defined information system services] using [Assignment: organization-defined security safeguards]. |
| CCI-002019 |
The organization defines the security safeguards to be used when identifying information system services. |
The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure they have been defined and offers sufficient security.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security safeguards to be used when identifying information system services.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
Service Identification And Authentication |
IA-9 |
IA-9.3 |
This control supports service-oriented architectures and other distributed architectural approaches requiring the identification and authentication of information system services. In such architectures, external services often appear dynamically. Therefore, information systems should be able to determine in a dynamic manner, if external providers and associated services are authentic. Safeguards implemented by organizational information systems to validate provider and service authenticity include, for example, information or code signing, provenance graphs, and/or electronic signatures indicating or including the sources of services. |
The organization identifies and authenticates [Assignment: organization-defined information system services] using [Assignment: organization-defined security safeguards]. |
| CCI-002020 |
The organization defines the security safeguards to be used when authenticating information system services. |
The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure they have been defined and offers sufficient security.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security safeguards to be used when authenticating information system services.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
Service Identification And Authentication |
IA-9 |
IA-9.4 |
This control supports service-oriented architectures and other distributed architectural approaches requiring the identification and authentication of information system services. In such architectures, external services often appear dynamically. Therefore, information systems should be able to determine in a dynamic manner, if external providers and associated services are authentic. Safeguards implemented by organizational information systems to validate provider and service authenticity include, for example, information or code signing, provenance graphs, and/or electronic signatures indicating or including the sources of services. |
The organization identifies and authenticates [Assignment: organization-defined information system services] using [Assignment: organization-defined security safeguards]. |
| CCI-002021 |
The organization identifies organization-defined information system services using organization-defined security safeguards. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed identifies information system services defined in IA-9, CCIs 2017 & 2018 using security safeguards defined in IA-9, CCIs 2019-2020. |
The organization being inspected/assessed documents and implements a process to identify information system services defined in IA-9, CCIs 2017 & 2018 using security safeguards defined in IA-9, CCIs 2019-2020. |
Service Identification And Authentication |
IA-9 |
IA-9.5 |
This control supports service-oriented architectures and other distributed architectural approaches requiring the identification and authentication of information system services. In such architectures, external services often appear dynamically. Therefore, information systems should be able to determine in a dynamic manner, if external providers and associated services are authentic. Safeguards implemented by organizational information systems to validate provider and service authenticity include, for example, information or code signing, provenance graphs, and/or electronic signatures indicating or including the sources of services. |
The organization identifies and authenticates [Assignment: organization-defined information system services] using [Assignment: organization-defined security safeguards]. |
| CCI-002022 |
The organization authenticates organization-defined information system services using organization-defined security safeguards. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed authenticates information system services defined in IA-9, CCIs 2017 & 2018 using security safeguards defined in IA-9, CCIs 2019-2020. |
The organization being inspected/assessed documents and implements a process to authenticate information system services defined in IA-9, CCIs 2017 & 2018 using security safeguards defined in IA-9, CCIs 2019-2020. |
Service Identification And Authentication |
IA-9 |
IA-9.6 |
This control supports service-oriented architectures and other distributed architectural approaches requiring the identification and authentication of information system services. In such architectures, external services often appear dynamically. Therefore, information systems should be able to determine in a dynamic manner, if external providers and associated services are authentic. Safeguards implemented by organizational information systems to validate provider and service authenticity include, for example, information or code signing, provenance graphs, and/or electronic signatures indicating or including the sources of services. |
The organization identifies and authenticates [Assignment: organization-defined information system services] using [Assignment: organization-defined security safeguards]. |
| CCI-002023 |
The organization ensures that service providers receive identification information. |
The organization conducting the inspection/assessment reviews the process to ensure that service providers receive identification information to ensure the process is effectively implemented. |
The organization being inspected/assessed implements a process to ensure that service providers receive identification information. |
Service Identification And Authentication | Information Exchange |
IA-9 (1) |
IA-9(1).1 |
|
The organization ensures that service providers receive, validate, and transmit identification and authentication information. |
| CCI-002024 |
The organization ensures that service providers validate identification information. |
The organization conducting the inspection/assessment reviews the process to ensure that service providers validate identification information to ensure the process is effectively implemented. |
The organization being inspected/assessed implements a process to ensure that service providers validate identification information. |
Service Identification And Authentication | Information Exchange |
IA-9 (1) |
IA-9(1).2 |
|
The organization ensures that service providers receive, validate, and transmit identification and authentication information. |
| CCI-002025 |
The organization ensures that service providers transmit identification information. |
The organization conducting the inspection/assessment reviews the process to ensure that service providers transmit identification information to ensure the process is effectively implemented. |
The organization being inspected/assessed implements a process to ensure that service providers transmit identification information. |
Service Identification And Authentication | Information Exchange |
IA-9 (1) |
IA-9(1).3 |
|
The organization ensures that service providers receive, validate, and transmit identification and authentication information. |
| CCI-002026 |
The organization ensures that service providers receive authentication information. |
The organization conducting the inspection/assessment reviews the process to ensure that service providers receive authentication information to ensure the process is effectively implemented. |
The organization being inspected/assessed implements a process to ensure that service providers receive authentication information. |
Service Identification And Authentication | Information Exchange |
IA-9 (1) |
IA-9(1).4 |
|
The organization ensures that service providers receive, validate, and transmit identification and authentication information. |
| CCI-002027 |
The organization ensures that service providers validate authentication information. |
The organization conducting the inspection/assessment reviews the process to ensure that service providers validate authentication information to ensure the process is effectively implemented. |
The organization being inspected/assessed implements a process to ensure that service providers validate authentication information. |
Service Identification And Authentication | Information Exchange |
IA-9 (1) |
IA-9(1).5 |
|
The organization ensures that service providers receive, validate, and transmit identification and authentication information. |
| CCI-002028 |
The organization ensures that service providers transmit authentication information. |
The organization conducting the inspection/assessment reviews the process to ensure that service providers transmit authentication information to ensure the process is effectively implemented. |
The organization being inspected/assessed implements a process to ensure that service providers transmit authentication information. |
Service Identification And Authentication | Information Exchange |
IA-9 (1) |
IA-9(1).6 |
|
The organization ensures that service providers receive, validate, and transmit identification and authentication information. |
| CCI-002029 |
The organization defines the services between which identification decisions are to be transmitted. |
The organization conducting the inspection/assessment obtains and examines the documented services to ensure they have been defined.
DoD has determined the services are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the services between which identification decisions are to be transmitted.
DoD has determined the services are not appropriate to define at the Enterprise level. |
Service Identification And Authentication | Transmission Of Decisions |
IA-9 (2) |
IA-9(2).1 |
For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of identification and authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide the identification and authentication decisions (as opposed to the actual identifiers and authenticators) to the services that need to act on those decisions. Related control: SC-8. |
The organization ensures that identification and authentication decisions are transmitted between [Assignment: organization-defined services] consistent with organizational policies. |
| CCI-002030 |
The organization defines the services between which authentication decisions are to be transmitted. |
The organization conducting the inspection/assessment obtains and examines the documented services to ensure they have been defined.
DoD has determined the services are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the services between which authentication decisions are to be transmitted.
DoD has determined the services are not appropriate to define at the Enterprise level. |
Service Identification And Authentication | Transmission Of Decisions |
IA-9 (2) |
IA-9(2).2 |
For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of identification and authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide the identification and authentication decisions (as opposed to the actual identifiers and authenticators) to the services that need to act on those decisions. Related control: SC-8. |
The organization ensures that identification and authentication decisions are transmitted between [Assignment: organization-defined services] consistent with organizational policies. |
| CCI-002031 |
The organization ensures that identification decisions are transmitted between organization-defined services consistent with organizational policies. |
The organization conducting the inspection/assessment reviews the process to ensure the organization being inspected/assessed implements policies for transmitting identification decisions between services defined in IA-9 (2), CCI 2029. |
The organization being inspected/assessed implements a process to ensure that identification decisions are transmitted between services defined in IA-9 (2), CCI 2029 consistent with organizational policies. |
Service Identification And Authentication | Transmission Of Decisions |
IA-9 (2) |
IA-9(2).3 |
For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of identification and authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide the identification and authentication decisions (as opposed to the actual identifiers and authenticators) to the services that need to act on those decisions. Related control: SC-8. |
The organization ensures that identification and authentication decisions are transmitted between [Assignment: organization-defined services] consistent with organizational policies. |
| CCI-002032 |
The organization ensures that authentication decisions are transmitted between organization-defined services consistent with organizational policies. |
The organization conducting the inspection/assessment reviews the process to ensure the organization being inspected/assessed implements policies for transmitting authentication decisions between services defined in IA-9 (2), CCI 2030. |
The organization being inspected/assessed implements a process to ensure that authentication decisions are transmitted between services defined in IA-9 (2), CCI 2030 consistent with organizational policies. |
Service Identification And Authentication | Transmission Of Decisions |
IA-9 (2) |
IA-9(2).4 |
For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of identification and authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide the identification and authentication decisions (as opposed to the actual identifiers and authenticators) to the services that need to act on those decisions. Related control: SC-8. |
The organization ensures that identification and authentication decisions are transmitted between [Assignment: organization-defined services] consistent with organizational policies. |
| CCI-002033 |
The organization defines the specific circumstances or situations when individuals accessing an information system employ organization-defined supplemental authentication techniques or mechanisms. |
The organization conducting the inspection/assessment obtains and examines the documented circumstances or situations to ensure they have been defined.
DoD has determined the circumstances or situations are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the specific circumstances or situations when individuals accessing an information system employ organization-defined supplemental authentication techniques or mechanisms.
DoD has determined the circumstances or situations are not appropriate to define at the Enterprise level. |
Adaptive Identification And Authentication |
IA-10 |
IA-10.1 |
Adversaries may compromise individual authentication mechanisms and subsequently attempt to impersonate legitimate users. This situation can potentially occur with any authentication mechanisms employed by organizations. To address this threat, organizations may employ specific techniques/mechanisms and establish protocols to assess suspicious behavior (e.g., individuals accessing information that they do not typically access as part of their normal duties, roles, or responsibilities, accessing greater quantities of information than the individuals would routinely access, or attempting to access information from suspicious network addresses). In these situations when certain preestablished conditions or triggers occur, organizations can require selected individuals to provide additional authentication information. Another potential use for adaptive identification and authentication is to increase the strength of mechanism based on the number and/or types of records being accessed. Related controls: AU-6, SI-4. |
The organization requires that individuals accessing the information system employ [Assignment: organization-defined supplemental authentication techniques or mechanisms] under specific [Assignment: organization-defined circumstances or situations]. |
| CCI-002034 |
The organization defines the supplemental authentication techniques or mechanisms to be employed in specific organization-defined circumstances or situations by individuals accessing the information system. |
The organization conducting the inspection/assessment obtains and examines the documented supplemental authentication techniques or mechanisms to ensure they have been defined.
DoD has determined the supplemental authentication techniques or mechanisms are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the supplemental authentication techniques or mechanisms to be employed in specific organization-defined circumstances or situations by individuals accessing the information system.
DoD has determined the supplemental authentication techniques or mechanisms are not appropriate to define at the Enterprise level. |
Adaptive Identification And Authentication |
IA-10 |
IA-10.2 |
Adversaries may compromise individual authentication mechanisms and subsequently attempt to impersonate legitimate users. This situation can potentially occur with any authentication mechanisms employed by organizations. To address this threat, organizations may employ specific techniques/mechanisms and establish protocols to assess suspicious behavior (e.g., individuals accessing information that they do not typically access as part of their normal duties, roles, or responsibilities, accessing greater quantities of information than the individuals would routinely access, or attempting to access information from suspicious network addresses). In these situations when certain preestablished conditions or triggers occur, organizations can require selected individuals to provide additional authentication information. Another potential use for adaptive identification and authentication is to increase the strength of mechanism based on the number and/or types of records being accessed. Related controls: AU-6, SI-4. |
The organization requires that individuals accessing the information system employ [Assignment: organization-defined supplemental authentication techniques or mechanisms] under specific [Assignment: organization-defined circumstances or situations]. |
| CCI-002035 |
The organization requires that individuals accessing the information system employ organization-defined supplemental authentication techniques or mechanisms under specific organization-defined circumstances or situations. |
The organization conducting the inspection/assessment reviews the process to ensure the organization being inspected/assessed requires that individuals accessing the information system employ supplemental authentication techniques or mechanisms defined in IA-10, CCI 2034 under specific circumstances or situations defined in IA-10, CCI 2033. |
The organization being inspected/assessed implements a process to require that individuals accessing the information system employ supplemental authentication techniques or mechanisms defined in IA-10, CCI 2034 under specific circumstances or situations defined in IA-10, CCI 2033. |
Adaptive Identification And Authentication |
IA-10 |
IA-10.3 |
Adversaries may compromise individual authentication mechanisms and subsequently attempt to impersonate legitimate users. This situation can potentially occur with any authentication mechanisms employed by organizations. To address this threat, organizations may employ specific techniques/mechanisms and establish protocols to assess suspicious behavior (e.g., individuals accessing information that they do not typically access as part of their normal duties, roles, or responsibilities, accessing greater quantities of information than the individuals would routinely access, or attempting to access information from suspicious network addresses). In these situations when certain preestablished conditions or triggers occur, organizations can require selected individuals to provide additional authentication information. Another potential use for adaptive identification and authentication is to increase the strength of mechanism based on the number and/or types of records being accessed. Related controls: AU-6, SI-4. |
The organization requires that individuals accessing the information system employ [Assignment: organization-defined supplemental authentication techniques or mechanisms] under specific [Assignment: organization-defined circumstances or situations]. |
| CCI-002036 |
The organization defines the circumstances or situations under which users will be required to reauthenticate. |
The organization conducting the inspection/assessment obtains and examines the documented circumstances or situations to ensure they have been defined.
DoD has determined the circumstances or situations are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the circumstances or situations when users will be required to reauthenticate.
DoD has determined the circumstances or situations are not appropriate to define at the Enterprise level. |
Re-Authentication |
IA-11 |
IA-11.1 |
In addition to the re-authentication requirements associated with session locks, organizations may require re-authentication of individuals and/or devices in other situations including, for example: (i) when authenticators change; (ii), when roles change; (iii) when security categories of information systems change; (iv), when the execution of privileged functions occurs; (v) after a fixed period of time; or (vi) periodically. Related control: AC-11. |
The organization requires users and devices to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication]. |
| CCI-002037 |
The organization defines the circumstances or situations under which devices will be required to reauthenticate. |
The organization conducting the inspection/assessment obtains and examines the documented circumstances or situations to ensure they have been defined.
DoD has determined the circumstances or situations are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the circumstances or situations when devices will be required to reauthenticate.
DoD has determined the circumstances or situations are not appropriate to define at the Enterprise level. |
Re-Authentication |
IA-11 |
IA-11.2 |
In addition to the re-authentication requirements associated with session locks, organizations may require re-authentication of individuals and/or devices in other situations including, for example: (i) when authenticators change; (ii), when roles change; (iii) when security categories of information systems change; (iv), when the execution of privileged functions occurs; (v) after a fixed period of time; or (vi) periodically. Related control: AC-11. |
The organization requires users and devices to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication]. |
| CCI-002038 |
The organization requires users to reauthenticate upon organization-defined circumstances or situations requiring reauthentication. |
The organization conducting the inspection/assessment reviews the process to ensure the organization being inspected/assessed requires users to reauthenticate when circumstances or situations requiring reauthentication as defined in IA-11, CCI 2036. |
The organization being inspected/assessed implements a process to require users to reauthenticate when circumstances or situations requiring reauthentication as defined in IA-11, CCI 2036. |
Re-Authentication |
IA-11 |
IA-11.3 |
In addition to the re-authentication requirements associated with session locks, organizations may require re-authentication of individuals and/or devices in other situations including, for example: (i) when authenticators change; (ii), when roles change; (iii) when security categories of information systems change; (iv), when the execution of privileged functions occurs; (v) after a fixed period of time; or (vi) periodically. Related control: AC-11. |
The organization requires users and devices to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication]. |
| CCI-002039 |
The organization requires devices to reauthenticate upon organization-defined circumstances or situations requiring reauthentication. |
The organization conducting the inspection/assessment reviews the process to ensure the organization being inspected/assessed requires devices to reauthenticate when circumstances or situations requiring reauthentication as defined in IA-11, CCI 2037. |
The organization being inspected/assessed implements a process to require devices to reauthenticate when circumstances or situations requiring reauthentication as defined in IA-11, CCI 2037. |
Re-Authentication |
IA-11 |
IA-11.4 |
In addition to the re-authentication requirements associated with session locks, organizations may require re-authentication of individuals and/or devices in other situations including, for example: (i) when authenticators change; (ii), when roles change; (iii) when security categories of information systems change; (iv), when the execution of privileged functions occurs; (v) after a fixed period of time; or (vi) periodically. Related control: AC-11. |
The organization requires users and devices to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication]. |
| CCI-002776 |
The organization defines the personnel or roles to whom the incident response policy is disseminated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the roles as all personnel identified as stakeholders in the incident response process, as well as the ISSM and ISSO. |
DoD has defined the roles as all personnel identified as stakeholders in the incident response process, as well as the ISSM and ISSO. |
Incident Response Policy And Procedures |
IR-1 |
IR-1.1 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
b. Reviews and updates the current:
1. Incident response policy [Assignment: organization-defined frequency]; and
2. Incident response procedures [Assignment: organization-defined frequency]. |
| CCI-002777 |
The organization defines the personnel or roles to whom the incident response procedures are disseminated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the roles as all personnel identified as stakeholders in the incident response process, as well as the ISSM and ISSO. |
DoD has defined the roles as all personnel identified as stakeholders in the incident response process, as well as the ISSM and ISSO. |
Incident Response Policy And Procedures |
IR-1 |
IR-1.2 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
b. Reviews and updates the current:
1. Incident response policy [Assignment: organization-defined frequency]; and
2. Incident response procedures [Assignment: organization-defined frequency]. |
| CCI-002778 |
The organization defines the time period in which information system users who assume an incident response role or responsibility receive incident response training. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as 30 working days. |
DoD has defined the time period as 30 working days. |
Incident Response Training |
IR-2 |
IR-2.2 |
Incident response training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the information system; system administrators may require additional training on how to handle/remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification and reporting of suspicious activities, both from external and internal sources. Related controls: AT-3, CP-3, IR-8. |
The organization provides incident response training to information system users consistent with assigned roles and responsibilities:
a. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter. |
| CCI-002779 |
The organization provides incident response training to information system users consistent with assigned roles and responsibilities when required by information system changes. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as training records for a sampling of information system users to ensure the organization being inspected/assessed provides incident response training to information system users, other than general users, consistent with assigned roles and responsibilities when required by information system changes.
For general users, DoD components are automatically compliant with the requirement based on DoDD 8570.01 requirements for IA awareness training. |
The organization being inspected/assessed documents and implements a process to provide incident response training to information system users, other than general users, consistent with assigned roles and responsibilities when required by information system changes.
For general users, DoD components are automatically compliant with the requirement based on DoDD 8570.01 requirements for IA awareness training.
The organization must maintain a record of training. |
Incident Response Training |
IR-2 |
IR-2.5 |
Incident response training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the information system; system administrators may require additional training on how to handle/remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification and reporting of suspicious activities, both from external and internal sources. Related controls: AT-3, CP-3, IR-8. |
The organization provides incident response training to information system users consistent with assigned roles and responsibilities:
a. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter. |
| CCI-002780 |
The organization coordinates incident response testing with organizational elements responsible for related plans. |
The organization conducting the inspection/assessment obtains and examines the incident response testing plan to ensure the organization being inspected/assessed coordinates incident response testing with organizational elements responsible for related plans. |
The organization being inspected/assessed documents within their incident response testing plan, the necessary support from all responsible organizational elements for incident response testing. |
Incident Response Testing | Coordination With Related Plans |
IR-3 (2) |
IR-3(2).1 |
Organizational plans related to incident response testing include, for example, Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans. |
The organization coordinates incident response testing with organizational elements responsible for related plans. |
| CCI-002781 |
The organization defines the information system components for dynamic reconfiguration as part of the incident response capability. |
The organization conducting the inspection/assessment obtains and examines the documented information system components to ensure the organization being inspected/assessed defines the information system components for dynamic reconfiguration as part of the incident response capability. |
The organization being inspected/assessed defines and documents the information system components for dynamic reconfiguration as part of the incident response capability.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
Incident Handling | Dynamic Reconfiguration |
IR-4 (2) |
IR-4(2).2 |
Dynamic reconfiguration includes, for example, changes to router rules, access control lists, intrusion detection/prevention system parameters, and filter rules for firewalls and gateways. Organizations perform dynamic reconfiguration of information systems, for example, to stop attacks, to misdirect attackers, and to isolate components of systems, thus limiting the extent of the damage from breaches or compromises. Organizations include time frames for achieving the reconfiguration of information systems in the definition of the reconfiguration capability, considering the potential need for rapid response in order to effectively address sophisticated cyber threats. Related controls: AC-2, AC-4, AC-16, CM-2, CM-3, CM-4. |
The organization includes dynamic reconfiguration of [Assignment: organization-defined information system components] as part of the incident response capability. |
| CCI-002782 |
The organization implements an incident handling capability for insider threats. |
The organization conducting the inspection/assessment obtains and examines the incident response plan as well as a sampling of incident after action reports to ensure the organization being inspected/assessed implements incident handling capability for insider threats. |
The organization being inspected/assessed documents within their incident response plan and implements plans to respond to incidents related to insider threats. |
Incident Handling | Insider Threats - Specific Capabilities |
IR-4 (6) |
IR-4(6).1 |
While many organizations address insider threat incidents as an inherent part of their organizational incident response capability, this control enhancement provides additional emphasis on this type of threat and the need for specific incident handling capabilities (as defined within organizations) to provide appropriate and timely responses. |
The organization implements incident handling capability for insider threats. |
| CCI-002783 |
The organization coordinates an incident handling capability for insider threats across organization-defined components or elements of the organization. |
The organization conducting the inspection/assessment obtains and examines the incident response plan to ensure the organization being inspected/assessed coordinates incident handling capability for insider threats across components or elements of the organization defined in IR-4 (7), CCI 2784. |
The organization being inspected/assessed documents within their incident response plan, the responsibilities of each element of the organization defined in IR-4 (7), CCI 2784. |
Incident Handling | Insider Threats - Intra-Organization Coordination |
IR-4 (7) |
IR-4(7).1 |
Incident handling for insider threat incidents (including preparation, detection and analysis, containment, eradication, and recovery) requires close coordination among a variety of organizational components or elements to be effective. These components or elements include, for example, mission/business owners, information system owners, human resources offices, procurement offices, personnel/physical security offices, operations personnel, and risk executive (function). In addition, organizations may require external support from federal, state, and local law enforcement agencies. |
The organization coordinates incident handling capability for insider threats across [Assignment: organization-defined components or elements of the organization]. |
| CCI-002784 |
The organization defines components or elements of the organization across which an incident handling capability for insider threats will be coordinated. |
The organization conducting the inspection/assessment obtains and examines the documented components or elements to ensure the organization being inspected/assessed defines components or elements of the organization in which incident handling capability for insider threats will be coordinated.
DoD has determined the components or elements are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents components or elements of the organization in which incident handling capability for insider threats will be coordinated.
DoD has determined the components or elements are not appropriate to define at the Enterprise level. |
Incident Handling | Insider Threats - Intra-Organization Coordination |
IR-4 (7) |
IR-4(7).2 |
Incident handling for insider threat incidents (including preparation, detection and analysis, containment, eradication, and recovery) requires close coordination among a variety of organizational components or elements to be effective. These components or elements include, for example, mission/business owners, information system owners, human resources offices, procurement offices, personnel/physical security offices, operations personnel, and risk executive (function). In addition, organizations may require external support from federal, state, and local law enforcement agencies. |
The organization coordinates incident handling capability for insider threats across [Assignment: organization-defined components or elements of the organization]. |
| CCI-002785 |
The organization coordinates with organization-defined external organizations to correlate and share organization-defined incident information to achieve a cross-organization perspective on incident awareness and more effective incident responses. |
The organization conducting the inspection/assessment obtains and examines reports, meeting minutes, or other evidence that the organization being inspected/assessed is coordinating with external organizations defined in IR-4 (8), CCI 2786 to correlate and share incident information defined in IR-4 (8), CCI 2787 to achieve a cross-organization perspective on incident awareness and more effective incident responses. |
The organization being inspected/assessed coordinates with external organizations defined in IR-4 (8), CCI 2786 to correlate and share incident information defined in IR-4 (8), CCI 2787 to achieve a cross-organization perspective on incident awareness and more effective incident responses.
|
Incident Handling | Correlation With External Organizations |
IR-4 (8) |
IR-4(8).1 |
The coordination of incident information with external organizations including, for example, mission/business partners, military/coalition partners, customers, and multitiered developers, can provide significant benefits. Cross-organizational coordination with respect to incident handling can serve as an important risk management capability. This capability allows organizations to leverage critical information from a variety of sources to effectively respond to information security-related incidents potentially affecting the organization's operations, assets, and individuals. |
The organization coordinates with [Assignment: organization-defined external organizations] to correlate and share [Assignment: organization-defined incident information] to achieve a crossorganization perspective on incident awareness and more effective incident responses. |
| CCI-002786 |
The organization defines external organizations with which to correlate and share organization-defined incident information. |
The organization conducting the inspection/assessment obtains and examines the documented external organizations to ensure the organization being inspected/assessed defines external organizations to correlate and share organization-defined incident information.
DoD has determined the external organizations are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents external organizations with whom they will correlate and share organization-defined incident information.
DoD has determined the external organizations are not appropriate to define at the Enterprise level. |
Incident Handling | Correlation With External Organizations |
IR-4 (8) |
IR-4(8).2 |
The coordination of incident information with external organizations including, for example, mission/business partners, military/coalition partners, customers, and multitiered developers, can provide significant benefits. Cross-organizational coordination with respect to incident handling can serve as an important risk management capability. This capability allows organizations to leverage critical information from a variety of sources to effectively respond to information security-related incidents potentially affecting the organization's operations, assets, and individuals. |
The organization coordinates with [Assignment: organization-defined external organizations] to correlate and share [Assignment: organization-defined incident information] to achieve a crossorganization perspective on incident awareness and more effective incident responses. |
| CCI-002787 |
The organization defines incident information to correlate and share with organization-defined external organizations. |
The organization conducting the inspection/assessment obtains and examines the documented incident information to ensure the organization being inspected/assessed defines what incident information will be correlated and shared with each external organization defined in IR-4 (8), CCI 2786.
DoD has determined the incident information is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents what incident information will be correlated and shared with each external organization defined in IR-4 (8), CCI 2786.
DoD has determined the incident information is not appropriate to define at the Enterprise level. |
Incident Handling | Correlation With External Organizations |
IR-4 (8) |
IR-4(8).3 |
The coordination of incident information with external organizations including, for example, mission/business partners, military/coalition partners, customers, and multitiered developers, can provide significant benefits. Cross-organizational coordination with respect to incident handling can serve as an important risk management capability. This capability allows organizations to leverage critical information from a variety of sources to effectively respond to information security-related incidents potentially affecting the organization's operations, assets, and individuals. |
The organization coordinates with [Assignment: organization-defined external organizations] to correlate and share [Assignment: organization-defined incident information] to achieve a crossorganization perspective on incident awareness and more effective incident responses. |
| CCI-002788 |
The organization employs organization-defined dynamic response capabilities to effectively respond to security incidents. |
The organization conducting the inspection/assessment obtains and examines incident response logs to ensure that they reflect the use of at a minimum, the appropriate CIRT/CERT (such as US-CERT, DoD CERT, IC CERT).
DoD has defined the dynamic response capabilities as at a minimum, the appropriate CIRT/CERT (such as US-CERT, DoD CERT, IC CERT).
|
The organization being inspected/assessed implements at a minimum, the appropriate CIRT/CERT (such as US-CERT, DoD CERT, IC CERT) to effectively respond to security incidents.
DoD has defined the dynamic response capabilities as at a minimum, the appropriate CIRT/CERT (such as US-CERT, DoD CERT, IC CERT).
|
Incident Handling | Dynamic Response Capability |
IR-4 (9) |
IR-4(9).1 |
This control enhancement addresses the deployment of replacement or new capabilities in a timely manner in response to security incidents (e.g., adversary actions during hostile cyber attacks). This includes capabilities implemented at the mission/business process level (e.g., activating alternative mission/business processes) and at the information system level. Related control: CP-10. |
The organization employs [Assignment: organization-defined dynamic response capabilities] to effectively respond to security incidents. |
| CCI-002789 |
The organization defines dynamic response capabilities to effectively respond to security incidents. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the dynamic response capabilities as at a minimum, the appropriate CIRT/CERT (such as US-CERT, DoD CERT, IC CERT). |
DoD has defined the dynamic response capabilities as at a minimum, the appropriate CIRT/CERT (such as US-CERT, DoD CERT, IC CERT). |
Incident Handling | Dynamic Response Capability |
IR-4 (9) |
IR-4(9).2 |
This control enhancement addresses the deployment of replacement or new capabilities in a timely manner in response to security incidents (e.g., adversary actions during hostile cyber attacks). This includes capabilities implemented at the mission/business process level (e.g., activating alternative mission/business processes) and at the information system level. Related control: CP-10. |
The organization employs [Assignment: organization-defined dynamic response capabilities] to effectively respond to security incidents. |
| CCI-002790 |
The organization coordinates incident handling activities involving supply chain events with other organizations involved in the supply chain. |
The organization conducting the inspection/assesment obtains and examines the documented process to ensure the organization being inspected/assessed coordinates incident handling activities involving supply chain events with other organizations involved in the supply chain. |
The organization being inspected/assessed documents and implements a process to coordinate incident handling activities involving supply chain events with other organizations involved in the supply chain. |
Incident Handling | Supply Chain Coordination |
IR-4 (10) |
IR-4(10).1 |
Organizations involved in supply chain activities include, for example, system/product developers, integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Supply chain incidents include, for example, compromises/breaches involving information system components, information technology products, development processes or personnel, and distribution processes or warehousing facilities. |
The organization coordinates incident-handling activities involving supply chain events with other organizations involved in the supply chain. |
| CCI-002791 |
The organization defines authorities to whom security incident information is reported. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the authorities as the appropriate CIRT/CERT (such as US-CERT, DoD CERT, IC CERT). |
DoD has defined the authorities as the appropriate CIRT/CERT (such as US-CERT, DoD CERT, IC CERT). |
Incident Reporting |
IR-6 |
IR-6.4 |
The intent of this control is to address both specific incident reporting requirements within an organization and the formal incident reporting requirements for federal agencies and their subordinate organizations. Suspected security incidents include, for example, the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Current federal policy requires that all federal agencies (unless specifically exempted from such requirements) report security incidents to the United States Computer Emergency Readiness Team (US-CERT) within specified time frames designated in the US-CERT Concept of Operations for Federal Cyber Security Incident Handling. Related controls: IR-4, IR-5, IR-8. |
The organization:
a. Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time-period]; and
b. Reports security incident information to [Assignment: organization-defined authorities]. |
| CCI-002792 |
The organization defines personnel or roles to whom information system vulnerabilities associated with reported security incident information are reported. |
The organization conducting the inspection/assessment obtains and examines the documented personnel to ensure the organization being inspected/assessed defines personnel or roles to whom information system vulnerabilities associated with reported security incident information are reported IAW CJCSM 6510.01B. |
The organization being inspected/assessed defines and documents personnel or roles to whom information system vulnerabilities associated with reported security incident information are reported. The personnel shall be identified IAW CJCSM 6510.01B.
DoD has determined the personnel are not appropriate to define at the Enterprise level. |
Incident Reporting | Vulnerabilities Related To Incidents |
IR-6 (2) |
IR-6(2).2 |
|
The organization reports information system vulnerabilities associated with reported security incidents to [Assignment: organization-defined personnel]. |
| CCI-002793 |
The organization provides security incident information to other organizations involved in the supply chain for information systems or information system components related to the incident. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed provides security incident information to other organizations involved in the supply chain for information systems or information system components related to the incident. |
The organization being inspected/assessed documents and implement a process to provide security incident information to other organizations involved in the supply chain for information systems or information system components related to the incident. |
Incident Reporting | Coordination With Supply Chain |
IR-6 (3) |
IR-6(3).1 |
Organizations involved in supply chain activities include, for example, system/product developers, integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Supply chain incidents include, for example, compromises/breaches involving information system components, information technology products, development processes or personnel, and distribution processes or warehousing facilities. Organizations determine the appropriate information to share considering the value gained from support by external organizations with the potential for harm due to sensitive information being released to outside organizations of perhaps questionable trustworthiness. |
The organization provides security incident information to other organizations involved in the supply chain for information systems or information system components related to the incident. |
| CCI-002794 |
The organization develops an incident response plan. |
The organization conducting the inspection/assessment obtains and examines the documented incident response plan to ensure the organization being inspected/assessed develops an incident response plan. |
The organization being inspected/assessed develops and documents an incident response plan. |
Incident Response Plan |
IR-8 |
IR-8.1 |
It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. |
The organization:
a. Develops an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response capability;
2. Describes the structure and organization of the incident response capability;
3. Provides a high-level approach for how the incident response capability fits into the overall organization;
4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
5. Defines reportable incidents;
6. Provides metrics for measuring the incident response capability within the organization;
7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
c. Reviews the incident response plan [Assignment: organization-defined frequency];
d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
f. Protects the incident response plan from unauthorized disclosure and modification. |
| CCI-002795 |
The organization^s incident response plan provides the organization with a roadmap for implementing its incident response capability. |
The organization conducting the inspection/assessment obtains and examines the incident response plan to ensure the organization being inspected/assessed provides within their plan, a roadmap for implementing its incident response capability. |
The organization being inspected/assessed defines and documents within their incident response plan, a roadmap for implementing its incident response capability. |
Incident Response Plan |
IR-8 |
IR-8.2 |
It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. |
The organization:
a. Develops an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response capability;
2. Describes the structure and organization of the incident response capability;
3. Provides a high-level approach for how the incident response capability fits into the overall organization;
4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
5. Defines reportable incidents;
6. Provides metrics for measuring the incident response capability within the organization;
7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
c. Reviews the incident response plan [Assignment: organization-defined frequency];
d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
f. Protects the incident response plan from unauthorized disclosure and modification. |
| CCI-002796 |
The organization^s incident response plan describes the structure and organization of the incident response capability. |
The organization conducting the inspection/assessment obtains and examines the incident response plan to ensure the organization being inspected/assessed describes within their plan, the structure and organization of the incident response capability. |
The organization being inspected/assessed defines and documents within their incident response plan, the structure and organization of the incident response capability. |
Incident Response Plan |
IR-8 |
IR-8.3 |
It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. |
The organization:
a. Develops an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response capability;
2. Describes the structure and organization of the incident response capability;
3. Provides a high-level approach for how the incident response capability fits into the overall organization;
4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
5. Defines reportable incidents;
6. Provides metrics for measuring the incident response capability within the organization;
7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
c. Reviews the incident response plan [Assignment: organization-defined frequency];
d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
f. Protects the incident response plan from unauthorized disclosure and modification. |
| CCI-002797 |
The organization^s incident response plan provides a high-level approach for how the incident response capability fits into the overall organization. |
The organization conducting the inspection/assessment obtains and examines the incident response plan to ensure the organization being inspected/assessed provides within their plan, a high-level approach for how the incident response capability fits into the overall organization. |
The organization being inspected/assessed defines and documents within their incident response plan, a high-level approach for how the incident response capability fits into the overall organization. |
Incident Response Plan |
IR-8 |
IR-8.4 |
It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. |
The organization:
a. Develops an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response capability;
2. Describes the structure and organization of the incident response capability;
3. Provides a high-level approach for how the incident response capability fits into the overall organization;
4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
5. Defines reportable incidents;
6. Provides metrics for measuring the incident response capability within the organization;
7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
c. Reviews the incident response plan [Assignment: organization-defined frequency];
d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
f. Protects the incident response plan from unauthorized disclosure and modification. |
| CCI-002798 |
The organization^s incident response plan meets the unique requirements of the organization, which relate to mission, size, structure, and functions. |
The organization conducting the inspection/assessment obtains and examines the incident response plan to ensure it meets the unique requirements of the organization being inspected/assessed, which relate to mission, size, structure, and functions. |
The organization being inspected/assessed will ensure their incident response plan meets the unique requirements of the organization, which relate to mission, size, structure, and functions. |
Incident Response Plan |
IR-8 |
IR-8.5 |
It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. |
The organization:
a. Develops an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response capability;
2. Describes the structure and organization of the incident response capability;
3. Provides a high-level approach for how the incident response capability fits into the overall organization;
4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
5. Defines reportable incidents;
6. Provides metrics for measuring the incident response capability within the organization;
7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
c. Reviews the incident response plan [Assignment: organization-defined frequency];
d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
f. Protects the incident response plan from unauthorized disclosure and modification. |
| CCI-002799 |
The organization^s incident response plan defines reportable incidents. |
The organization conducting the inspection/assessment obtains and examines the incident response plan to ensure the organization being inspected/assessed defines reportable incidents IAW CJCSM 6510.01B Table B-A-2. |
The organization being inspected/assessed defines and document within their incident response plan, reportable incidents IAW CJCSM 6510.01B Table B-A-2. |
Incident Response Plan |
IR-8 |
IR-8.6 |
It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. |
The organization:
a. Develops an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response capability;
2. Describes the structure and organization of the incident response capability;
3. Provides a high-level approach for how the incident response capability fits into the overall organization;
4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
5. Defines reportable incidents;
6. Provides metrics for measuring the incident response capability within the organization;
7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
c. Reviews the incident response plan [Assignment: organization-defined frequency];
d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
f. Protects the incident response plan from unauthorized disclosure and modification. |
| CCI-002800 |
The organization^s incident response plan provides metrics for measuring the incident response capability within the organization. |
The organization conducting the inspection/assessment obtains and examines the incident response plan to ensure the organization being inspected/assessed defines metrics for measuring the incident response capability within the organization IAW CJCSM 6510.01B, Enclosure A. |
The organization being inspected/assessed defines and documents within their incident response plan, metrics for measuring the incident response capability within the organization IAW CJCSM 6510.01B, Enclosure A. |
Incident Response Plan |
IR-8 |
IR-8.7 |
It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. |
The organization:
a. Develops an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response capability;
2. Describes the structure and organization of the incident response capability;
3. Provides a high-level approach for how the incident response capability fits into the overall organization;
4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
5. Defines reportable incidents;
6. Provides metrics for measuring the incident response capability within the organization;
7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
c. Reviews the incident response plan [Assignment: organization-defined frequency];
d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
f. Protects the incident response plan from unauthorized disclosure and modification. |
| CCI-002801 |
The organization^s incident response plan defines the resources and management support needed to effectively maintain and mature an incident response capability. |
The organization conducting the inspection/assessment obtains and examines the incident response plan to ensure the organization being inspected/assessed defines within their plan, the resources and management support needed to effectively maintain and mature an incident response capability. |
The organization being inspected/assessed defines and documents within their incident response plan, the resources and management support needed to effectively maintain and mature an incident response capability. |
Incident Response Plan |
IR-8 |
IR-8.8 |
It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. |
The organization:
a. Develops an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response capability;
2. Describes the structure and organization of the incident response capability;
3. Provides a high-level approach for how the incident response capability fits into the overall organization;
4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
5. Defines reportable incidents;
6. Provides metrics for measuring the incident response capability within the organization;
7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
c. Reviews the incident response plan [Assignment: organization-defined frequency];
d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
f. Protects the incident response plan from unauthorized disclosure and modification. |
| CCI-002802 |
The organization defines personnel or roles to review and approve the incident response plan. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as at a minimum, the ISSM and ISSO. |
DoD has defined the personnel or roles as at a minimum, the ISSM and ISSO. |
Incident Response Plan |
IR-8 |
IR-8.9 |
It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. |
The organization:
a. Develops an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response capability;
2. Describes the structure and organization of the incident response capability;
3. Provides a high-level approach for how the incident response capability fits into the overall organization;
4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
5. Defines reportable incidents;
6. Provides metrics for measuring the incident response capability within the organization;
7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
c. Reviews the incident response plan [Assignment: organization-defined frequency];
d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
f. Protects the incident response plan from unauthorized disclosure and modification. |
| CCI-002803 |
The organization defines incident response personnel (identified by name and/or by role) and organizational elements to whom incident response plan changes will be communicated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the incident response personnel as all stakeholders identified in the incident response plan, not later than 30 days after the change is made. |
DoD has defined the incident response personnel as all stakeholders identified in the incident response plan, not later than 30 days after the change is made. |
Incident Response Plan |
IR-8 |
IR-8.17 |
It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. |
The organization:
a. Develops an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response capability;
2. Describes the structure and organization of the incident response capability;
3. Provides a high-level approach for how the incident response capability fits into the overall organization;
4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
5. Defines reportable incidents;
6. Provides metrics for measuring the incident response capability within the organization;
7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
c. Reviews the incident response plan [Assignment: organization-defined frequency];
d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
f. Protects the incident response plan from unauthorized disclosure and modification. |
| CCI-002804 |
The organization protects the incident response plan from unauthorized disclosure and modification. |
The organization conducting the inspection/assessment obtains and examines artifacts which identify how the incident response plan is protected to ensure the organization being inspected/assessed protects the incident response plan from unauthorized disclosure and modification. |
The organization being inspected/assessed protects the incident response plan from unauthorized disclosure and modification. |
Incident Response Plan |
IR-8 |
IR-8.18 |
It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. |
The organization:
a. Develops an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response capability;
2. Describes the structure and organization of the incident response capability;
3. Provides a high-level approach for how the incident response capability fits into the overall organization;
4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
5. Defines reportable incidents;
6. Provides metrics for measuring the incident response capability within the organization;
7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
c. Reviews the incident response plan [Assignment: organization-defined frequency];
d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
f. Protects the incident response plan from unauthorized disclosure and modification. |
| CCI-002805 |
The organization responds to information spills by identifying the specific information involved in the information system contamination. |
The organization conducting the inspection/assessment obtains and examines the incident response plan as well as after action reports of incidents to ensure that specific information involved in the information system contamination is identified. |
The organization being inspected/assessed documents within their incident response plan, a process to identify the specific information involved in the information system contamination.
|
Information Spillage Response |
IR-9 |
IR-9.1 |
Information spillage refers to instances where either classified or sensitive information is inadvertently placed on information systems that are not authorized to process such information. Such information spills often occur when information that is initially thought to be of lower sensitivity is transmitted to an information system and then is subsequently determined to be of higher sensitivity. At that point, corrective action is required. The nature of the organizational response is generally based upon the degree of sensitivity of the spilled information (e.g., security category or classification level), the security capabilities of the information system, the specific nature of contaminated storage media, and the access authorizations (e.g., security clearances) of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated. |
The organization responds to information spills by:
a. Identifying the specific information causing the information system contamination;
b. Alerting [Assignment: organization-defined personnel] of the information spill using a secure
method of communication;
c. Isolating the contaminated information system;
d. Eradicating the information from the contaminated information system;
e. Identifying other information systems that may have been subsequently contaminated; and
f. Performing other [Assignment: organization-defined actions]. |
| CCI-002806 |
The organization responds to information spills by alerting organization-defined personnel or roles of the information spill using a method of communication not associated with the spill. |
The organization conducting the inspection/assessment obtains and examines the incident response plan as well as after action reports of incidents to ensure that at a minimum, the OCA, the information owner/originator, the ISSM, the activity security manager, and the responsible computer incident response center were alerted of the information spill using a method of communication not associated with the spill.
DoD has defined the personnel or roles as at a minimum, the OCA, the information owner/originator, the ISSM, the activity security
manager, and the responsible computer incident response center. |
The organization being inspected/assessed documents within their incident response plan, a process to alert at a minimum, the Originating Classification Authority (OCA), the information owner/originator, the ISSM, the activity security manager, and the responsible computer incident response center of the information spill using a method of communication not associated with the spill.
DoD has defined the personnel or roles as at a minimum, the OCA, the information owner/originator, the ISSM, the activity security
manager, and the responsible computer incident response center.
|
Information Spillage Response |
IR-9 |
IR-9.2 |
Information spillage refers to instances where either classified or sensitive information is inadvertently placed on information systems that are not authorized to process such information. Such information spills often occur when information that is initially thought to be of lower sensitivity is transmitted to an information system and then is subsequently determined to be of higher sensitivity. At that point, corrective action is required. The nature of the organizational response is generally based upon the degree of sensitivity of the spilled information (e.g., security category or classification level), the security capabilities of the information system, the specific nature of contaminated storage media, and the access authorizations (e.g., security clearances) of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated. |
The organization responds to information spills by:
a. Identifying the specific information causing the information system contamination;
b. Alerting [Assignment: organization-defined personnel] of the information spill using a secure
method of communication;
c. Isolating the contaminated information system;
d. Eradicating the information from the contaminated information system;
e. Identifying other information systems that may have been subsequently contaminated; and
f. Performing other [Assignment: organization-defined actions]. |
| CCI-002807 |
The organization defines personnel or roles to be alerted of information spills using a method of communication not associated with the spill. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as at a minimum, the OCA, the information owner/originator, the ISSM, the activity security
manager, and the responsible computer incident response center.
|
DoD has defined the personnel or roles as at a minimum, the OCA, the information owner/originator, the ISSM, the activity security
manager, and the responsible computer incident response center.
|
Information Spillage Response |
IR-9 |
IR-9.3 |
Information spillage refers to instances where either classified or sensitive information is inadvertently placed on information systems that are not authorized to process such information. Such information spills often occur when information that is initially thought to be of lower sensitivity is transmitted to an information system and then is subsequently determined to be of higher sensitivity. At that point, corrective action is required. The nature of the organizational response is generally based upon the degree of sensitivity of the spilled information (e.g., security category or classification level), the security capabilities of the information system, the specific nature of contaminated storage media, and the access authorizations (e.g., security clearances) of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated. |
The organization responds to information spills by:
a. Identifying the specific information causing the information system contamination;
b. Alerting [Assignment: organization-defined personnel] of the information spill using a secure
method of communication;
c. Isolating the contaminated information system;
d. Eradicating the information from the contaminated information system;
e. Identifying other information systems that may have been subsequently contaminated; and
f. Performing other [Assignment: organization-defined actions]. |
| CCI-002808 |
The organization responds to information spills by isolating the contaminated information system or system component. |
The organization conducting the inspection/assessment obtains and examines the incident response plan as well as after action reports of incidents to ensure that the organization being inspected/assessed isolates contaminated information system or system component.
|
The organization being inspected/assessed documents within their incident response plan, a process to isolate the contaminated information system or system component.
|
Information Spillage Response |
IR-9 |
IR-9.4 |
Information spillage refers to instances where either classified or sensitive information is inadvertently placed on information systems that are not authorized to process such information. Such information spills often occur when information that is initially thought to be of lower sensitivity is transmitted to an information system and then is subsequently determined to be of higher sensitivity. At that point, corrective action is required. The nature of the organizational response is generally based upon the degree of sensitivity of the spilled information (e.g., security category or classification level), the security capabilities of the information system, the specific nature of contaminated storage media, and the access authorizations (e.g., security clearances) of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated. |
The organization responds to information spills by:
a. Identifying the specific information causing the information system contamination;
b. Alerting [Assignment: organization-defined personnel] of the information spill using a secure
method of communication;
c. Isolating the contaminated information system;
d. Eradicating the information from the contaminated information system;
e. Identifying other information systems that may have been subsequently contaminated; and
f. Performing other [Assignment: organization-defined actions]. |
| CCI-002809 |
The organization responds to information spills by eradicating the information from the contaminated information system or component. |
The organization conducting the inspection/assessment obtains and examines the incident response plan as well as after action reports of incidents to ensure that the organization being inspected/assessed eradicates the information from the contaminated information system or component.
|
The organization being inspected/assessed documents within their incident response plan, a process to eradicate the information from the contaminated information system or component.
|
Information Spillage Response |
IR-9 |
IR-9.5 |
Information spillage refers to instances where either classified or sensitive information is inadvertently placed on information systems that are not authorized to process such information. Such information spills often occur when information that is initially thought to be of lower sensitivity is transmitted to an information system and then is subsequently determined to be of higher sensitivity. At that point, corrective action is required. The nature of the organizational response is generally based upon the degree of sensitivity of the spilled information (e.g., security category or classification level), the security capabilities of the information system, the specific nature of contaminated storage media, and the access authorizations (e.g., security clearances) of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated. |
The organization responds to information spills by:
a. Identifying the specific information causing the information system contamination;
b. Alerting [Assignment: organization-defined personnel] of the information spill using a secure
method of communication;
c. Isolating the contaminated information system;
d. Eradicating the information from the contaminated information system;
e. Identifying other information systems that may have been subsequently contaminated; and
f. Performing other [Assignment: organization-defined actions]. |
| CCI-002810 |
The organization responds to information spills by identifying other information systems or system components that may have been subsequently contaminated. |
The organization conducting the inspection/assessment obtains and examines the incident response plan as well as after action reports of incidents to ensure that the organization being inspected/assessed identifies other information systems or system components that may have been subsequently contaminated. |
The organization being inspected/assessed documents within their incident response plan, a process to identify other information systems or system components that may have been subsequently contaminated.
|
Information Spillage Response |
IR-9 |
IR-9.6 |
Information spillage refers to instances where either classified or sensitive information is inadvertently placed on information systems that are not authorized to process such information. Such information spills often occur when information that is initially thought to be of lower sensitivity is transmitted to an information system and then is subsequently determined to be of higher sensitivity. At that point, corrective action is required. The nature of the organizational response is generally based upon the degree of sensitivity of the spilled information (e.g., security category or classification level), the security capabilities of the information system, the specific nature of contaminated storage media, and the access authorizations (e.g., security clearances) of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated. |
The organization responds to information spills by:
a. Identifying the specific information causing the information system contamination;
b. Alerting [Assignment: organization-defined personnel] of the information spill using a secure
method of communication;
c. Isolating the contaminated information system;
d. Eradicating the information from the contaminated information system;
e. Identifying other information systems that may have been subsequently contaminated; and
f. Performing other [Assignment: organization-defined actions]. |
| CCI-002811 |
The organization responds to information spills by performing other organization-defined actions. |
The organization conducting the inspection/assessment obtains and examines the incident response plan as well as after action reports of incidents to ensure that the organization being inspected/assessed performs actions defined in IR-9, CCI 2812. |
The organization being inspected/assessed documents within their incident response plan, processes to perform actions defined in IR-9, CCI 2812.
|
Information Spillage Response |
IR-9 |
IR-9.7 |
Information spillage refers to instances where either classified or sensitive information is inadvertently placed on information systems that are not authorized to process such information. Such information spills often occur when information that is initially thought to be of lower sensitivity is transmitted to an information system and then is subsequently determined to be of higher sensitivity. At that point, corrective action is required. The nature of the organizational response is generally based upon the degree of sensitivity of the spilled information (e.g., security category or classification level), the security capabilities of the information system, the specific nature of contaminated storage media, and the access authorizations (e.g., security clearances) of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated. |
The organization responds to information spills by:
a. Identifying the specific information causing the information system contamination;
b. Alerting [Assignment: organization-defined personnel] of the information spill using a secure
method of communication;
c. Isolating the contaminated information system;
d. Eradicating the information from the contaminated information system;
e. Identifying other information systems that may have been subsequently contaminated; and
f. Performing other [Assignment: organization-defined actions]. |
| CCI-002812 |
The organization defines other actions required to respond to information spills. |
The organization conducting the inspection/assessment obtains and examines the documented additional actions to ensure the organization being inspected/assessed defines other actions required to respond to information spills.
DoD has determined the actions are not appropriate to define at the Enterprise level |
The organization being inspected/assessed
defines and documents additional actions to be taken in response to spillage incidents. The actions must include the following:
1)consider the information system as classified at the same level as the spilled information until the appropriate remediation processes have been executed and verified;
2) Include the investigative team members and questions identified in CNSS Instruction 1001 in investigation of the incident;
3) Protect information regarding the incident from disclosure.
DoD has determined the actions are not appropriate to define at the Enterprise level.
|
Information Spillage Response |
IR-9 |
IR-9.8 |
Information spillage refers to instances where either classified or sensitive information is inadvertently placed on information systems that are not authorized to process such information. Such information spills often occur when information that is initially thought to be of lower sensitivity is transmitted to an information system and then is subsequently determined to be of higher sensitivity. At that point, corrective action is required. The nature of the organizational response is generally based upon the degree of sensitivity of the spilled information (e.g., security category or classification level), the security capabilities of the information system, the specific nature of contaminated storage media, and the access authorizations (e.g., security clearances) of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated. |
The organization responds to information spills by:
a. Identifying the specific information causing the information system contamination;
b. Alerting [Assignment: organization-defined personnel] of the information spill using a secure
method of communication;
c. Isolating the contaminated information system;
d. Eradicating the information from the contaminated information system;
e. Identifying other information systems that may have been subsequently contaminated; and
f. Performing other [Assignment: organization-defined actions]. |
| CCI-002813 |
The organization assigns organization-defined personnel or roles with responsibility for responding to information spills. |
The organization conducting the inspection/assessment obtains and examines appointment letters to ensure the organization being inspected/assessed appoints personnel or roles defined in IR-9 (1), CCI 2815 as having the responsibility for responding to information spills. |
The organization being inspected/assessed appoints personnel or roles defined in IR-9 (1), CCI 2815 as having the responsibility for responding to information spills. |
Information Spillage Response | Responsible Personnel |
IR-9 (1) |
IR-9(1).1 |
|
The organization identifies [Assignment: organization-defined personnel] with responsibility for responding to information spills. |
| CCI-002814 |
The organization assigns organization-defined personnel or roles with responsibility for responding to information spills. |
|
|
|
|
|
|
|
| CCI-002815 |
The organization defines personnel or roles to whom responsibility for responding to information spills will be assigned. |
The organization conducting the inspection/assessment obtains and examines the documented personnel or roles to ensure the organization being inspected/assessed defines personnel or roles to whom responsibility for responding to information spills will be assigned, which must include the ISSO and ISSM.
DoD has determined the personnel or roles are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents personnel or roles to whom responsibility for responding to information spills will be assigned. The personnel must include the ISSO and ISSM.
DoD has determined the personnel or roles are not appropriate to define at the Enterprise level. |
Information Spillage Response | Responsible Personnel |
IR-9 (1) |
IR-9(1).2 |
|
The organization identifies [Assignment: organization-defined personnel] with responsibility for responding to information spills. |
| CCI-002816 |
The organization provides information spillage response training according to an organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the training records for a sampling of incident response personnel to ensure the organization being inspected/assessed provides information spillage response training annually.
DoD has defined the frequency as annually. |
The organization being inspected/assessed documents and implements a process to provide information spillage response training annually.
The organization must maintain a record of training.
DoD has defined the frequency as annually. |
Information Spillage Response | Training |
IR-9 (2) |
IR-9(2).1 |
|
The organization provides information spillage response training [Assignment: organizationdefined frequency]. |
| CCI-002817 |
The organization defines the frequency with which to provide information spillage response training. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as annually. |
DoD has defined the frequency as annually. |
Information Spillage Response | Training |
IR-9 (2) |
IR-9(2).2 |
|
The organization provides information spillage response training [Assignment: organizationdefined frequency]. |
| CCI-002818 |
The organization implements organization-defined procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions. |
The organization conducting the inspection/assessment obtains and examines the documented procedures defined in IR-9 (3), CCI 2819 as well as after action reports of incidents to ensure the organization being inspected/assessed implements procedures defined in IR-9 (3), CCI 2819 to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions. |
The organization being inspected/assessed implements procedures defined in IR-9 (3), CCI 2819 to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions. |
Information Spillage Response | Post-Spill Operations |
IR-9 (3) |
IR-9(3).1 |
Correction actions for information systems contaminated due to information spillages may be very time-consuming. During those periods, personnel may not have access to the contaminated systems, which may potentially affect their ability to conduct organizational business. |
The organization implements [Assignment: organization-defined procedures] to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions. |
| CCI-002819 |
The organization defines procedures to implement to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions. |
The organization conducting the inspection/assessment obtains and examines the documented procedures to ensure the organization being inspected/assessed defines procedures to implement to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.
DoD has determined the procedures are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents procedures to implement to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.
DoD has determined the procedures are not appropriate to define at the Enterprise level. |
Information Spillage Response | Post-Spill Operations |
IR-9 (3) |
IR-9(3).2 |
Correction actions for information systems contaminated due to information spillages may be very time-consuming. During those periods, personnel may not have access to the contaminated systems, which may potentially affect their ability to conduct organizational business. |
The organization implements [Assignment: organization-defined procedures] to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions. |
| CCI-002820 |
The organization employs organization-defined security safeguards for personnel exposed to information not within assigned access authorizations. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed employs security safeguards defined in IR-9 (4), CCI 2821 for personnel exposed to information not within assigned access authorizations. |
The organization being inspected/assessed documents and implements a process to employ security safeguards defined in IR-9 (4), CCI 2821 for personnel exposed to information not within assigned access authorizations. |
Information Spillage Response | Exposure To Unauthorized Personnel |
IR-9 (4) |
IR-9(4).1 |
Security safeguards include, for example, making personnel exposed to spilled information aware of the federal laws, directives, policies, and/or regulations regarding the information and the restrictions imposed based on exposure to such information. |
The organization employs [Assignment: organization-defined security safeguards] for personnel exposed to information not within assigned access authorizations. |
| CCI-002821 |
The organization defines security safeguards to employ for personnel exposed to information not within assigned access authorizations. |
The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure the organization being inspected/assessed defines security safeguards to employ for personnel exposed to information not within assigned access authorizations.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents security safeguards to employ for personnel exposed to information not within assigned access authorizations.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
Information Spillage Response | Exposure To Unauthorized Personnel |
IR-9 (4) |
IR-9(4).2 |
Security safeguards include, for example, making personnel exposed to spilled information aware of the federal laws, directives, policies, and/or regulations regarding the information and the restrictions imposed based on exposure to such information. |
The organization employs [Assignment: organization-defined security safeguards] for personnel exposed to information not within assigned access authorizations. |
| CCI-002822 |
The organization establishes an integrated team of forensic/malicious code analysts, tool developers, and real-time operations personnel. |
The organization conducting the inspection/assessment obtains and examines appointments to the integrated team as well as the documented roles and responsibilities to ensure the organization being inspected/assessed establishes an integrated team of forensic/malicious code analysts, tool developers, and real-time operations personnel. |
The organization being inspected/assessed establishes an integrated team of forensic/malicious code analysts, tool developers, and real-time operations personnel.
The organization appoints team members and defines and documents roles and responsibilities for each member. |
Integrated Information Security Analysis Team |
IR-10 |
IR-10.1 |
Having an integrated team for incident response facilitates information sharing. Such capability allows organizational personnel, including developers, implementers, and operators, to leverage the team knowledge of the threat in order to implement defensive measures that will enable organizations to deter intrusions more effectively. Moreover, it promotes the rapid detection of intrusions, development of appropriate mitigations, and the deployment of effective defensive measures. For example, when an intrusion is detected, the integrated security analysis team can rapidly develop an appropriate response for operators to implement, correlate the new incident with information on past intrusions, and augment ongoing intelligence development. This enables the team to identify adversary TTPs that are linked to the operations tempo or to specific missions/business functions, and to define responsive actions in a way that does not disrupt the mission/business operations. Ideally, information security analysis teams are distributed within organizations to make the capability more resilient. |
The organization establishes an integrated team of forensic/malicious code analysts, tool developers, and real-time operations personnel. |
| CCI-002861 |
The organization defines the personnel or roles to whom a system maintenance policy is disseminated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as the SCA, ISSO, and maintenance personnel as needed by role in maintaining the system. |
DoD has defined the personnel or roles as the SCA, ISSO, and maintenance personnel as needed by role in maintaining the system. |
System Maintenance Policy And Procedures |
MA-1 |
MA-1.1 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and
b. Reviews and updates the current:
1. System maintenance policy [Assignment: organization-defined frequency]; and
2. System maintenance procedures [Assignment: organization-defined frequency]. |
| CCI-002862 |
The organization defines the personnel or roles to whom system maintenance procedures are to be disseminated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as the SCA, ISSO, and maintenance personnel as needed by role in maintaining the system. |
DoD has defined the personnel or roles as the SCA, ISSO, and maintenance personnel as needed by role in maintaining the system. |
System Maintenance Policy And Procedures |
MA-1 |
MA-1.2 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and
b. Reviews and updates the current:
1. System maintenance policy [Assignment: organization-defined frequency]; and
2. System maintenance procedures [Assignment: organization-defined frequency]. |
| CCI-002863 |
The organization employs automated mechanisms to schedule, conduct, and document repairs. |
The organization conducting the inspection/assessment obtains and examines the documentation of automated mechanisms to ensure the organization being inspected/assessed employs automated mechanisms to schedule, conduct, and document repairs. |
The organization being inspected/assessed documents and implements automated mechanisms to schedule, conduct, and document repairs. |
Controlled Maintenance | Automated Maintenance Activities |
MA-2 (2) |
MA-2(2).1 |
Related controls: CA-7, MA-3. |
The organization:
(a) Employs automated mechanisms to schedule, conduct, and document maintenance and repairs; and
(b) Produces up-to date, accurate, and complete records of all maintenance and repair actions requested, scheduled, in process, and completed. |
| CCI-002864 |
The organization produces up-to date, accurate, and complete records of all maintenance requested, scheduled, in process, and completed. |
The organization conducting the inspection/assessment obtains and examines the records of maintenance to ensure the organization being inspected/assessed produces up-to date, accurate, and complete records of all maintenance requested, scheduled, in process, and completed. |
The organization being inspected/assessed produces and maintains up-to date, accurate, and complete records of all maintenance requested, scheduled, in process, and completed. |
Controlled Maintenance | Automated Maintenance Activities |
MA-2 (2) |
MA-2(2).3 |
Related controls: CA-7, MA-3. |
The organization:
(a) Employs automated mechanisms to schedule, conduct, and document maintenance and repairs; and
(b) Produces up-to date, accurate, and complete records of all maintenance and repair actions requested, scheduled, in process, and completed. |
| CCI-002865 |
The organization produces up-to date, accurate, and complete records of all repair actions requested, scheduled, in process, and completed. |
The organization conducting the inspection/assessment obtains and examines the records of repair actions to ensure the organization being inspected/assessed produces up-to date, accurate, and complete records of all repair actions requested, scheduled, in process, and completed. |
The organization being inspected/assessed produces and maintains up-to date, accurate, and complete records of all repair actions requested, scheduled, in process, and completed. |
Controlled Maintenance | Automated Maintenance Activities |
MA-2 (2) |
MA-2(2).4 |
Related controls: CA-7, MA-3. |
The organization:
(a) Employs automated mechanisms to schedule, conduct, and document maintenance and repairs; and
(b) Produces up-to date, accurate, and complete records of all maintenance and repair actions requested, scheduled, in process, and completed. |
| CCI-002866 |
The organization schedules maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements. |
The organization conducting the inspection/assessment obtains and examines the record of maintenance to ensure the organization being inspected/assessed schedules maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements. |
The organization being inspected/assessed schedules maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
The organization must maintain a record of maintenance. |
Controlled Maintenance |
MA-2 |
MA-2.1 |
This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2. |
The organization:
a. Schedules, performs, documents, and reviews records of, maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and /or organizational requirements;
b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
c. Requires that [Assignment: organization-defined personnel] explicitly approve the removal of the information system or system components from organizational facilities for off-site
maintenance or repairs;
d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;
e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and
f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records. |
| CCI-002867 |
The organization performs maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements. |
The organization conducting the inspection/assessment obtains and examines the record of maintenance procedures followed to ensure the organization being inspected/assessed performs maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements. |
The organization being inspected/assessed implements a process to perform maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
The organization must maintain a record of maintenance procedures followed. |
Controlled Maintenance |
MA-2 |
MA-2.2 |
This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2. |
The organization:
a. Schedules, performs, documents, and reviews records of, maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and /or organizational requirements;
b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
c. Requires that [Assignment: organization-defined personnel] explicitly approve the removal of the information system or system components from organizational facilities for off-site
maintenance or repairs;
d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;
e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and
f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records. |
| CCI-002868 |
The organization documents maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements. |
The organization conducting the inspection/assessment obtains and examines documentation of maintenance to ensure the organization being inspected/assessed documents maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements. |
The organization being inspected/assessed documents maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements. |
Controlled Maintenance |
MA-2 |
MA-2.3 |
This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2. |
The organization:
a. Schedules, performs, documents, and reviews records of, maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and /or organizational requirements;
b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
c. Requires that [Assignment: organization-defined personnel] explicitly approve the removal of the information system or system components from organizational facilities for off-site
maintenance or repairs;
d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;
e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and
f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records. |
| CCI-002869 |
The organization reviews records of maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of reviews to ensure the organization being inspected/assessed reviews records of maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements. |
The organization being inspected/assessed documents and implements a process to review records of maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
The organization must maintain a record of reviews. |
Controlled Maintenance |
MA-2 |
MA-2.4 |
This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2. |
The organization:
a. Schedules, performs, documents, and reviews records of, maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and /or organizational requirements;
b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
c. Requires that [Assignment: organization-defined personnel] explicitly approve the removal of the information system or system components from organizational facilities for off-site
maintenance or repairs;
d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;
e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and
f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records. |
| CCI-002870 |
The organization schedules repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements. |
The organization conducting the inspection/assessment obtains and examines the record of repairs to ensure the organization being inspected/assessed schedules repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements. |
The organization being inspected/assessed schedules repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
The organization must maintain a record of repairs. |
Controlled Maintenance |
MA-2 |
MA-2.5 |
This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2. |
The organization:
a. Schedules, performs, documents, and reviews records of, maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and /or organizational requirements;
b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
c. Requires that [Assignment: organization-defined personnel] explicitly approve the removal of the information system or system components from organizational facilities for off-site
maintenance or repairs;
d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;
e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and
f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records. |
| CCI-002871 |
The organization performs repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements. |
The organization conducting the inspection/assessment obtains and examines the record of repair procedures followed to ensure the organization being inspected/assessed performs repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements. |
The organization being inspected/assessed implements a process to perform repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
The organization must maintain a record of repair procedures followed. |
Controlled Maintenance |
MA-2 |
MA-2.6 |
This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2. |
The organization:
a. Schedules, performs, documents, and reviews records of, maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and /or organizational requirements;
b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
c. Requires that [Assignment: organization-defined personnel] explicitly approve the removal of the information system or system components from organizational facilities for off-site
maintenance or repairs;
d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;
e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and
f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records. |
| CCI-002872 |
The organization documents repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements. |
The organization conducting the inspection/assessment obtains and examines documentation of repairs to ensure the organization being inspected/assessed documents repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements. |
The organization being inspected/assessed documents repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements. |
Controlled Maintenance |
MA-2 |
MA-2.7 |
This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2. |
The organization:
a. Schedules, performs, documents, and reviews records of, maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and /or organizational requirements;
b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
c. Requires that [Assignment: organization-defined personnel] explicitly approve the removal of the information system or system components from organizational facilities for off-site
maintenance or repairs;
d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;
e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and
f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records. |
| CCI-002873 |
The organization reviews records of repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of reviews to ensure the organization being inspected/assessed reviews records of repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements. |
The organization being inspected/assessed documents and implements a process to review records of repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
The organization must maintain a record of reviews. |
Controlled Maintenance |
MA-2 |
MA-2.8 |
This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2. |
The organization:
a. Schedules, performs, documents, and reviews records of, maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and /or organizational requirements;
b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
c. Requires that [Assignment: organization-defined personnel] explicitly approve the removal of the information system or system components from organizational facilities for off-site
maintenance or repairs;
d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;
e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and
f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records. |
| CCI-002874 |
The organization defines the personnel or roles who can explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs. |
The organization conducting the inspection/assessment obtains and examines the documented personnel or roles to ensure the organization being inspected/assessed defines the personnel or roles who can explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs.
DoD has determined the personnel or roles are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the personnel or roles who can explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs.
DoD has determined the personnel or roles are not appropriate to define at the Enterprise level. |
Controlled Maintenance |
MA-2 |
MA-2.11 |
This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2. |
The organization:
a. Schedules, performs, documents, and reviews records of, maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and /or organizational requirements;
b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
c. Requires that [Assignment: organization-defined personnel] explicitly approve the removal of the information system or system components from organizational facilities for off-site
maintenance or repairs;
d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;
e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and
f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records. |
| CCI-002875 |
The organization includes organization-defined maintenance-related information in organizational maintenance records. |
The organization conducting the inspection/assessment obtains and examines maintenance records to ensure they include maintenance-related information defined in MA-2, CCI 2876. |
The organization being inspected/assessed includes maintenance-related information defined in MA-2, CCI 2876 in organizational maintenance records. |
Controlled Maintenance |
MA-2 |
MA-2.14 |
This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2. |
The organization:
a. Schedules, performs, documents, and reviews records of, maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and /or organizational requirements;
b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
c. Requires that [Assignment: organization-defined personnel] explicitly approve the removal of the information system or system components from organizational facilities for off-site
maintenance or repairs;
d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;
e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and
f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records. |
| CCI-002876 |
The organization defines the maintenance-related information to include in organizational maintenance records. |
The organization conducting the inspection/assessment obtains and examines the documented maintenance-related information to ensure the organization being inspected/assessed defines the maintenance-related information to include in organizational maintenance records.
DoD has determined the maintenance-related information is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the maintenance-related information to include in organizational maintenance records.
DoD has determined the maintenance-related information is not appropriate to define at the Enterprise level. |
Controlled Maintenance |
MA-2 |
MA-2.15 |
This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2. |
The organization:
a. Schedules, performs, documents, and reviews records of, maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and /or organizational requirements;
b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
c. Requires that [Assignment: organization-defined personnel] explicitly approve the removal of the information system or system components from organizational facilities for off-site
maintenance or repairs;
d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;
e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and
f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records. |
| CCI-002905 |
The organization employs automated mechanisms to schedule, conduct, and document maintenance. |
The organization conducting the inspection/assessment obtains and examines the documentation of automated mechanisms to ensure the organization being inspected/assessed employs automated mechanisms to schedule, conduct, and document maintenance. |
The organization being inspected/assessed documents and implements automated mechanisms to schedule, conduct, and document maintenance. |
Controlled Maintenance | Automated Maintenance Activities |
MA-2 (2) |
MA-2(2).2 |
Related controls: CA-7, MA-3. |
The organization:
(a) Employs automated mechanisms to schedule, conduct, and document maintenance and repairs; and
(b) Produces up-to date, accurate, and complete records of all maintenance and repair actions requested, scheduled, in process, and completed. |
| CCI-002877 |
The organization prevents the unauthorized removal of maintenance equipment containing organizational information by verifying that there is no organizational information contained on the equipment. |
|
|
|
|
|
|
|
| CCI-002878 |
The organization prevents the unauthorized removal of maintenance equipment containing organizational information by sanitizing or destroying the equipment. |
|
|
|
|
|
|
|
| CCI-002879 |
The organization prevents the unauthorized removal of maintenance equipment containing organizational information by retaining the equipment within the facility. |
|
|
|
|
|
|
|
| CCI-002880 |
The organization prevents the unauthorized removal of maintenance equipment containing organizational information by retaining the equipment within the facility. |
|
|
|
|
|
|
|
| CCI-002881 |
The organization prevents the unauthorized removal of maintenance equipment containing organizational information by obtaining an exemption from organization-defined personnel or roles explicitly authorizing removal of the equipment from the facility. |
|
|
|
|
|
|
|
| CCI-002882 |
The organization defines the personnel or roles who can provide an exemption that explicitly authorizes removal of equipment from the facility. |
The organization conducting the inspection/assessment obtains and examines the documented personnel or roles to ensure the organization being inspected/assessed defines the personnel or roles who can provide an exemption that explicitly authorizes removal of equipment from the facility.
DoD has determined the personnel or roles are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the personnel or roles who can provide an exemption that explicitly authorizes removal of equipment from the facility.
DoD has determined the personnel or roles are not appropriate to define at the Enterprise level. |
Maintenance Tools | Prevent Unauthorized Removal |
MA-3 (3) |
MA-3(3).2 |
Organizational information includes all information specifically owned by organizations and information provided to organizations in which organizations serve as information stewards |
The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:
(a) Verifying that there is no organizational information contained on the equipment;
(b) Sanitizing or destroying the equipment;
(c) Retaining the equipment within the facility; or
(d) Obtaining an exemption from [Assignment: organization-defined personnel] explicitly authorizing removal of the equipment from the facility. |
| CCI-002883 |
The information system restricts the use of maintenance tools to authorized personnel only. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to restrict the use of maintenance tools to authorized personnel only.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2883. |
The organization being inspected/assessed configures the information system to restrict the use of maintenance tools to authorized personnel only.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2883. |
Maintenance Tools | Restricted Tool Use |
MA-3 (4) |
MA-3(4).1 |
This control enhancement applies to information systems that are used to carry out maintenance functions. Related controls: AC-2, AC-3, AC-5, AC-6. |
The information system restricts the use of maintenance tools to authorized personnel only. |
| CCI-002884 |
The organization audits nonlocal maintenance and diagnostic sessions^ organization-defined audit events. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to audit nonlocal maintenance and diagnostic sessions' organization-defined audit events.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2884. |
The organization being inspected/assessed configures the information system to audit nonlocal maintenance and diagnostic sessions' organization-defined audit events.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2884. |
Nonlocal Maintenance | Auditing And Review |
MA-4 (1) |
MA-4(1).1 |
Related controls: AU-2, AU-6, AU-12. |
The organization:
(a) Audits nonlocal maintenance and diagnostic sessions [Assignment: organization-defined audit events]; and
(b) Reviews the records of the maintenance and diagnostic sessions. |
| CCI-002885 |
The organization defines the nonlocal maintenance and diagnostic session audit events to audit. |
The organization conducting the inspection/assessment obtains and examines the documented audit events to ensure the organization being inspected/assessed defines the nonlocal maintenance and diagnostic session audit events to audit.
DoD has determined the audit events are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the nonlocal maintenance and diagnostic session audit events to audit.
DoD has determined the audit events are not appropriate to define at the Enterprise level. |
Nonlocal Maintenance | Auditing And Review |
MA-4 (1) |
MA-4(1).2 |
Related controls: AU-2, AU-6, AU-12. |
The organization:
(a) Audits nonlocal maintenance and diagnostic sessions [Assignment: organization-defined audit events]; and
(b) Reviews the records of the maintenance and diagnostic sessions. |
| CCI-002886 |
The organization reviews the records of the nonlocal maintenance and diagnostic sessions. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of reviews to ensure the organization being inspected/assessed reviews the records of the nonlocal maintenance and diagnostic sessions. |
The organization being inspected/assessed documents and implements a process to review the records of the nonlocal maintenance and diagnostic sessions.
The organization must maintain a record of reviews. |
Nonlocal Maintenance | Auditing And Review |
MA-4 (1) |
MA-4(1).3 |
Related controls: AU-2, AU-6, AU-12. |
The organization:
(a) Audits nonlocal maintenance and diagnostic sessions [Assignment: organization-defined audit events]; and
(b) Reviews the records of the maintenance and diagnostic sessions. |
| CCI-002887 |
The organization defines the authenticators that are replay resistant which will be employed to protect nonlocal maintenance sessions. |
The organization conducting the inspection/assessment obtains and examines the documented authenticators to ensure the organization being inspected/assessed defines the authenticators that are replay resistant which will be employed to protect nonlocal maintenance sessions.
DoD has determined the authenticators are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the authenticators that are replay resistant which will be employed to protect nonlocal maintenance sessions.
DoD has determined the authenticators are not appropriate to define at the Enterprise level. |
Nonlocal Maintenance | Authentication / Separation Of Maintenance Sessions |
MA-4 (4) |
MA-4(4).2 |
Related control: SC-13. |
The organization protects non-local maintenance sessions by:
(a) Employing [Assignment: organization-defined authenticators that are replay resistant]; and
(b) Separating the maintenance sessions from other network sessions with the information system by either:
- Physically separated communications paths; or
- Logically separated communications paths based upon encryption. |
| CCI-002888 |
The organization defines the personnel or roles authorized to approve each nonlocal maintenance session. |
|
|
|
|
|
|
|
| CCI-002889 |
The organization notifies organization-defined personnel or roles of the date and time of planned nonlocal maintenance. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed notifies the user base which could be impacted by the maintenance event of the date and time of planned nonlocal maintenance.
DoD has defined the personnel or roles as the user base which could be impacted by the maintenance event. |
The organization being inspected/assessed documents and implements a process to notify the user base which could be impacted by the maintenance event of the date and time of planned nonlocal maintenance.
DoD has defined the personnel or roles as the user base which could be impacted by the maintenance event. |
Nonlocal Maintenance | Approvals And Notifications |
MA-4 (5) |
MA-4(5).4 |
Notification may be performed by maintenance personnel. Approval of nonlocal maintenance sessions is accomplished by organizational personnel with sufficient information security and information system knowledge to determine the appropriateness of the proposed maintenance. |
The organization:
(a) Requires the approval of each nonlocal maintenance session by [Assignment: organization-defined personnel or roles]; and
(b) Notifies [Assignment: organization-defined personnel or roles] of the date and time of planned nonlocal maintenance. |
| CCI-002890 |
The information system implements cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2890. |
The organization being inspected/assessed configures the information system to implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2890. |
Nonlocal Maintenance | Cryptographic Protection |
MA-4 (6) |
MA-4(6).1 |
Related controls: SC-8, SC-13. |
The information system implements cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications. |
| CCI-002891 |
The information system implements remote disconnect verification at the termination of nonlocal maintenance and diagnostic sessions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement remote disconnect verification at the termination of nonlocal maintenance and diagnostic sessions.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2891. |
The organization being inspected/assessed configures the information system to implement remote disconnect verification at the termination of nonlocal maintenance and diagnostic sessions.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2891. |
Nonlocal Maintenance | Remote Disconnect Verification |
MA-4 (7) |
MA-4(7).1 |
Remote disconnect verification ensures that remote connections from nonlocal maintenance sessions have been terminated and are no longer available for use. Related control: SC-13. |
The information system implements remote disconnect verification at the termination of nonlocal maintenance and diagnostic sessions. |
| CCI-003123 |
The information system implements cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 3123. |
The organization being inspected/assessed configures the information system to implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 3123. |
Nonlocal Maintenance | Cryptographic Protection |
MA-4 (6) |
MA-4(6).2 |
Related controls: SC-8, SC-13. |
The information system implements cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications. |
| CCI-002892 |
The organization develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system. |
The organization being inspected/assessed documents and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system. |
Maintenance Personnel | Individuals Without Appropriate Access |
MA-5 (1) |
MA-5(1).4 |
This control enhancement denies individuals who lack appropriate security clearances (i.e., individuals who do not possess security clearances or possess security clearances at a lower level than required) or who are not U.S. citizens, visual and electronic access to any classified information, Controlled Unclassified Information (CUI), or any other sensitive information contained on organizational information systems. Procedures for the use of maintenance personnel can be documented in security plans for the information systems. Related controls: MP-6, PL-2. |
The organization:
(a) Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:
(1) Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified;
(2) Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and
(b) Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system. |
| CCI-002893 |
The organization ensures that non-escorted personnel performing maintenance activities not directly associated with the information system but in the physical proximity of the system, have required access authorization. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed ensures that non-escorted personnel performing maintenance activities not directly associated with the information system but in the physical proximity of the system, have required access authorization. |
The organization being inspected/assessed documents and implements a process to ensure that non-escorted personnel performing maintenance activities not directly associated with the information system but in the physical proximity of the system, have required access authorization. |
Maintenance Personnel | Nonsystem-Related Maintenance |
MA-5 (5) |
MA-5(5).1 |
Personnel performing maintenance activities in other capacities not directly related to the information system include, for example, physical plant personnel and janitorial personnel. |
The organization ensures that non-escorted personnel performing maintenance activities not directly associated with the information system but in the physical proximity of the system, have required access authorizations. |
| CCI-002894 |
The organization ensures that non-escorted personnel performing maintenance on the information system have required access authorizations. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of personnel performing maintenance on the information system to ensure the organization being inspected/assessed ensures that non-escorted personnel performing maintenance on the information system have required access authorizations. |
The organization being inspected/assessed documents and implements a process to ensure that non-escorted personnel performing maintenance on the information system have required access authorizations.
The organization must maintain a record of personnel performing maintenance on the information system. |
Maintenance Personnel |
MA-5 |
MA-5.3 |
This control applies to individuals performing hardware or software maintenance on organizational information systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Technical competence of supervising individuals relates to the maintenance performed on the information systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational information systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods. Related controls: AC-2, IA-8, MP-2, PE-2, PE-3, PE-4, RA-3. |
The organization:
a. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;
b. Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and
c. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations. |
| CCI-002895 |
The organization designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations. |
The organization conducting the inspection/assessment obtains and examines documented organizational personnel to ensure the organization being inspected/assessed designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations. |
The organization being inspected/assessed defines and documents organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations. |
Maintenance Personnel |
MA-5 |
MA-5.4 |
This control applies to individuals performing hardware or software maintenance on organizational information systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Technical competence of supervising individuals relates to the maintenance performed on the information systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational information systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods. Related controls: AC-2, IA-8, MP-2, PE-2, PE-3, PE-4, RA-3. |
The organization:
a. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;
b. Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and
c. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations. |
| CCI-002896 |
The organization defines the information system components for which it obtains maintenance support and/or spare parts. |
The organization conducting the inspection/assessment obtains and examines the documented information system components to ensure the organization being inspected/assessed defines the information system components for which it obtains maintenance support and/or spare parts.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information system components for which it obtains maintenance support and/or spare parts.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
Timely Maintenance |
MA-6 |
MA-6.2 |
Organizations specify the information system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support typically include having appropriate contracts in place. Related controls: CM-8, CP-2, CP-7, SA-14, SA-15. |
The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined information system components] within [Assignment: organization-defined time period] of failure. |
| CCI-002897 |
The organization defines a time period for obtaining maintenance support and/or spare parts for organization-defined information system components after a failure. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as within 24 hours (Low and Moderate Availability) or immediately upon failure for (High Availability). |
DoD has defined the time period as within 24 hours (Low and Moderate Availability) or immediately upon failure for (High Availability). |
Timely Maintenance |
MA-6 |
MA-6.3 |
Organizations specify the information system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support typically include having appropriate contracts in place. Related controls: CM-8, CP-2, CP-7, SA-14, SA-15. |
The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined information system components] within [Assignment: organization-defined time period] of failure. |
| CCI-002898 |
The organization performs preventive maintenance on organization-defined information system components at organization-defined time intervals. |
The organization conducting the inspection/assessment obtains and examines schedules and records of preventive maintenance to ensure the organization being inspected/assessed performs preventive maintenance on information system components defined in MA-6 (1), CCI 2899 at time intervals defined in MA-6 (1), CCI 2900. |
The organization being inspected/assessed performs preventive maintenance on information system components defined in MA-6 (1), CCI 2899 at time intervals defined in MA-6 (1), CCI 2900.
The organization must maintain schedules and records of preventive maintenance. |
Timely Maintenance | Preventive Maintenance |
MA-6 (1) |
MA-6(1).1 |
Preventive maintenance includes proactive care and servicing of organizational information systems components for the purpose of maintaining equipment and facilities in satisfactory operating condition. Such maintenance provides for the systematic inspection, tests, measurements, adjustments, parts replacement, detection, and correction of incipient failures either before they occur or before they develop into major defects. The primary goal of preventive maintenance is to avoid/mitigate the consequences of equipment failures. Preventive maintenance is designed to preserve and restore equipment reliability by replacing worn components before they actually fail. Methods of determining what preventive (or other) failure management policies to apply include, for example, original equipment manufacturer (OEM) recommendations, statistical failure records, requirements of codes, legislation, or regulations within a jurisdiction, expert opinion, maintenance that has already been conducted on similar equipment, or measured values and performance indications. |
The organization performs preventive maintenance on [Assignment: organization-defined information system components] at [Assignment: organization-defined time intervals]. |
| CCI-002899 |
The organization defines information system components on which to perform preventive maintenance. |
The organization conducting the inspection/assessment obtains and examines the documented information system components to ensure the organization being inspected/assessed defines information system components on which to perform preventive maintenance.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents information system components on which to perform preventive maintenance.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
Timely Maintenance | Preventive Maintenance |
MA-6 (1) |
MA-6(1).2 |
Preventive maintenance includes proactive care and servicing of organizational information systems components for the purpose of maintaining equipment and facilities in satisfactory operating condition. Such maintenance provides for the systematic inspection, tests, measurements, adjustments, parts replacement, detection, and correction of incipient failures either before they occur or before they develop into major defects. The primary goal of preventive maintenance is to avoid/mitigate the consequences of equipment failures. Preventive maintenance is designed to preserve and restore equipment reliability by replacing worn components before they actually fail. Methods of determining what preventive (or other) failure management policies to apply include, for example, original equipment manufacturer (OEM) recommendations, statistical failure records, requirements of codes, legislation, or regulations within a jurisdiction, expert opinion, maintenance that has already been conducted on similar equipment, or measured values and performance indications. |
The organization performs preventive maintenance on [Assignment: organization-defined information system components] at [Assignment: organization-defined time intervals]. |
| CCI-002900 |
The organization defines time intervals at which to perform preventive maintenance on organization-defined information system components. |
The organization conducting the inspection/assessment obtains and examines the documented time intervals to ensure the organization being inspected/assessed defines time intervals to perform preventive maintenance on organization-defined information system components.
DoD has determined the time intervals are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents time intervals to perform preventive maintenance on organization-defined information system components.
Time periods must be determined based on methods of determining what preventive (or other) failure management policies to apply include, for example, original equipment manufacturer (OEM) recommendations, statistical failure records, requirements of codes, legislation, or regulations within a jurisdiction, expert opinion, maintenance that has already been conducted on similar equipment, or measured values and performance indications.
DoD has determined the time intervals are not appropriate to define at the Enterprise level. |
Timely Maintenance | Preventive Maintenance |
MA-6 (1) |
MA-6(1).3 |
Preventive maintenance includes proactive care and servicing of organizational information systems components for the purpose of maintaining equipment and facilities in satisfactory operating condition. Such maintenance provides for the systematic inspection, tests, measurements, adjustments, parts replacement, detection, and correction of incipient failures either before they occur or before they develop into major defects. The primary goal of preventive maintenance is to avoid/mitigate the consequences of equipment failures. Preventive maintenance is designed to preserve and restore equipment reliability by replacing worn components before they actually fail. Methods of determining what preventive (or other) failure management policies to apply include, for example, original equipment manufacturer (OEM) recommendations, statistical failure records, requirements of codes, legislation, or regulations within a jurisdiction, expert opinion, maintenance that has already been conducted on similar equipment, or measured values and performance indications. |
The organization performs preventive maintenance on [Assignment: organization-defined information system components] at [Assignment: organization-defined time intervals]. |
| CCI-002901 |
The organization performs predictive maintenance on organization-defined information system components at organization-defined intervals. |
The organization conducting the inspection/assessment obtains and examines schedules and records of predictive maintenance to ensure the organization being inspected/assessed performs predictive maintenance on information system components defined in MA-6 (2), CCI 2902 at time intervals defined in MA-6 (2), CCI 2903. |
The organization being inspected/assessed performs predictive maintenance on information system components defined in MA-6 (2), CCI 2902 at time intervals defined in MA-6 (2), CCI 2903.
The organization must maintain schedules and records of predictive maintenance. |
Timely Maintenance | Predictive Maintenance |
MA-6 (2) |
MA-6(2).1 |
Predictive maintenance, or condition-based maintenance, attempts to evaluate the condition of equipment by performing periodic or continuous (online) equipment condition monitoring. The goal of predictive maintenance is to perform maintenance at a scheduled point in time when the maintenance activity is most cost-effective and before the equipment loses performance within a threshold. The predictive component of predictive maintenance stems from the goal of predicting the future trend of the equipment's condition. This approach uses principles of statistical process control to determine at what point in the future maintenance activities will be appropriate. Most predictive maintenance inspections are performed while equipment is in service, thereby minimizing disruption of normal system operations. Predictive maintenance can result in substantial cost savings and higher system reliability. Predictive maintenance tends to include measurement of the item. To evaluate equipment condition, predictive maintenance utilizes nondestructive testing technologies such as infrared, acoustic (partial discharge and airborne ultrasonic), corona detection, vibration analysis, sound level measurements, oil analysis, and other specific online tests. |
The organization performs predictive maintenance on [Assignment: organization-defined information system components] at [Assignment: organization-defined time intervals]. |
| CCI-002902 |
The organization defines information system components on which to perform predictive maintenance. |
The organization conducting the inspection/assessment obtains and examines the documented information system components to ensure the organization being inspected/assessed defines information system components on which to perform predictive maintenance.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents information system components on which to perform predictive maintenance.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
Timely Maintenance | Predictive Maintenance |
MA-6 (2) |
MA-6(2).2 |
Predictive maintenance, or condition-based maintenance, attempts to evaluate the condition of equipment by performing periodic or continuous (online) equipment condition monitoring. The goal of predictive maintenance is to perform maintenance at a scheduled point in time when the maintenance activity is most cost-effective and before the equipment loses performance within a threshold. The predictive component of predictive maintenance stems from the goal of predicting the future trend of the equipment's condition. This approach uses principles of statistical process control to determine at what point in the future maintenance activities will be appropriate. Most predictive maintenance inspections are performed while equipment is in service, thereby minimizing disruption of normal system operations. Predictive maintenance can result in substantial cost savings and higher system reliability. Predictive maintenance tends to include measurement of the item. To evaluate equipment condition, predictive maintenance utilizes nondestructive testing technologies such as infrared, acoustic (partial discharge and airborne ultrasonic), corona detection, vibration analysis, sound level measurements, oil analysis, and other specific online tests. |
The organization performs predictive maintenance on [Assignment: organization-defined information system components] at [Assignment: organization-defined time intervals]. |
| CCI-002903 |
The organization defines time intervals at which to perform predictive maintenance on organization-defined information system components. |
The organization conducting the inspection/assessment obtains and examines the documented time intervals to ensure the organization being inspected/assessed defines time intervals to perform predictive maintenance on organization-defined information system components.
DoD has determined the time intervals are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents time intervals to perform predictive maintenance on organization-defined information system components.
DoD has determined the time intervals are not appropriate to define at the Enterprise level |
Timely Maintenance | Predictive Maintenance |
MA-6 (2) |
MA-6(2).3 |
Predictive maintenance, or condition-based maintenance, attempts to evaluate the condition of equipment by performing periodic or continuous (online) equipment condition monitoring. The goal of predictive maintenance is to perform maintenance at a scheduled point in time when the maintenance activity is most cost-effective and before the equipment loses performance within a threshold. The predictive component of predictive maintenance stems from the goal of predicting the future trend of the equipment's condition. This approach uses principles of statistical process control to determine at what point in the future maintenance activities will be appropriate. Most predictive maintenance inspections are performed while equipment is in service, thereby minimizing disruption of normal system operations. Predictive maintenance can result in substantial cost savings and higher system reliability. Predictive maintenance tends to include measurement of the item. To evaluate equipment condition, predictive maintenance utilizes nondestructive testing technologies such as infrared, acoustic (partial discharge and airborne ultrasonic), corona detection, vibration analysis, sound level measurements, oil analysis, and other specific online tests. |
The organization performs predictive maintenance on [Assignment: organization-defined information system components] at [Assignment: organization-defined time intervals]. |
| CCI-002904 |
The organization employs automated mechanisms to transfer predictive maintenance data to a computerized maintenance management system. |
The organization conducting the inspection/assessment obtains and examines documentation of automated mechanisms to ensure the organization being inspected/assessed employs automated mechanisms to transfer predictive maintenance data to a computerized maintenance management system. |
The organization being inspected/assessed documents and implements automated mechanisms to transfer predictive maintenance data to a computerized maintenance management system. |
Timely Maintenance | Automated Support For Predictive Maintenance |
MA-6 (3) |
MA-6(3).1 |
A computerized maintenance management system maintains a computer database of information about the maintenance operations of organizations and automates processing equipment condition data in order to trigger maintenance planning, execution, and reporting. |
The organization employs automated mechanisms to transfer predictive maintenance data to a computerized maintenance management system. |
| CCI-002566 |
The organization defines personnel or roles to whom a documented media protection policy and procedures will be disseminated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as all users. |
DoD has defined the personnel or roles as all users. |
Media Protection Policy And Procedures |
MP-1 |
MP-1.3 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and
b. Reviews and updates the current:
1. Media protection policy [Assignment: organization-defined frequency]; and
2. Media protection procedures [Assignment: organization-defined frequency]. |
| CCI-002567 |
The organization reviews and approves media sanitization. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of media sanitization actions to ensure the organization being inspected/assessed reviews and approves media sanitization actions. |
The organization being inspected/assessed documents and implements a process for reviewing and approving media sanitization. The process must include procedures for reviewing and approving sanitization actions.
The organization must maintain a record of media sanitization actions. |
Media Sanitization | Review / Approve / Track / Document / Verify |
MP-6 (1) |
MP-6(1).1 |
Organizations review and approve media to be sanitized to ensure compliance with records-retention policies. Tracking/documenting actions include, for example, listing personnel who reviewed and approved sanitization and disposal actions, types of media sanitized, specific files stored on the media, sanitization methods used, date and time of the sanitization actions, personnel who performed the sanitization, verification actions taken, personnel who performed the verification, and disposal action taken. Organizations verify that the sanitization of the media was effective prior to disposal. Related control: SI-12. |
The organization reviews, approves, tracks, documents, and verifies media sanitization and disposal actions. |
| CCI-002568 |
The organization tracks and documents media sanitization. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of media sanitization actions to ensure the organization being inspected/assessed tracks and documents media sanitization actions. |
The organization being inspected/assessed documents and implements a process for tracking media sanitization. The process must include procedures for tracking sanitization actions.
The organization must maintain a record of media sanitization actions. |
Media Sanitization | Review / Approve / Track / Document / Verify |
MP-6 (1) |
MP-6(1).2 |
Organizations review and approve media to be sanitized to ensure compliance with records-retention policies. Tracking/documenting actions include, for example, listing personnel who reviewed and approved sanitization and disposal actions, types of media sanitized, specific files stored on the media, sanitization methods used, date and time of the sanitization actions, personnel who performed the sanitization, verification actions taken, personnel who performed the verification, and disposal action taken. Organizations verify that the sanitization of the media was effective prior to disposal. Related control: SI-12. |
The organization reviews, approves, tracks, documents, and verifies media sanitization and disposal actions. |
| CCI-002569 |
The organization verifies media sanitization. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of media sanitization actions to ensure the organization being inspected/assessed verifies media sanitization actions. |
The organization being inspected/assessed documents and implements a process for media sanitization. The process must include procedures for verification of sanitization actions.
The organization must maintain a record of media sanitization actions including verification information. |
Media Sanitization | Review / Approve / Track / Document / Verify |
MP-6 (1) |
MP-6(1).3 |
Organizations review and approve media to be sanitized to ensure compliance with records-retention policies. Tracking/documenting actions include, for example, listing personnel who reviewed and approved sanitization and disposal actions, types of media sanitized, specific files stored on the media, sanitization methods used, date and time of the sanitization actions, personnel who performed the sanitization, verification actions taken, personnel who performed the verification, and disposal action taken. Organizations verify that the sanitization of the media was effective prior to disposal. Related control: SI-12. |
The organization reviews, approves, tracks, documents, and verifies media sanitization and disposal actions. |
| CCI-002570 |
The organization reviews and approves media disposal actions. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of media disposal actions to ensure the organization being inspected/assessed reviews and approves media disposal actions. |
The organization being inspected/assessed documents and implements a process for reviewing and approving media disposal. The process must include procedures for reviewing and approving disposal actions.
The organization must maintain a record of media disposal actions. |
Media Sanitization | Review / Approve / Track / Document / Verify |
MP-6 (1) |
MP-6(1).4 |
Organizations review and approve media to be sanitized to ensure compliance with records-retention policies. Tracking/documenting actions include, for example, listing personnel who reviewed and approved sanitization and disposal actions, types of media sanitized, specific files stored on the media, sanitization methods used, date and time of the sanitization actions, personnel who performed the sanitization, verification actions taken, personnel who performed the verification, and disposal action taken. Organizations verify that the sanitization of the media was effective prior to disposal. Related control: SI-12. |
The organization reviews, approves, tracks, documents, and verifies media sanitization and disposal actions. |
| CCI-002571 |
The organization tracks and documents media disposal actions. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of media disposal actions to ensure the organization being inspected/assessed tracks and documents media disposal actions. |
The organization being inspected/assessed documents and implements a process for tracking media disposal. The process must include procedures for tracking disposal actions.
The organization must maintain a record of media disposal actions. |
Media Sanitization | Review / Approve / Track / Document / Verify |
MP-6 (1) |
MP-6(1).5 |
Organizations review and approve media to be sanitized to ensure compliance with records-retention policies. Tracking/documenting actions include, for example, listing personnel who reviewed and approved sanitization and disposal actions, types of media sanitized, specific files stored on the media, sanitization methods used, date and time of the sanitization actions, personnel who performed the sanitization, verification actions taken, personnel who performed the verification, and disposal action taken. Organizations verify that the sanitization of the media was effective prior to disposal. Related control: SI-12. |
The organization reviews, approves, tracks, documents, and verifies media sanitization and disposal actions. |
| CCI-002572 |
The organization verifies media disposal actions. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of media disposal actions to ensure the organization being inspected/assessed verifies media disposal actions. |
The organization being inspected/assessed documents and implements a process for media disposal. The process must include procedures for verification of disposal actions.
The organization must maintain a record of media disposal actions including verification information. |
Media Sanitization | Review / Approve / Track / Document / Verify |
MP-6 (1) |
MP-6(1).6 |
Organizations review and approve media to be sanitized to ensure compliance with records-retention policies. Tracking/documenting actions include, for example, listing personnel who reviewed and approved sanitization and disposal actions, types of media sanitized, specific files stored on the media, sanitization methods used, date and time of the sanitization actions, personnel who performed the sanitization, verification actions taken, personnel who performed the verification, and disposal action taken. Organizations verify that the sanitization of the media was effective prior to disposal. Related control: SI-12. |
The organization reviews, approves, tracks, documents, and verifies media sanitization and disposal actions. |
| CCI-002573 |
The organization enforces dual authorization for the sanitization of organization-defined information system media. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as a sampling of records of sanitization actions to ensure the organization being inspected/assessed enforces dual authorization for the sanitization of information system media defined in MP-6 (7), CCI 2574. |
The organization being inspected/assessed documents and implements a process for dual authorization for the sanitization of information system media defined in MP-6 (7), CCI 2574.
The organization must maintain a record of sanitization actions for media defined in MP-6 (7), CCI 2574. |
Media Sanitization | Dual Authorization |
MP-6 (7) |
MP-6(7).1 |
Organizations employ dual authorization to ensure that information system media sanitization cannot occur unless two technically qualified individuals conduct the task. Individuals sanitizing information system media possess sufficient skills/expertise to determine if the proposed sanitization reflects applicable federal/organizational standards, policies, and procedures. Dual authorization also helps to ensure that sanitization occurs as intended, both protecting against errors and false claims of having performed the sanitization actions. Dual authorization may also be known as two-person control. Related controls: AC-3, MP-2. |
The organization enforces dual authorization for the sanitization of [Assignment: organization-defined information system media]. |
| CCI-002574 |
The organization defines the information system media that dual authorization is enforced for sanitization. |
The organization conducting the inspection/assessment obtains and examines the documented information system media to ensure the organization being inspected/assessed defines the information system media that dual authorization should be enforced for sanitization.
DoD has determined the information system media is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information system media that dual authorization should be enforced for sanitization.
DoD has determined the information system media is not appropriate to define at the Enterprise level. |
Media Sanitization | Dual Authorization |
MP-6 (7) |
MP-6(7).2 |
Organizations employ dual authorization to ensure that information system media sanitization cannot occur unless two technically qualified individuals conduct the task. Individuals sanitizing information system media possess sufficient skills/expertise to determine if the proposed sanitization reflects applicable federal/organizational standards, policies, and procedures. Dual authorization also helps to ensure that sanitization occurs as intended, both protecting against errors and false claims of having performed the sanitization actions. Dual authorization may also be known as two-person control. Related controls: AC-3, MP-2. |
The organization enforces dual authorization for the sanitization of [Assignment: organization-defined information system media]. |
| CCI-002575 |
The organization defines information systems, system components, or devices from which information is to be purged/wiped, either remotely or under the organization-defined conditions. |
The organization conducting the inspection/assessment obtains and examines the documented information systems, system components, or devices to ensure the organization being inspected/assessed defines information systems, system components, or devices that information should be purged/wiped either remotely or under the organization-defined conditions.
DoD has determined the information systems, system components, or devices are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents information systems, system components, or devices that information should be purged/wiped either remotely or under the organization-defined conditions.
DoD has determined the information systems, system components, or devices are not appropriate to define at the Enterprise level. |
Media Sanitization | Remote Purging / Wiping Of Information |
MP-6 (8) |
MP-6(8).1 |
This control enhancement protects data/information on organizational information systems, system components, or devices (e.g., mobile devices) if such systems, components, or devices are obtained by unauthorized individuals. Remote purge/wipe commands require strong authentication to mitigate the risk of unauthorized individuals purging/wiping the system/component/device. The purge/wipe function can be implemented in a variety of ways including, for example, by overwriting data/information multiple times or by destroying the key necessary to decrypt encrypted data. |
The organization provides the capability to purge/wipe information from [Assignment: organization-defined information systems, system components, or devices] either remotely or under the following conditions: [Assignment: organization-defined conditions]. |
| CCI-002576 |
The organization defines conditions under which information from organization-defined information systems, system components, or devices should be purged/wiped. |
The organization conducting the inspection/assessment obtains and examines the documented conditions to ensure the organization being inspected/assessed defines conditions in which information from organization-defined information systems, system components, or devices should be purged/wiped.
DoD has determined the conditions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents conditions in which information from organization-defined information systems, system components, or devices should be purged/wiped.
DoD has determined the conditions are not appropriate to define at the Enterprise level. |
Media Sanitization | Remote Purging / Wiping Of Information |
MP-6 (8) |
MP-6(8).2 |
This control enhancement protects data/information on organizational information systems, system components, or devices (e.g., mobile devices) if such systems, components, or devices are obtained by unauthorized individuals. Remote purge/wipe commands require strong authentication to mitigate the risk of unauthorized individuals purging/wiping the system/component/device. The purge/wipe function can be implemented in a variety of ways including, for example, by overwriting data/information multiple times or by destroying the key necessary to decrypt encrypted data. |
The organization provides the capability to purge/wipe information from [Assignment: organization-defined information systems, system components, or devices] either remotely or under the following conditions: [Assignment: organization-defined conditions]. |
| CCI-002577 |
The organization provides the capability to purge/wipe information from organization-defined information systems, system components, or devices either remotely or under organization-defined conditions. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed provides the capability to purge /wipe information from information systems, system components, or devices defined in MP-6 (8), CCI 2575 either remotely or under conditions defined in MP-6 (8), CCI 2576. |
The organization being inspected/assessed documents and implements a process to purge /wipe information from information systems, system components, or devices defined in MP-6 (8), CCI 2575 either remotely or under conditions defined in MP-6 (8), CCI 2576. |
Media Sanitization | Remote Purging / Wiping Of Information |
MP-6 (8) |
MP-6(8).3 |
This control enhancement protects data/information on organizational information systems, system components, or devices (e.g., mobile devices) if such systems, components, or devices are obtained by unauthorized individuals. Remote purge/wipe commands require strong authentication to mitigate the risk of unauthorized individuals purging/wiping the system/component/device. The purge/wipe function can be implemented in a variety of ways including, for example, by overwriting data/information multiple times or by destroying the key necessary to decrypt encrypted data. |
The organization provides the capability to purge/wipe information from [Assignment: organization-defined information systems, system components, or devices] either remotely or under the following conditions: [Assignment: organization-defined conditions]. |
| CCI-002578 |
The organization defines information system media to sanitize prior to disposal, release out of organizational control, or release for reuse using organization-defined sanitization techniques and procedures in accordance with applicable federal and organizational standards and policies. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the information system media as all media. |
DoD has defined the information system media as all media. |
Media Sanitization |
MP-6 |
MP-6.2 |
This control applies to all information system media, both digital and non-digital, subject to disposal or reuse, whether or not the media is considered removable. Examples include media found in scanners, copiers, printers, notebook computers, workstations, network components, and mobile devices. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal.
Sanitization of non-digital media includes, for example, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections/words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media containing classified information. Related controls: MA-2, MA-4, RA-3, SC-4. |
The organization:
a. Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and
b. Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information. |
| CCI-002579 |
The organization defines the sanitization techniques and procedures to be used to sanitize organization-defined information system media prior to disposal, release out of organizational control, or release for reuse in accordance with applicable federal and organization standards and policies. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the sanitization techniques as techniques and procedures IAW NIST SP 800-88. |
DoD has defined the sanitization techniques as techniques and procedures IAW NIST SP 800-88. |
Media Sanitization |
MP-6 |
MP-6.3 |
This control applies to all information system media, both digital and non-digital, subject to disposal or reuse, whether or not the media is considered removable. Examples include media found in scanners, copiers, printers, notebook computers, workstations, network components, and mobile devices. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal.
Sanitization of non-digital media includes, for example, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections/words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media containing classified information. Related controls: MA-2, MA-4, RA-3, SC-4. |
The organization:
a. Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and
b. Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information. |
| CCI-002580 |
The organization employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information. |
The organization conducting the inspection/assessment obtains and examines the audit trail of sanitization actions to ensure the organization being inspected/assessed implements sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information. |
The organization being inspected/assessed implements sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
The organization must maintain an audit trail of sanitization actions. |
Media Sanitization |
MP-6 |
MP-6.4 |
This control applies to all information system media, both digital and non-digital, subject to disposal or reuse, whether or not the media is considered removable. Examples include media found in scanners, copiers, printers, notebook computers, workstations, network components, and mobile devices. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal.
Sanitization of non-digital media includes, for example, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections/words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media containing classified information. Related controls: MA-2, MA-4, RA-3, SC-4. |
The organization:
a. Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and
b. Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information. |
| CCI-002581 |
The organization defines the types of information system media to restrict or prohibit on organization-defined information systems or system components using organization-defined security safeguards. |
The organization conducting the inspection/assessment obtains and examines the documented type of information system media to ensure the organization being inspected/assessed defines the types of information system media to restrict or prohibit on organization-defined information systems or system components using organization-defined security safeguards.
DoD has determined the types of information system media are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the types of information system media to restrict or prohibit on organization-defined information systems or system components using organization-defined security safeguards.
DoD has determined the types of information system media are not appropriate to define at the Enterprise level. |
Media Use |
MP-7 |
MP-7.1 |
Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers). In contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting/prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical safeguards (e.g., policies, procedures, rules of behavior) to restrict the use of information system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling/removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including, for example, devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices. Related controls: AC-19, PL-4. |
The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards]. |
| CCI-002582 |
The organization defines the information systems or system components on which to restrict or prohibit the use of organization-defined types of information system media using organization-defined security safeguards. |
The organization conducting the inspection/assessment obtains and examines the documented information systems or system components to ensure the organization being inspected/assessed defines the information systems or system components to restrict or prohibit the use of organization-defined types of information system media using organization-defined security safeguards.
DoD has determined the information systems or system components are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information systems or system components to restrict or prohibit the use of organization-defined types of information system media using organization-defined security safeguards.
DoD has determined the information systems or system components are not appropriate to define at the Enterprise level. |
Media Use |
MP-7 |
MP-7.2 |
Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers). In contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting/prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical safeguards (e.g., policies, procedures, rules of behavior) to restrict the use of information system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling/removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including, for example, devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices. Related controls: AC-19, PL-4. |
The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards]. |
| CCI-002583 |
The organization defines the security safeguards to use for restricting or prohibiting the use of organization-defined types of information system media on organization-defined information systems or system components. |
The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure the organization being inspected/assessed defines the security safeguards to use for restricting or prohibiting the use of organization-defined types of information system media on organization-defined information systems or system components.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security safeguards to use for restricting or prohibiting the use of organization-defined types of information system media on organization-defined information systems or system components.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
Media Use |
MP-7 |
MP-7.3 |
Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers). In contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting/prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical safeguards (e.g., policies, procedures, rules of behavior) to restrict the use of information system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling/removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including, for example, devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices. Related controls: AC-19, PL-4. |
The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards]. |
| CCI-002584 |
The organization restricts or prohibits the use of organization-defined types of information system media on organization-defined information systems or system components using organization-defined security safeguards. |
The organization conducting the inspection/assessment obtains and examines the documented controls and examines information system procedures associated with the use of media to ensure the organization being inspected/assessed documents and enforces controls for the use of media defined in MP-7, CCI 2581 on systems defined in MP-7, CCI 2582 using security safeguards defined in MP-7, CCI 2583. |
The organization being inspected/assessed documents and enforces controls for the use of media defined in MP-7, CCI 2581 on systems defined in MP-7, CCI 2582 using security safeguards defined in MP-7, CCI 2583. |
Media Use |
MP-7 |
MP-7.4 |
Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers). In contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting/prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical safeguards (e.g., policies, procedures, rules of behavior) to restrict the use of information system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling/removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including, for example, devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices. Related controls: AC-19, PL-4. |
The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards]. |
| CCI-002585 |
The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner. |
The organization conducting the inspection/assessment examines a sampling of portable storage devices used in the information system to ensure that the devices have an identifiable owner. |
The organization being inspected/assessed does not use portable storage devices in organization information systems when such devices have no identifiable owner. |
Media Use | Prohibit Use Without Owner |
MP-7 (1) |
MP-7(1).1 |
|
The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner. |
| CCI-002586 |
The organization prohibits the use of sanitization-resistant media in organizational information systems. |
The organization conducting the inspection/assessment examines a sampling of media used in the information system to ensure sanitization-resistant media is not used. |
The organization being inspected/assessed does not use sanitization-resistant media in organizational information systems. |
Media Use | Prohibit Use Of Sanitization-Resistant Media |
MP-7 (2) |
MP-7(2).1 |
Sanitation-resistance applies to the capability to purge information from media. Certain types of media do not support sanitize commands, or if supported, the interfaces are not supported in a standardized way across these devices. Sanitation-resistant media include, for example, compact flash, embedded flash on boards and devices, solid state drives, and USB removable media. Related control: MP-6. |
The organization prohibits the use of sanitization-resistant media in organizational information systems. |
| CCI-002587 |
The organization documents information system media downgrading actions. |
The organization conducting the inspection/assessment obtains and examines the documented information system media downgrading actions to ensure the organization being inspected/assessed documents information system media downgrading actions. |
The organization being inspected/assessed documents information system media downgrading actions. |
Media Downgrading | Documentation Of Process |
MP-8 (1) |
MP-8(1).1 |
Organizations can document the media downgrading process by providing information such as the downgrading technique employed, the identification number of the downgraded media, and the identity of the individual that authorized and/or performed the downgrading action. |
The organization documents information system media downgrading actions. |
| CCI-002588 |
The organization employs organization-defined tests of downgrading equipment in accordance with organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the record of tests to ensure the organization being inspected/assessed implements tests defined in MP-8 (2), CCI 2590 at a minimum annually to verify correct performance of equipment.
DoD has defined the frequency as at a minimum annually.
|
The organization being inspected/assessed implements tests defined in MP-8 (2), CCI 2590 at a minimum annually to verify correct performance of equipment.
The organization must maintain a record of tests.
DoD has defined the frequency as at a minimum annually. |
Media Downgrading | Equipment Testing |
MP-8 (2) |
MP-8(2).1 |
|
The organization employs [Assignment: organization-defined tests] of downgrading equipment and procedures to verify correct performance [Assignment: organization-defined frequency]. |
| CCI-002589 |
The organization employs procedures to verify correct performance of organization-defined tests of downgrading equipment in accordance with organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the record of tests to ensure the organization being inspected/assessed implements tests defined in MP-8 (2), CCI 2590 at a minimum annually to verify correct performance of procedures.
DoD has defined the frequency as at a minimum annually.
|
The organization being inspected/assessed implements tests defined in MP-8 (2), CCI 2590 at a minimum annually to verify correct performance of procedures.
The organization must maintain a record of tests.
DoD has defined the frequency as at a minimum annually. |
Media Downgrading | Equipment Testing |
MP-8 (2) |
MP-8(2).2 |
|
The organization employs [Assignment: organization-defined tests] of downgrading equipment and procedures to verify correct performance [Assignment: organization-defined frequency]. |
| CCI-002590 |
The organization defines tests to employ for downgrading equipment. |
The organization conducting the inspection/assessment obtains and examines the documented tests to ensure the organization being inspected/assessed defines tests to employ for downgrading equipment.
DoD has determined the tests are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents tests to employ for downgrading equipment.
DoD has determined the tests are not appropriate to define at the Enterprise level. |
Media Downgrading | Equipment Testing |
MP-8 (2) |
MP-8(2).3 |
|
The organization employs [Assignment: organization-defined tests] of downgrading equipment and procedures to verify correct performance [Assignment: organization-defined frequency]. |
| CCI-002591 |
The organization defines the frequency with which to employ tests of downgrading equipment and procedures to verify correct performance. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as at a minimum annually. |
DoD has defined the frequency as at a minimum annually. |
Media Downgrading | Equipment Testing |
MP-8 (2) |
MP-8(2).4 |
|
The organization employs [Assignment: organization-defined tests] of downgrading equipment and procedures to verify correct performance [Assignment: organization-defined frequency]. |
| CCI-002592 |
The organization defines Controlled Unclassified Information (CUI). |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the Controlled Unclassified Information (CUI) as any Controlled Unclassified Information (CUI). |
DoD has defined the Controlled Unclassified Information (CUI) as any Controlled Unclassified Information (CUI). |
Media Downgrading | Controlled Unclassified Information |
MP-8 (3) |
MP-8(3).1 |
|
The organization downgrades information system media containing [Assignment: organization-defined Controlled Unclassified Information (CUI)] prior to public release in accordance with applicable federal and organizational standards and policies. |
| CCI-002593 |
The organization downgrades information system media containing organization-defined Controlled Unclassified Information (CUI) prior to public release in accordance with applicable federal and organizational standards and policies. |
The organization conducting the inspection/assessment obtains and examines the record of public release of media as well as records of information system media downgrade to ensure the organization being inspected/assessed implements a process to downgrade information system media containing any Controlled Unclassified Information (CUI) prior to public release in accordance with applicable federal and organizational standards and policies.
DoD has defined the Controlled Unclassified Information (CUI) as any Controlled Unclassified Information (CUI). |
The organization being inspected/assessed implements a process to downgrade information system media containing any Controlled Unclassified Information (CUI) prior to public release in accordance with applicable federal and organizational standards and policies.
The organization must maintain a record of public release of media and a record of information system media downgrade.
DoD has defined the Controlled Unclassified Information (CUI) as any Controlled Unclassified Information (CUI). |
Media Downgrading | Controlled Unclassified Information |
MP-8 (3) |
MP-8(3).2 |
|
The organization downgrades information system media containing [Assignment: organization-defined Controlled Unclassified Information (CUI)] prior to public release in accordance with applicable federal and organizational standards and policies. |
| CCI-002594 |
The organization downgrades information system media containing classified information prior to release to individuals without required access authorizations in accordance with NSA standards and policies. |
The organization conducting the inspection/assessment obtains and examines the record of release of media containing classified information as well as records of information system media downgrade to ensure the organization being inspected/assessed implements a process to downgrade information system media containing classified information prior to release to individuals without required access authorizations in accordance with NSA standards and policies. |
The organization being inspected/assessed implements a process to downgrade information system media containing classified information prior to release to individuals without required access authorizations in accordance with NSA standards and policies.
The organization must maintain a record of release of media containing classified information and a record of information system media downgrade. |
Media Downgrading | Classified Information |
MP-8 (4) |
MP-8(4).1 |
Downgrading of classified information uses approved sanitization tools, techniques, and procedures to transfer information confirmed to be unclassified from classified information systems to unclassified media. |
The organization downgrades information system media containing classified information prior to release to individuals without required access authorizations in accordance with NSA standards and policies. |
| CCI-002595 |
The organization establishes an organization-defined information system media downgrading process that includes employing downgrading mechanisms with organization-defined strength and integrity. |
|
|
|
|
|
|
|
| CCI-002596 |
The organization establishes and defines an information system media downgrading process that includes employing downgrading mechanisms with organization-defined strength and integrity. |
The organization conducting the inspection/assessment obtains and examines the documented information system media downgrading process to ensure the organization being inspected/assessed defines an information system media downgrading process that includes employing downgrading mechanisms with organization-defined strength and integrity.
DoD has determined the information system media downgrading process is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents an information system media downgrading process that includes employing downgrading mechanisms with organization-defined strength and integrity.
DoD has determined the information system media downgrading process is not appropriate to define at the Enterprise level. |
Media Downgrading |
MP-8 |
MP-8.1 |
This control applies to all information system media, digital and non-digital, subject to release outside of the organization, whether or not the media is considered removable. The downgrading process, when applied to system media, removes information from the media, typically by security category or classification level, such that the information cannot be retrieved or reconstructed. Downgrading of media includes redacting information to enable wider release and distribution. Downgrading of media also ensures that empty space on the media (e.g., slack space within files) is devoid of information. |
The organization:
a. Establishes [Assignment: organization-defined information system media downgrading process] that includes employing downgrading mechanisms with [Assignment: organization defined strength and integrity];
b. Ensures that the information system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information;
c. Identifies [Assignment: organization-defined information system media, both digital and nondigital, requiring downgrading]; and
d. Downgrades the identified information system media using the established process. |
| CCI-002597 |
The organization defines strength and integrity for downgrading mechanisms to establish an organization-defined information system media downgrading process. |
The organization conducting the inspection/assessment obtains and examines the documented strength and integrity to ensure the organization being inspected/assessed defines strength and integrity for downgrading mechanisms to establish an organization-defined information system media downgrading process.
DoD has determined the strength and integrity are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents strength and integrity for downgrading mechanisms to establish an organization-defined information system media downgrading process.
DoD has determined the strength and integrity are not appropriate to define at the Enterprise level. |
Media Downgrading |
MP-8 |
MP-8.2 |
This control applies to all information system media, digital and non-digital, subject to release outside of the organization, whether or not the media is considered removable. The downgrading process, when applied to system media, removes information from the media, typically by security category or classification level, such that the information cannot be retrieved or reconstructed. Downgrading of media includes redacting information to enable wider release and distribution. Downgrading of media also ensures that empty space on the media (e.g., slack space within files) is devoid of information. |
The organization:
a. Establishes [Assignment: organization-defined information system media downgrading process] that includes employing downgrading mechanisms with [Assignment: organization defined strength and integrity];
b. Ensures that the information system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information;
c. Identifies [Assignment: organization-defined information system media, both digital and nondigital, requiring downgrading]; and
d. Downgrades the identified information system media using the established process. |
| CCI-002598 |
The organization ensures that the information system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information. |
The organization conducting the inspection/assessment obtains and examines the documented process defined in MP-8, CCI 2596 to ensure it is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information. |
The organization being inspected/assessed includes within the process defined in MP-8, CCI 2596, processes which are commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information. |
Media Downgrading |
MP-8 |
MP-8.3 |
This control applies to all information system media, digital and non-digital, subject to release outside of the organization, whether or not the media is considered removable. The downgrading process, when applied to system media, removes information from the media, typically by security category or classification level, such that the information cannot be retrieved or reconstructed. Downgrading of media includes redacting information to enable wider release and distribution. Downgrading of media also ensures that empty space on the media (e.g., slack space within files) is devoid of information. |
The organization:
a. Establishes [Assignment: organization-defined information system media downgrading process] that includes employing downgrading mechanisms with [Assignment: organization defined strength and integrity];
b. Ensures that the information system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information;
c. Identifies [Assignment: organization-defined information system media, both digital and nondigital, requiring downgrading]; and
d. Downgrades the identified information system media using the established process. |
| CCI-002599 |
The organization defines and identifies the information system media requiring downgrading. |
The organization conducting the inspection/assessment obtains and examines the documented information system media to ensure the organization being inspected/assessed defines and identifies the information system media requiring downgrading.
DoD has determined the information system media is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines, identifies, and documents the information system media requiring downgrading.
DoD has determined the information system media is not appropriate to define at the Enterprise level. |
Media Downgrading |
MP-8 |
MP-8.4 |
This control applies to all information system media, digital and non-digital, subject to release outside of the organization, whether or not the media is considered removable. The downgrading process, when applied to system media, removes information from the media, typically by security category or classification level, such that the information cannot be retrieved or reconstructed. Downgrading of media includes redacting information to enable wider release and distribution. Downgrading of media also ensures that empty space on the media (e.g., slack space within files) is devoid of information. |
The organization:
a. Establishes [Assignment: organization-defined information system media downgrading process] that includes employing downgrading mechanisms with [Assignment: organization defined strength and integrity];
b. Ensures that the information system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information;
c. Identifies [Assignment: organization-defined information system media, both digital and nondigital, requiring downgrading]; and
d. Downgrades the identified information system media using the established process. |
| CCI-002600 |
The organization downgrades the identified information system media using the established process. |
The organization conducting the inspection/assessment obtains and examines the record of downgrade activities to ensure the organization being inspected/assessed implements the process defined in MP-8, CCI 2596 to downgrade media defined in MP-8, CCI 2599. |
The organization being inspected/assessed implements the process defined in MP-8, CCI 2596 to downgrade media defined in MP-8, CCI 2599.
The organization must maintain a record of downgrade activities. |
Media Downgrading |
MP-8 |
MP-8.5 |
This control applies to all information system media, digital and non-digital, subject to release outside of the organization, whether or not the media is considered removable. The downgrading process, when applied to system media, removes information from the media, typically by security category or classification level, such that the information cannot be retrieved or reconstructed. Downgrading of media includes redacting information to enable wider release and distribution. Downgrading of media also ensures that empty space on the media (e.g., slack space within files) is devoid of information. |
The organization:
a. Establishes [Assignment: organization-defined information system media downgrading process] that includes employing downgrading mechanisms with [Assignment: organization defined strength and integrity];
b. Ensures that the information system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information;
c. Identifies [Assignment: organization-defined information system media, both digital and nondigital, requiring downgrading]; and
d. Downgrades the identified information system media using the established process. |
| CCI-002908 |
The organization defines the personnel or roles to whom a physical and environmental protection policy is disseminated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the roles as organizational personnel with physical and environmental protection responsibilities. |
DoD has defined the roles as organizational personnel with physical and environmental protection responsibilities. |
Physical And Environmental Protection Policy And Procedures |
PE-1 |
PE-1.1 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PE family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and
b. Reviews and updates the current:
1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and
2. Physical and environmental protection procedures [Assignment: organization-defined frequency]. |
| CCI-002909 |
The organization defines the personnel or roles to whom the physical and environmental protection procedures are disseminated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the roles as organizational personnel with physical and environmental protection responsibilities. |
DoD has defined the roles as organizational personnel with physical and environmental protection responsibilities. |
Physical And Environmental Protection Policy And Procedures |
PE-1 |
PE-1.2 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PE family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and
b. Reviews and updates the current:
1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and
2. Physical and environmental protection procedures [Assignment: organization-defined frequency]. |
| CCI-002910 |
The organization approves a list of individuals with authorized access to the facility where the information system resides. |
The organization conducting the inspection/assessment obtains and examines the list of individuals currently authorized to access the facility where the information system resides and ensures it is formally approved. |
The organization being inspected/assessed formally approves a list of individuals currently authorized to access the facility where the information system resides. |
Physical Access Authorizations |
PE-2 |
PE-2.2 |
This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Authorization credentials include, for example, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed (including level of forge-proof badges, smart cards, or identification cards) consistent with federal standards, policies, and procedures. This control only applies to areas within facilities that have not been designated as publicly accessible. Related controls: PE-3, PE-4, PS-3. |
The organization:
a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;
b. Issues authorization credentials for facility access;
c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and
d. Removes individuals from the facility access list when access is no longer required. |
| CCI-002911 |
The organization maintains a list of individuals with authorized access to the facility where the information system resides. |
The organization conducting the inspection/assessment obtains and examines the list of individuals to ensure the organization being inspected/assessed maintains a list of individuals currently authorized to access the facility where the information system resides. |
The organization being inspected/assessed maintains a list of individuals currently authorized to access the facility where the information system resides. |
Physical Access Authorizations |
PE-2 |
PE-2.3 |
This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Authorization credentials include, for example, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed (including level of forge-proof badges, smart cards, or identification cards) consistent with federal standards, policies, and procedures. This control only applies to areas within facilities that have not been designated as publicly accessible. Related controls: PE-3, PE-4, PS-3. |
The organization:
a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;
b. Issues authorization credentials for facility access;
c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and
d. Removes individuals from the facility access list when access is no longer required. |
| CCI-002912 |
The organization defines a list of acceptable forms of identification for visitor access to the facility where the information system resides. |
The organization conducting the inspection/assessment obtains and examines the documented a list of acceptable forms of identification to ensure the organization being inspected/assessed defines a list of acceptable forms of identification for visitor access to the facility where the information system resides.
DoD has determined the list of acceptable forms of identification are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents a list of acceptable forms of identification for visitor access to the facility where the information system resides.
DoD has determined the list of acceptable forms of identification are not appropriate to define at the Enterprise level. |
Physical Access Authorizations | Two Forms Of Identification |
PE-2 (2) |
PE-2(2).2 |
Acceptable forms of government photo identification include, for example, passports, Personal Identity Verification (PIV) cards, and drivers' licenses. In the case of gaining access to facilities using automated mechanisms, organizations may use PIV cards, key cards, PINs, and biometrics. Related controls: IA-2, IA-4, IA-5. |
The organization requires two forms of identification from [Assignment: organization-defined list of acceptable forms of identification] for visitor access to the facility where the information system resides. |
| CCI-002913 |
The organization restricts unescorted access to the facility where the information system resides to personnel with one or more of the following: security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; organization-defined credentials. |
The organization conducting the inspection/assessment obtains and examines the physical security policy to ensure the organization being inspected/assessed has selected one or more of the physical security requirements that must be met before unescorted access to the facility where the information system resides is granted |
The organization being inspected/assessed defines and documents the requirements that must be met before unescorted access to the facility where the information system resides will be granted. These requirements will be selected from: security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; credentials defined in PE-2 (3), CCI 2914.
This requirement must be documented within the organization's physical security policy. |
Physical Access Authorizations | Restrict Unescorted Access |
PE-2 (3) |
PE-2(3).1 |
Due to the highly sensitive nature of classified information stored within certain facilities, it is important that individuals lacking sufficient security clearances, access approvals, or need to know, be escorted by individuals with appropriate credentials to ensure that such information is not exposed or otherwise compromised. Related controls: PS-2, PS-6. |
The organization restricts unescorted access to the facility where the information system resides to personnel with required security clearances, formal access authorizations, and validated need for access. |
| CCI-002914 |
The organization defines the credentials required for personnel to have unescorted access to the facility where the information system resides. |
The organization conducting the inspection/assessment obtains and examines the documented credentials to ensure the organization being inspected/assessed defines the credentials required for personnel to have unescorted access to the facility where the information system resides.
DoD has determined the credentials are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the credentials required for personnel to have unescorted access to the facility where the information system resides.
DoD has determined the credentials are not appropriate to define at the Enterprise level. |
Physical Access Authorizations | Restrict Unescorted Access |
PE-2 (3) |
PE-2(3).2 |
Due to the highly sensitive nature of classified information stored within certain facilities, it is important that individuals lacking sufficient security clearances, access approvals, or need to know, be escorted by individuals with appropriate credentials to ensure that such information is not exposed or otherwise compromised. Related controls: PS-2, PS-6. |
The organization restricts unescorted access to the facility where the information system resides to personnel with required security clearances, formal access authorizations, and validated need for access. |
| CCI-002915 |
The organization defines the entry/exit points to the facility where the information system resides. |
The organization conducting the inspection/assessment obtains and examines the documented entry/exit points and inspects the facility to ensure that all entry/exit points are documented.
DoD has determined the entry/exit points are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the entry/exit points to the facility where the information system resides.
DoD has determined the entry/exit points are not appropriate to define at the Enterprise level. |
Physical Access Control |
PE-3 |
PE-3.2 |
This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. |
The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. |
| CCI-002916 |
The organization defines the physical access control systems/devices or guards that control ingress/egress to the facility where the information system resides. |
The organization conducting the inspection/assessment obtains and examines the documented physical access control systems/devices to ensure the organization being inspected/assessed defines the physical access control systems/devices or guards that control ingress/egress to the facility.
DoD has determined the physical access control systems/devices are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the physical access control systems/devices or guards that control ingress/egress to the facility.
DoD has determined the physical access control systems/devices are not appropriate to define at the Enterprise level. |
Physical Access Control |
PE-3 |
PE-3.5 |
This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. |
The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. |
| CCI-002917 |
The organization maintains physical access audit logs for organization-defined entry/exit points to the facility where the information system resides. |
The organization conducting the inspection/assessment obtains and
examines the physical access audit logs and compares the logged entry with
known access to those entry points to ensure the organization being
inspected/assessed maintains physical access audit logs for entry/exit
points defined in PE-3, CCI 2918.
Instances of access that will be compared with the audit logs include, at a minimum, access as part of the inspection/assessment. Comparison of other
entry/exit events required elsewhere in system documentation that would have occurred before the inspection/assessment such as daily checks and scheduled
maintenance are strongly encouraged and help to establish a history of compliance/non-compliance. |
The organization being inspected/assessed maintains physical access audit logs for entry/exit points defined in PE-3, CCI 2918. |
Physical Access Control |
PE-3 |
PE-3.6 |
This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. |
The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. |
| CCI-002918 |
The organization defines entry/exit points to the facility where the information system resides that require physical access audit logs be maintained. |
The organization conducting the inspection/assessment obtains and examines the documented entry/exit points to ensure the organization being inspected/assessed defines entry/exit points that require physical access audit logs be maintained.
DoD has determined the entry/exit points are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents entry/exit points that require physical access audit logs be maintained.
DoD has determined the entry/exit points are not appropriate to define at the Enterprise level. |
Physical Access Control |
PE-3 |
PE-3.7 |
This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. |
The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. |
| CCI-002919 |
The organization provides organization-defined security safeguards to control access to areas within the facility where the information system resides officially designated as publicly accessible. |
The organization conducting the inspection/assessment obtains and examines the documentation of areas officially designated as publicly accessible to ensure the organization being inspected/assessed provides security safeguards defined in PE-3, CCI 2920 to control access to areas within the facility officially designated as publicly accessible. |
The organization being inspected/assessed provides security safeguards defined in PE-3, CCI 2920 to control access to areas within the facility officially designated as publicly accessible.
The organization must document which areas are officially designated as publicly accessible. |
Physical Access Control |
PE-3 |
PE-3.8 |
This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. |
The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. |
| CCI-002920 |
The organization defines security safeguards to control access to areas within the facility where the information system resides officially designated as publicly accessible. |
The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure the organization being inspected/assessed defines security safeguards to control access to areas within the facility officially designated as publicly accessible.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents security safeguards to control access to areas within the facility officially designated as publicly accessible.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
Physical Access Control |
PE-3 |
PE-3.9 |
This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. |
The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. |
| CCI-002921 |
The organization escorts visitors in the facility where the information system resides during organization-defined circumstances requiring visitor escorts. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed escorts visitors during circumstances defined in PE-3, CCI 2922 requiring visitor escorts. |
The organization being inspected/assessed documents and implements a process to escort visitors during circumstances defined in PE-3, CCI 2922 requiring visitor escorts. |
Physical Access Control |
PE-3 |
PE-3.10 |
This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. |
The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. |
| CCI-002922 |
The organization defines circumstances requiring visitor escorts in the facility where the information system resides. |
The organization conducting the inspection/assessment obtains and examines the documented circumstances to ensure the organization being inspected/assessed defines circumstances requiring visitor escorts.
DoD has determined the circumstances are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents circumstances requiring visitor escorts.
DoD has determined the circumstances are not appropriate to define at the Enterprise level. |
Physical Access Control |
PE-3 |
PE-3.11 |
This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. |
The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. |
| CCI-002923 |
The organization monitors visitor activity in the facility where the information system resides during organization-defined circumstances requiring visitor monitoring. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed monitors visitor activity during circumstances defined in PE-3, CCI 2924 requiring visitor monitoring. |
The organization being inspected/assessed documents and implements a process to monitor visitor activity during circumstances defined in PE-3, CCI 2924 requiring visitor monitoring. |
Physical Access Control |
PE-3 |
PE-3.12 |
This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. |
The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. |
| CCI-002924 |
The organization defines circumstances requiring visitor monitoring in the facility where the information system resides. |
The organization conducting the inspection/assessment obtains and examines the documented circumstances to ensure the organization being inspected/assessed defines circumstances requiring visitor monitoring.
DoD has determined the circumstances are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents circumstances requiring visitor monitoring.
DoD has determined the circumstances are not appropriate to define at the Enterprise level. |
Physical Access Control |
PE-3 |
PE-3.13 |
This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. |
The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. |
| CCI-002925 |
The organization defines the physical access devices to inventory. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the physical access devices as minimally keys or any other physical token used to gain access. |
DoD has defined the physical access devices as minimally keys or any other physical token used to gain access. |
Physical Access Control |
PE-3 |
PE-3.17 |
This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. |
The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. |
| CCI-002926 |
The organization defines the physical spaces containing one or more components of the information system that require physical access authorizations and controls at the facility where the information system resides. |
The organization conducting the inspection/assessment obtains and examines the documented physical spaces to ensure the organization being inspected/assessed defines the physical spaces containing one or more components of the information system that require physical access authorizations and controls at the facility.
DoD has determined the physical spaces are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the physical spaces containing one or more components of the information system that require physical access authorizations and controls at the facility.
DoD has determined the physical spaces are not appropriate to define at the Enterprise level. |
Physical Access Control | Information System Access |
PE-3 (1) |
PE-3(1).2 |
This control enhancement provides additional physical security for those areas within facilities where there is a concentration of information system components (e.g., server rooms, media storage areas, data and communications centers). Related control: PS-2. |
The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the information system]. |
| CCI-002927 |
The organization defines the frequency with which to perform security checks at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as at a minimum, annually. |
DoD has defined the frequency as at a minimum, annually. |
Physical Access Control | Facility / Information System Boundaries |
PE-3 (2) |
PE-3(2).2 |
Organizations determine the extent, frequency, and/or randomness of security checks to adequately mitigate risk associated with exfiltration. Related controls: AC-4, SC-7. |
The organization performs security checks [Assignment: organization-defined frequency] at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components. |
| CCI-002928 |
The organization defines security safeguards to detect and prevent physical tampering or alteration of organization-defined hardware components within the information system. |
The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure the organization being inspected/assessed defines security safeguards to detect and prevent physical tampering or alteration of organization-defined hardware components within the information system.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents security safeguards to detect and prevent physical tampering or alteration of organization-defined hardware components within the information system.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
Physical Access Control | Tamper Protection |
PE-3 (5) |
PE-3(5).2 |
Organizations may implement tamper detection/prevention at selected hardware components or tamper detection at some components and tamper prevention at other components. Tamper detection/prevention activities can employ many types of anti-tamper technologies including, for example, tamper-detection seals and anti-tamper coatings. Anti-tamper programs help to detect hardware alterations through counterfeiting and other supply chain-related risks. Related control: SA-12. |
The organization employs [Assignment: organization-defined security safeguards] to [Selection (one or more): detect; prevent] physical tampering or alteration of [Assignment: organization defined hardware components] within the information system. |
| CCI-002929 |
The organization defines hardware components within the information system for which to employ organization-defined security safeguards to detect and prevent physical tampering or alteration. |
The organization conducting the inspection/assessment obtains and examines the documented hardware components to ensure the organization being inspected/assessed defines hardware components within the information system to employ organization-defined security safeguards to detect and prevent physical tampering or alteration.
DoD has determined the hardware components are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents hardware components within the information system to employ organization-defined security safeguards to detect and prevent physical tampering or alteration.
DoD has determined the hardware components are not appropriate to define at the Enterprise level. |
Physical Access Control | Tamper Protection |
PE-3 (5) |
PE-3(5).3 |
Organizations may implement tamper detection/prevention at selected hardware components or tamper detection at some components and tamper prevention at other components. Tamper detection/prevention activities can employ many types of anti-tamper technologies including, for example, tamper-detection seals and anti-tamper coatings. Anti-tamper programs help to detect hardware alterations through counterfeiting and other supply chain-related risks. Related control: SA-12. |
The organization employs [Assignment: organization-defined security safeguards] to [Selection (one or more): detect; prevent] physical tampering or alteration of [Assignment: organization defined hardware components] within the information system. |
| CCI-002930 |
The organization defines information system distribution and transmission lines within organizational facilities to control physical access to using organization-defined security safeguards. |
The organization conducting the inspection/assessment obtains and examines the documented information system distribution and transmission lines to ensure the organization being inspected/assessed defines information system distribution and transmission lines within organizational facilities to control physical access using organization-defined security safeguards.
DoD has determined the information system distribution and transmission lines are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents information system distribution and transmission lines within organizational facilities to control physical access using organization-defined security safeguards.
If transmission lines carry classified information, a protected distribution system (PDS) must be used to transmit unencrypted classified information through an area of lesser classification or control. For additional information, see NSTISSI No. 7003.
DoD has determined the information system distribution and transmission lines are not appropriate to define at the Enterprise level. |
Access Control For Transmission Medium |
PE-4 |
PE-4.2 |
Physical security safeguards applied to information system distribution and transmission lines help to prevent accidental damage, disruption, and physical tampering. In addition, physical safeguards may be necessary to help prevent eavesdropping or in transit modification of unencrypted transmissions. Security safeguards to control physical access to system distribution and transmission lines include, for example: (i) locked wiring closets; (ii) disconnected or locked spare jacks; and/or (iii) protection of cabling by conduit or cable trays. Related controls: MP-2, MP-4, PE-2, PE-3, PE-5, SC-7, SC-8. |
The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using
[Assignment: organization-defined security safeguards]. |
| CCI-002931 |
The organization defines security safeguards to control physical access to organization-defined information system distribution and transmission lines within organizational facilities. |
The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure the organization being inspected/assessed defines security safeguards to control physical access to organization-defined information system distribution and transmission lines within organizational facilities.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents security safeguards to control physical access to organization-defined information system distribution and transmission lines within organizational facilities.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
Access Control For Transmission Medium |
PE-4 |
PE-4.3 |
Physical security safeguards applied to information system distribution and transmission lines help to prevent accidental damage, disruption, and physical tampering. In addition, physical safeguards may be necessary to help prevent eavesdropping or in transit modification of unencrypted transmissions. Security safeguards to control physical access to system distribution and transmission lines include, for example: (i) locked wiring closets; (ii) disconnected or locked spare jacks; and/or (iii) protection of cabling by conduit or cable trays. Related controls: MP-2, MP-4, PE-2, PE-3, PE-5, SC-7, SC-8. |
The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using
[Assignment: organization-defined security safeguards]. |
| CCI-002932 |
The organization controls physical access to output from organization-defined output devices. |
The organization conducting the inspection/assessment obtains and examines the documented process and inspects the physical access controls surrounding a sampling of output devices to ensure the organization being inspected/assessed controls physical access to output from output devices defined in PE-5 (1), CCI 2933. |
The organization being inspected/assessed documents and implements a process to control physical access to output from output devices defined in PE-5 (1), CCI 2933. |
Access Control For Output Devices | Access To Output By Authorized Individuals |
PE-5 (1) |
PE-5(1).1 |
Controlling physical access to selected output devices includes, for example, placing printers, copiers, and facsimile machines in controlled areas with keypad access controls or limiting access to individuals with certain types of badges. |
The organization:
(a) Controls physical access to output from [Assignment: organization-defined output devices]; and
(b) Ensures that only authorized individuals receive output from the device. |
| CCI-002933 |
The organization defines output devices for which physical access to output is controlled. |
The organization conducting the inspection/assessment obtains and examines the documented output devices to ensure the organization being inspected/assessed defines output devices for which physical access to output is controlled.
DoD has determined the output devices are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents output devices for which physical access to output is controlled.
DoD has determined the output devices are not appropriate to define at the Enterprise level. |
Access Control For Output Devices | Access To Output By Authorized Individuals |
PE-5 (1) |
PE-5(1).2 |
Controlling physical access to selected output devices includes, for example, placing printers, copiers, and facsimile machines in controlled areas with keypad access controls or limiting access to individuals with certain types of badges. |
The organization:
(a) Controls physical access to output from [Assignment: organization-defined output devices]; and
(b) Ensures that only authorized individuals receive output from the device. |
| CCI-002934 |
The organization ensures that only authorized individuals receive output from organization-defined output devices. |
The organization conducting the inspection/assessment obtains and examines the documented process and inspects the physical access controls surrounding a sampling of output devices to ensure the organization being inspected/assessed ensures that only authorized individuals receive output from the output device defined in PE-5 (1), CCI 2933. |
The organization being inspected/assessed documents and implements a process to ensure that only authorized individuals receive output from the output device defined in PE-5 (1), CCI 2933. |
Access Control For Output Devices | Access To Output By Authorized Individuals |
PE-5 (1) |
PE-5(1).3 |
Controlling physical access to selected output devices includes, for example, placing printers, copiers, and facsimile machines in controlled areas with keypad access controls or limiting access to individuals with certain types of badges. |
The organization:
(a) Controls physical access to output from [Assignment: organization-defined output devices]; and
(b) Ensures that only authorized individuals receive output from the device. |
| CCI-002935 |
The information system controls physical access to output from organization-defined output devices. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to control physical access to output from output devices defined in PE-5 (1), CCI 2933.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2935. |
The organization being inspected/assessed configures the information system to control physical access to output from output devices defined in PE-5 (1), CCI 2933.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2935. |
Access Control For Output Devices | Access To Output By Individual Identity |
PE-5 (2) |
PE-5(2).1 |
Controlling physical access to selected output devices includes, for example, installing security functionality on printers, copiers, and facsimile machines that allows organizations to implement authentication (e.g., using a PIN or hardware token) on output devices prior to the release of output to individuals. |
The information system:
(a) Controls physical access to output from [Assignment: organization-defined output devices]; and
(b) Links individual identity to receipt of the output from the device. |
| CCI-002936 |
The information system links individual identity to receipt of output from organization-defined output devices. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to link individual identity to receipt of the output from the output device defined in PE-5 (1), CCI 2933.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2936. |
The organization being inspected/assessed configures the information system to link individual identity to receipt of the output from the output device defined in PE-5 (1), CCI 2933.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2936. |
Access Control For Output Devices | Access To Output By Individual Identity |
PE-5 (2) |
PE-5(2).2 |
Controlling physical access to selected output devices includes, for example, installing security functionality on printers, copiers, and facsimile machines that allows organizations to implement authentication (e.g., using a PIN or hardware token) on output devices prior to the release of output to individuals. |
The information system:
(a) Controls physical access to output from [Assignment: organization-defined output devices]; and
(b) Links individual identity to receipt of the output from the device. |
| CCI-002937 |
The organization marks organization-defined information system output devices indicating the appropriate security marking of the information permitted to be output from the device. |
The organization conducting the inspection/assessment inspects a sampling of information system components to ensure the organization being inspected/assessed marks all devices if the organizational facility contains classified information indicating the appropriate security marking of the information permitted to be output from the device.
DoD has defined the information system output devices as all devices if the organizational facility contains classified information. |
The organization being inspected/assessed marks all devices if the organizational facility contains classified information indicating the appropriate security marking of the information permitted to be output from the device.
DoD has defined the information system output devices as all devices if the organizational facility contains classified information. |
Access Control For Output Devices | Marking Output Devices |
PE-5 (3) |
PE-5(3).1 |
Outputs devices include, for example, printers, monitors, facsimile machines, scanners, copiers, and audio devices. This control enhancement is generally applicable to information system output devices other than mobiles devices. |
The organization marks [Assignment: organization-defined information system output devices] indicating the appropriate security marking of the information permitted to be output from the device. |
| CCI-002938 |
The organization defines the information system output devices marked indicating the appropriate security marking of the information permitted to be output from the device. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the information system output devices as all devices if the organizational facility contains classified information. |
DoD has defined the information system output devices as all devices if the organizational facility contains classified information. |
Access Control For Output Devices | Marking Output Devices |
PE-5 (3) |
PE-5(3).2 |
Outputs devices include, for example, printers, monitors, facsimile machines, scanners, copiers, and audio devices. This control enhancement is generally applicable to information system output devices other than mobiles devices. |
The organization marks [Assignment: organization-defined information system output devices] indicating the appropriate security marking of the information permitted to be output from the device. |
| CCI-002939 |
The organization monitors physical access to the facility where the information system resides to detect and respond to physical security incidents. |
The organization conducting the inspection/assessment obtains and examines the inspected organization's monitoring procedures addressing physical access monitoring. Organizational personnel with physical access monitoring responsibilities are to be interviewed. The objective of the reviews and interviews is to validate the organization is actively monitoring its physical access intrusion alarms and surveillance equipment to detect and respond to all physical access security incidents. |
The organization being inspected/assessed will implement monitoring procedures to ensure physical access intrusion alarms and surveillance equipment are actively monitored to detect and respond to all physical access security incidents. |
Monitoring Physical Access |
PE-6 |
PE-6.1 |
Organizational incident response capabilities include investigations of and responses to detected physical security incidents. Security incidents include, for example, apparent security violations or suspicious physical access activities. Suspicious physical access activities include, for example: (i) accesses outside of normal work hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for unusual lengths of time; and (iv) out-of-sequence accesses. Related controls: CA-7, IR-4, IR-8. |
The organization:
a. Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;
b. Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and
c. Coordinates results of reviews and investigations with the organizational incident response capability. |
| CCI-002940 |
The organization reviews physical access logs upon occurrence of organization-defined events or potential indications of events. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the records of reviews to ensure the organization being inspected/assessed reviews physical access logs upon occurrence of events or potential indications of events defined in PE-6, CCI 2941. |
The organization being inspected/assessed documents and implements a process to review physical access logs upon occurrence of events or potential indications of events defined in PE-6, CCI 2941.
The organization must maintain records of reviews. |
Monitoring Physical Access |
PE-6 |
PE-6.2 |
Organizational incident response capabilities include investigations of and responses to detected physical security incidents. Security incidents include, for example, apparent security violations or suspicious physical access activities. Suspicious physical access activities include, for example: (i) accesses outside of normal work hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for unusual lengths of time; and (iv) out-of-sequence accesses. Related controls: CA-7, IR-4, IR-8. |
The organization:
a. Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;
b. Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and
c. Coordinates results of reviews and investigations with the organizational incident response capability. |
| CCI-002941 |
The organization defines events or potential indications of events requiring review of physical access logs. |
The organization conducting the inspection/assessment obtains and examines the documented events or potential indications of events to ensure the organization being inspected/assessed defines events or potential indications of events requiring review of physical access logs.
DoD has determined the events or potential indications of events are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents events or potential indications of events requiring review of physical access logs.
DoD has determined the events or potential indications of events are not appropriate to define at the Enterprise level. |
Monitoring Physical Access |
PE-6 |
PE-6.3 |
Organizational incident response capabilities include investigations of and responses to detected physical security incidents. Security incidents include, for example, apparent security violations or suspicious physical access activities. Suspicious physical access activities include, for example: (i) accesses outside of normal work hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for unusual lengths of time; and (iv) out-of-sequence accesses. Related controls: CA-7, IR-4, IR-8. |
The organization:
a. Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;
b. Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and
c. Coordinates results of reviews and investigations with the organizational incident response capability. |
| CCI-002942 |
The organization employs automated mechanisms to recognize organization-defined classes/types of intrusions. |
The organization conducting the inspection/assessment obtains and examines hardware/software lists and/or any other documentation showing the use of automated intrusion detection systems to ensure the organization being inspected/assessed implements automated mechanisms to recognize classes/types of intrusions defined in PE-6 (2), CCI 2943. |
The organization being inspected/assessed implements automated mechanisms to recognize classes/types of intrusions defined in PE-6 (2), CCI 2943. |
Monitoring Physical Access | Automated Intrusion Recognition / Responses |
PE-6 (2) |
PE-6(2).1 |
Related control: SI-4. |
The organization employs automated mechanisms to recognize [Assignment: organization-defined classes/types of intrusions] and initiate [Assignment: organization-defined response actions]. |
| CCI-002943 |
The organization defines classes/types of intrusions to recognize using automated mechanisms. |
The organization conducting the inspection/assessment obtains and examines the documented classes/types of intrusion to ensure the organization being inspected/assessed defines classes/types of intrusions to recognize using automated mechanisms.
DoD has determined the classes/types of intrusions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents classes/types of intrusions to recognize using automated mechanisms.
DoD has determined the classes/types of intrusions are not appropriate to define at the Enterprise level. |
Monitoring Physical Access | Automated Intrusion Recognition / Responses |
PE-6 (2) |
PE-6(2).2 |
Related control: SI-4. |
The organization employs automated mechanisms to recognize [Assignment: organization-defined classes/types of intrusions] and initiate [Assignment: organization-defined response actions]. |
| CCI-002944 |
The organization employs automated mechanisms to initiate organization-defined response actions to organization-defined classes/types of intrusions. |
The organization conducting the inspection/assessment obtains and examines hardware/software lists and/or any other documentation showing the use of automated intrusion detection systems to ensure the organization being inspected/assessed implements automated mechanisms to initiate response actions defined in PE-6 (2), CCI 2945 to classes/types of intrusions defined in PE-6 (2), CCI 2943. |
The organization being inspected/assessed implements automated mechanisms to initiate response actions defined in PE-6 (2), CCI 2945 to classes/types of intrusions defined in PE-6 (2), CCI 2943. |
Monitoring Physical Access | Automated Intrusion Recognition / Responses |
PE-6 (2) |
PE-6(2).3 |
Related control: SI-4. |
The organization employs automated mechanisms to recognize [Assignment: organization-defined classes/types of intrusions] and initiate [Assignment: organization-defined response actions]. |
| CCI-002945 |
The organization defines response actions to initiate when organization-defined classes/types of intrusions are recognized. |
The organization conducting the inspection/assessment obtains and examines the documented response actions to ensure the organization being inspected/assessed defines response actions to initiate when organization-defined classes/types of intrusions are recognized.
DoD has determined the response actions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents response actions to initiate when organization-defined classes/types of intrusions are recognized.
DoD has determined the response actions are not appropriate to define at the Enterprise level. |
Monitoring Physical Access | Automated Intrusion Recognition / Responses |
PE-6 (2) |
PE-6(2).4 |
Related control: SI-4. |
The organization employs automated mechanisms to recognize [Assignment: organization-defined classes/types of intrusions] and initiate [Assignment: organization-defined response actions]. |
| CCI-002946 |
The organization employs video surveillance of organization-defined operational areas. |
The organization conducting the inspection/assessment obtains and examines the documentation of video surveillance a sampling of recorded video surveillance to ensure the organization being inspected/assessed employs video surveillance of operational areas defined in PE-6 (3), CCI 2947. |
The organization being inspected/assessed documents and implements video surveillance of operational areas defined in PE-6 (3), CCI 2947. |
Monitoring Physical Access | Video Surveillance |
PE-6 (3) |
PE-6(3).1 |
This control enhancement focuses on recording surveillance video for purposes of subsequent review, if circumstances so warrant (e.g., a break-in detected by other means). It does not require monitoring surveillance video although organizations may choose to do so. Note that there may be legal considerations when performing and retaining video surveillance, especially if such surveillance is in a public location. |
The organization employs video surveillance of [Assignment: organization-defined operational areas] and retains video recordings for [Assignment: organization-defined time period]. |
| CCI-002947 |
The organization defines the operational areas in which to employ video surveillance. |
The organization conducting the inspection/assessment obtains and examines the documented operational areas to ensure the organization being inspected/assessed defines the operational areas to employ video surveillance.
DoD has determined the operational areas are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the operational areas to employ video surveillance.
DoD has determined the operational areas are not appropriate to define at the Enterprise level. |
Monitoring Physical Access | Video Surveillance |
PE-6 (3) |
PE-6(3).2 |
This control enhancement focuses on recording surveillance video for purposes of subsequent review, if circumstances so warrant (e.g., a break-in detected by other means). It does not require monitoring surveillance video although organizations may choose to do so. Note that there may be legal considerations when performing and retaining video surveillance, especially if such surveillance is in a public location. |
The organization employs video surveillance of [Assignment: organization-defined operational areas] and retains video recordings for [Assignment: organization-defined time period]. |
| CCI-002948 |
The organization retains video surveillance recordings for an organization-defined time period. |
The organization conducting the inspection/assessment obtains and examines the documented process and a sampling of recordings from within 90 days to ensure the organization being inspected/assessed retains video surveillance recordings for at a minimum 90 days.
DoD has defined the time period as at a minimum 90 days. |
The organization being inspected/assessed documents and implements a process to retain video surveillance recordings for at a minimum 90 days.
DoD has defined the time period as at a minimum 90 days. |
Monitoring Physical Access | Video Surveillance |
PE-6 (3) |
PE-6(3).3 |
This control enhancement focuses on recording surveillance video for purposes of subsequent review, if circumstances so warrant (e.g., a break-in detected by other means). It does not require monitoring surveillance video although organizations may choose to do so. Note that there may be legal considerations when performing and retaining video surveillance, especially if such surveillance is in a public location. |
The organization employs video surveillance of [Assignment: organization-defined operational areas] and retains video recordings for [Assignment: organization-defined time period]. |
| CCI-002949 |
The organization defines the time period to retain video surveillance recordings. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as at a minimum 90 days. |
DoD has defined the time period as at a minimum 90 days. |
Monitoring Physical Access | Video Surveillance |
PE-6 (3) |
PE-6(3).4 |
This control enhancement focuses on recording surveillance video for purposes of subsequent review, if circumstances so warrant (e.g., a break-in detected by other means). It does not require monitoring surveillance video although organizations may choose to do so. Note that there may be legal considerations when performing and retaining video surveillance, especially if such surveillance is in a public location. |
The organization employs video surveillance of [Assignment: organization-defined operational areas] and retains video recordings for [Assignment: organization-defined time period]. |
| CCI-002950 |
The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as organization-defined physical spaces containing one or more components of the information system. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the records of monitoring to ensure the organization being inspected/assessed monitors physical access to the information system in addition to the physical access monitoring of the facility as physical spaces containing one or more components of the information system defined in PE-6 (4), CCI 2951. |
The organization being inspected/assessed documents and implements a process to monitor physical access to the information system in addition to the physical access monitoring of the facility as physical spaces containing one or more components of the information system defined in PE-6 (4), CCI 2951.
The organization must maintain records of monitoring. |
Monitoring Physical Access | Monitoring Physical Access To Information Systems |
PE-6 (4) |
PE-6(4).1 |
This control enhancement provides additional monitoring for those areas within facilities where there is a concentration of information system components (e.g., server rooms, media storage areas, communications centers). Related controls: PS-2, PS-3. |
The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as [Assignment: organization-defined physical spaces containing one or more components of the information system]. |
| CCI-002951 |
The organization defines physical spaces containing one or more components of the information system in which physical access is monitored. |
The organization conducting the inspection/assessment obtains and examines the documented physical spaces to ensure the organization being inspected/assessed defines physical spaces containing one or more components of the information system in which physical access is monitored.
DoD has determined the physical spaces are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents physical spaces containing one or more components of the information system in which physical access is monitored.
DoD has determined the physical spaces are not appropriate to define at the Enterprise level. |
Monitoring Physical Access | Monitoring Physical Access To Information Systems |
PE-6 (4) |
PE-6(4).2 |
This control enhancement provides additional monitoring for those areas within facilities where there is a concentration of information system components (e.g., server rooms, media storage areas, communications centers). Related controls: PS-2, PS-3. |
The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as [Assignment: organization-defined physical spaces containing one or more components of the information system]. |
| CCI-002952 |
The organization defines the time period to maintain visitor access records to the facility where the information system resides. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as at least one year. |
DoD has defined the time period as at least one year. |
Visitor Access Records |
PE-8 |
PE-8.2 |
Visitor access records include, for example, names and organizations of persons visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purposes of visits, and names and organizations of persons visited. Visitor access records are not required for publicly accessible areas. |
The organization:
a. Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and
b. Reviews visitor access records [Assignment: organization-defined frequency]. |
| CCI-002953 |
The organization employs redundant power cabling paths that are physically separated by an organization-defined distance. |
The organization conducting the inspection/assessment obtains and examines cabling diagrams or, if unavailable, inspects power cabling configuration to ensure the organization being inspected/assessed employs redundant power cabling paths that are physically separated by the distance defined in PE-9 (1), CCI 2954. |
The organization being inspected/assessed employs redundant power cabling paths that are physically separated by the distance defined in PE-9 (1), CCI 2954. |
Power Equipment And Cabling | Redundant Cabling |
PE-9 (1) |
PE-9(1).1 |
Physically separate, redundant power cables help to ensure that power continues to flow in the event one of the cables is cut or otherwise damaged. |
The organization employs redundant power cabling paths that are physically separated by [Assignment: organization-defined distance]. |
| CCI-002954 |
The organization defines the distance by which to physically separate redundant power cabling paths. |
The organization conducting the inspection/assessment obtains and examines the documented distance to ensure the organization being inspected/assessed defines the distance to physically separate redundant power cabling paths.
DoD has determined the distance is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the distance to physically separate redundant power cabling paths.
DoD has determined the distance is not appropriate to define at the Enterprise level. |
Power Equipment And Cabling | Redundant Cabling |
PE-9 (1) |
PE-9(1).2 |
Physically separate, redundant power cables help to ensure that power continues to flow in the event one of the cables is cut or otherwise damaged. |
The organization employs redundant power cabling paths that are physically separated by [Assignment: organization-defined distance]. |
| CCI-002955 |
The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system and/or transition of the information system to long-term alternate power in the event of a primary power source loss. |
The organization conducting the inspection/assessment obtains and examines documentation identifying the capacity of the implemented uninterruptible power supply, documentation identifying the power requirements of the system, and documentation identifying the contingency plan in the event of primary power source loss to ensure the organization being inspected/assessed provides uninterruptible power supply with sufficient capacity to support orderly shutdown of the system or transition the system to long-term alternate power in the event of a primary power source loss. |
The organization being inspected/assessed implements an uninterruptible power supply with sufficient capacity to support orderly shutdown of the system or transition the system to long-term alternate power in the event of a primary power source loss. |
Emergency Power |
PE-11 |
PE-11.1 |
Related controls: AT-3, CP-2, CP-7. |
The organization provides a short-term uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the information system; transition of the information system to long-term alternate power] in the event of a primary power source loss. |
| CCI-002956 |
The organization provides a long-term alternate power supply for the information system that is self-contained. |
The organization conducting the inspection/assessment obtains and examines documentation identifying the implemented alternate power supply to ensure the organization being inspected/assessed implements a long-term alternate power supply for the information system that is self-contained. |
The organization being inspected/assessed implements a long-term alternate power supply for the information system that is self-contained. |
Emergency Power | Long-Term Alternate Power Supply - Self-Contained |
PE-11 (2) |
PE-11(2).1 |
This control enhancement can be satisfied, for example, by the use of one or more generators with sufficient capacity to meet the needs of the organization. Long-term alternate power supplies for organizational information systems are either manually or automatically activated. |
The organization provides a long-term alternate power supply for the information system that is:
(a) Self-contained;
(b) Not reliant on external power generation; and
(c) Capable of maintaining [Selection: minimally required operational capability; full operational capability] in the event of an extended loss of the primary power source. |
| CCI-002957 |
The organization provides a long-term alternate power supply for the information system that is not reliant on external power generation. |
The organization conducting the inspection/assessment obtains and examines documentation identifying the implemented alternate power supply to ensure the organization being inspected/assessed implements a long-term alternate power supply for the information system that is not reliant on external power generation. |
The organization being inspected/assessed implements a long-term alternate power supply for the information system that is not reliant on external power generation. |
Emergency Power | Long-Term Alternate Power Supply - Self-Contained |
PE-11 (2) |
PE-11(2).2 |
This control enhancement can be satisfied, for example, by the use of one or more generators with sufficient capacity to meet the needs of the organization. Long-term alternate power supplies for organizational information systems are either manually or automatically activated. |
The organization provides a long-term alternate power supply for the information system that is:
(a) Self-contained;
(b) Not reliant on external power generation; and
(c) Capable of maintaining [Selection: minimally required operational capability; full operational capability] in the event of an extended loss of the primary power source. |
| CCI-002958 |
The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability or full operational capability in the event of an extended loss of the primary power source. |
The organization conducting the inspection/assessment obtains and examines documentation identifying the implemented alternate power supply to ensure the organization being inspected/assessed implements a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability or full operational capability in the event of an extended loss of the primary power source. |
The organization being inspected/assessed implements a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability or full operational capability in the event of an extended loss of the primary power source. |
Emergency Power | Long-Term Alternate Power Supply - Self-Contained |
PE-11 (2) |
PE-11(2).3 |
This control enhancement can be satisfied, for example, by the use of one or more generators with sufficient capacity to meet the needs of the organization. Long-term alternate power supplies for organizational information systems are either manually or automatically activated. |
The organization provides a long-term alternate power supply for the information system that is:
(a) Self-contained;
(b) Not reliant on external power generation; and
(c) Capable of maintaining [Selection: minimally required operational capability; full operational capability] in the event of an extended loss of the primary power source. |
| CCI-002959 |
The organization provides emergency lighting for all areas within the facility supporting essential missions. |
The organization conducting the inspection/assessment inspects areas within the facility supporting essential missions to ensure emergency lighting is implemented. |
The organization being inspected/assessed implements emergency lighting for all areas within the facility supporting essential missions. |
Emergency Lighting | Essential Missions / Business Functions |
PE-12 (1) |
PE-12(1).1 |
|
The organization provides emergency lighting for all areas within the facility supporting essential missions and business functions. |
| CCI-002960 |
The organization provides emergency lighting for all areas within the facility supporting essential business functions. |
The organization conducting the inspection/assessment inspects areas within the facility supporting essential business functions to ensure emergency lighting is implemented. |
The organization being inspected/assessed implements emergency lighting for all areas within the facility supporting essential business functions. |
Emergency Lighting | Essential Missions / Business Functions |
PE-12 (1) |
PE-12(1).2 |
|
The organization provides emergency lighting for all areas within the facility supporting essential missions and business functions. |
| CCI-002961 |
The organization employs fire detection devices/systems for the information system that activate automatically. |
The organization conducting the inspection/assessment obtains and examines the documented evidence of fire detection devices/systems to ensure the organization being inspected/assessed employs fire detection devices/systems for the information system that activate automatically. |
The organization being inspected/assessed documents and implements fire detection devices/systems for the information system that activate automatically. |
Fire Protection | Detection Devices / Systems |
PE-13 (1) |
PE-13(1).1 |
Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information. |
The organization employs fire detection devices/systems for the information system that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire. |
| CCI-002962 |
The organization employs fire detection devices/systems for the information system that automatically activate to notify organization-defined personnel or roles and organization-defined emergency responders in the event of a fire. |
The organization conducting the inspection/assessment obtains and examines the documented evidence of fire detection devices/systems to ensure the organization being inspected/assessed employs fire detection devices/systems for the information system that automatically activate to notify personnel or roles defined in PE-13 (1), CCI 2963 and emergency responders defined in PE-13 (1), CCI 2964 in the event of a fire. |
The organization being inspected/assessed documents and implements fire detection devices/systems for the information system that automatically activate to notify personnel or roles defined in PE-13 (1), CCI 2963 and emergency responders defined in PE-13 (1), CCI 2964 in the event of a fire. |
Fire Protection | Detection Devices / Systems |
PE-13 (1) |
PE-13(1).2 |
Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information. |
The organization employs fire detection devices/systems for the information system that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire. |
| CCI-002963 |
The organization defines the personnel or roles to be notified in the event of a fire. |
The organization conducting the inspection/assessment obtains and examines the documented personnel or roles to ensure the organization being inspected/assessed defines the personnel or roles to be notified in the event of a fire.
DoD has determined the personnel or roles are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the personnel or roles to be notified in the event of a fire.
DoD has determined the personnel or roles are not appropriate to define at the Enterprise level. |
Fire Protection | Detection Devices / Systems |
PE-13 (1) |
PE-13(1).3 |
Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information. |
The organization employs fire detection devices/systems for the information system that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire. |
| CCI-002964 |
The organization defines the emergency responders to be notified in the event of a fire. |
The organization conducting the inspection/assessment obtains and examines the documented emergency responders to ensure the organization being inspected/assessed defines the emergency responders to be notified in the event of a fire.
DoD has determined the emergency responders are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the emergency responders to be notified in the event of a fire.
DoD has determined the emergency responders are not appropriate to define at the Enterprise level. |
Fire Protection | Detection Devices / Systems |
PE-13 (1) |
PE-13(1).4 |
Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information. |
The organization employs fire detection devices/systems for the information system that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire. |
| CCI-002965 |
The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to organization-defined personnel or roles and organization-defined emergency responders. |
The organization conducting the inspection/assessment obtains and examines the documented evidence of fire detection devices/systems to ensure the organization being inspected/assessed employs fire suppression devices/systems for the information system that provide automatic notification of any activation to organization-defined personnel or roles and organization defined emergency responders. |
The organization being inspected/assessed documents and implements fire suppression devices/systems for the information system that provide automatic notification of any activation to organization-defined personnel or roles and organization defined emergency responders. |
Fire Protection | Automatic Fire Suppression/ Systems |
PE-13 (2) |
PE-13(2).1 |
Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information. |
The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders]. |
| CCI-002966 |
The organization defines the personnel or roles to be automatically notified of any activation of fire suppression devices/systems for the information system. |
The organization conducting the inspection/assessment obtains and examines the documented personnel or roles to ensure the organization being inspected/assessed defines the personnel or roles to be automatically notified of any activation of fire suppression devices/systems for the information system.
DoD has determined the personnel or roles are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the personnel or roles to be automatically notified of any activation of fire suppression devices/systems for the information system.
DoD has determined the personnel or roles are not appropriate to define at the Enterprise level. |
Fire Protection | Automatic Fire Suppression/ Systems |
PE-13 (2) |
PE-13(2).2 |
Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information. |
The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders]. |
| CCI-002967 |
The organization defines the emergency responders to be automatically notified of any activation of fire suppression devices/systems for the information system. |
The organization conducting the inspection/assessment obtains and examines the documented emergency responders to ensure the organization being inspected/assessed defines the emergency responders to be automatically notified of any activation of fire suppression devices/systems for the information system.
DoD has determined the emergency responders are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the emergency responders to be automatically notified of any activation of fire suppression devices/systems for the information system.
DoD has determined the emergency responders are not appropriate to define at the Enterprise level. |
Fire Protection | Automatic Fire Suppression/ Systems |
PE-13 (2) |
PE-13(2).3 |
Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information. |
The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders]. |
| CCI-002968 |
The organization ensures that the facility undergoes, on an organization-defined frequency, fire protection inspections by authorized and qualified inspectors. |
The organization conducting the inspection/assessment obtains and examines the record of inspections to ensure the organization being inspected/assessed implements a process to undergo fire protection inspections by authorized and qualified inspectors annually.
DoD has defined the frequency as annually. |
The organization being inspected/assessed implements a process to undergo fire protection inspections by authorized and qualified inspectors annually.
The organization must maintain a record of inspections.
DoD has defined the frequency as annually. |
Fire Protection | Inspections |
PE-13 (4) |
PE-13(4).1 |
|
The organization ensures that the facility undergoes [Assignment: organization-defined frequency] inspections by authorized and qualified inspectors and resolves identified deficiencies within [Assignment: organization-defined time period]. |
| CCI-002969 |
The organization defines a frequency with which the facility undergoes fire protection inspections. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as annually. |
DoD has defined the frequency as annually. |
Fire Protection | Inspections |
PE-13 (4) |
PE-13(4).2 |
|
The organization ensures that the facility undergoes [Assignment: organization-defined frequency] inspections by authorized and qualified inspectors and resolves identified deficiencies within [Assignment: organization-defined time period]. |
| CCI-002970 |
The organization resolves deficiencies identified during facility fire protection inspections within an organization-defined time period. |
The organization conducting the inspection/assessment obtains and examines past facility fire protection inspection reports and inspects the facility to ensure all deficiencies identified are resolved in 60 days.
DoD has defined the time period as 60 days. |
The organization being inspected/assessed resolves deficiencies identified during facility fire protection inspections within 60 days.
DoD has defined the time period as 60 days. |
Fire Protection | Inspections |
PE-13 (4) |
PE-13(4).3 |
|
The organization ensures that the facility undergoes [Assignment: organization-defined frequency] inspections by authorized and qualified inspectors and resolves identified deficiencies within [Assignment: organization-defined time period]. |
| CCI-002971 |
The organization defines the time period within which to resolve deficiencies identified during facility fire protection inspections. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as 60 days. |
DoD has defined the time period as 60 days. |
Fire Protection | Inspections |
PE-13 (4) |
PE-13(4).4 |
|
The organization ensures that the facility undergoes [Assignment: organization-defined frequency] inspections by authorized and qualified inspectors and resolves identified deficiencies within [Assignment: organization-defined time period]. |
| CCI-002972 |
The organization employs automated mechanisms to detect the presence of water in the vicinity of the information system and alerts organization-defined personnel or roles. |
The organization conducting the inspection/assessment obtains and examines documentation identifying water detection mechanisms to ensure the organization being inspected/assessed implements automated mechanisms to detect the presence of water in the vicinity of the information system and alerts personnel or roles defined in PE-15 (1), CCI 2973. |
The organization being inspected/assessed documents and implements automated mechanisms to detect the presence of water in the vicinity of the information system and alerts personnel or roles defined in PE-15 (1), CCI 2973. |
Water Damage Protection | Automation Support |
PE-15 (1) |
PE-15(1).1 |
Automated mechanisms can include, for example, water detection sensors, alarms, and notification systems. |
The organization employs automated mechanisms to detect the presence of water in the vicinity of the information system and alerts [Assignment: organization-defined personnel or roles]. |
| CCI-002973 |
The organization defines the personnel or roles to be alerted when automated mechanisms detect the presence of water in the vicinity of the information system. |
The organization conducting the inspection/assessment obtains and examines the documented personnel or roles to ensure the organization being inspected/assessed defines the personnel or roles to be alerted when automated mechanisms detect the presence of water in the vicinity of the information system.
DoD has determined the personnel or roles are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the personnel or roles to be alerted when automated mechanisms detect the presence of water in the vicinity of the information system.
DoD has determined the personnel or roles are not appropriate to define at the Enterprise level. |
Water Damage Protection | Automation Support |
PE-15 (1) |
PE-15(1).2 |
Automated mechanisms can include, for example, water detection sensors, alarms, and notification systems. |
The organization employs automated mechanisms to detect the presence of water in the vicinity of the information system and alerts [Assignment: organization-defined personnel or roles]. |
| CCI-002974 |
The organization defines types of information system components to authorize, monitor, and control entering and exiting the facility and to maintain records. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the types of information system components as all system components. |
DoD has defined the types of information system components as all system components. |
Delivery And Removal |
PE-16 |
PE-16.5 |
Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries. Related controls: CM-3, MA-2, MA-3, MP-5, SA-12. |
The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items. |
| CCI-002975 |
The organization defines security controls to employ at alternate work sites. |
The organization conducting the inspection/assessment obtains and examines the documented security controls to ensure the organization being inspected/assessed defines security controls to employ at alternate work sites, which must include all applicable building and safety codes for the information system's environment.
DoD has determined the security controls are not appropriate to define at the Enterprise level, but must include all applicable building and safety codes for the information system's environment. |
The organization being inspected/assessed defines and documents security controls to employ at alternate work sites, which must include all applicable building and safety codes for the information system's environment
DoD has determined the security controls are not appropriate to define at the Enterprise level, but must include all applicable building and safety codes for the information system's environment. |
Alternate Work Site |
PE-17 |
PE-17.2 |
Alternate work sites may include, for example, government facilities or private residences of employees. While commonly distinct from alternative processing sites, alternate work sites may provide readily available alternate locations as part of contingency operations. Organizations may define different sets of security controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations and the federal telework initiative. Related controls: AC-17, CP-7. |
The organization:
a. Employs [Assignment: organization-defined security controls] at alternate work sites;
b. Assesses as feasible, the effectiveness of security controls at alternate work sites; and
c. Provides a means for employees to communicate with information security personnel in case of security incidents or problems. |
| CCI-002976 |
The organization defines physical and environmental hazards that could cause potential damage to information system components within the facility. |
The organization conducting the inspection/assessment obtains and examines the documented physical and environmental hazards to ensure the organization being inspected/assessed defines physical and environmental hazards that could cause potential damage to information system components within the facility.
DoD has determined the physical and environmental hazards are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents physical and environmental hazards that could cause potential damage to information system components within the facility.
DoD has determined the physical and environmental hazards are not appropriate to define at the Enterprise level. |
Location Of Information System Components |
PE-18 |
PE-18.3 |
Physical and environmental hazards include, for example, flooding, fire, tornados, earthquakes, hurricanes, acts of terrorism, vandalism, electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. In addition, organizations consider the location of physical entry points where unauthorized individuals, while not being granted access, might nonetheless be in close proximity to information systems and therefore increase the potential for unauthorized access to organizational communications (e.g., through the use of wireless sniffers or microphones). Related controls: CP-2, PE-19, RA-3. |
The organization positions information system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access. |
| CCI-002977 |
The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards. |
The organization conducting the inspection/assessment obtains and examines the documented rationale to ensure the organization being inspected/assessed plans the location or site of the facility where the information system resides with regard to physical and environmental hazards. |
The organization being inspected/assessed plans the location or site of the facility where the information system resides with regard to physical and environmental hazards.
The organization must document the rationale for planning the location or site of the facility. |
Location Of Information System Components | Facility Site |
PE-18 (1) |
PE-18(1).1 |
Related control: PM-8. |
The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards and for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy. |
| CCI-002978 |
The organization considers the physical and environmental hazards in its risk mitigation strategy for existing facilities. |
The organization conducting the inspection/assessment obtains and examines the physical and environmental risk assessment to ensure the organization being inspected/assessed considers the physical and environmental hazards in its risk mitigation strategy for existing facilities. |
The organization being inspected/assessed considers the physical and environmental hazards in its risk mitigation strategy for existing facilities.
The organization must document the risk assessment. |
Location Of Information System Components | Facility Site |
PE-18 (1) |
PE-18(1).2 |
Related control: PM-8. |
The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards and for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy. |
| CCI-003047 |
The organization defines the personnel or roles to whom a security planning policy is disseminated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the roles as all personnel organizational personnel with planning responsibilities or information security responsibilities. |
DoD has defined the roles as all organizational personnel with planning responsibilities or information security responsibilities. |
Security Planning Policy And Procedures |
PL-1 |
PL-1.1 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and
b. Reviews and updates the current:
1. Security planning policy [Assignment: organization-defined frequency]; and
2. Security planning procedures [Assignment: organization-defined frequency]. |
| CCI-003048 |
The organization defines the personnel or roles to whom the security planning procedures are disseminated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the roles as all organizational personnel with planning responsibilities or information security responsibilities. |
DoD has defined the roles as all organizational personnel with planning responsibilities or information security responsibilities. |
Security Planning Policy And Procedures |
PL-1 |
PL-1.2 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and
b. Reviews and updates the current:
1. Security planning policy [Assignment: organization-defined frequency]; and
2. Security planning procedures [Assignment: organization-defined frequency]. |
| CCI-003049 |
The organization develops a security plan for the information system. |
The organization conducting the inspection/assessment obtains and examines the documented security plan to ensure the organization being inspected/assessed develops a security plan for the information system. |
The organization being inspected/assessed develops and documents a security plan for the information system. |
System Security Plan |
PL-2 |
PL-2.1 |
Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays.
Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. Related controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CP-2, IR-8, MA-4, MA-5, MP-2, MP-4, MP-5, PL-7, PM-1, PM-7, PM-8, PM-9, PM-11, SA-5, SA-17. |
The organization:
a. Develops a security plan for the information system that:
1. Is consistent with the organization's enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and business processes;
4. Provides the security categorization of the information system including supporting rationale;
5. Describes the operational environment for the information system and relationships with or connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable
8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
c. Reviews the security plan for the information system [Assignment: organization-defined frequency];
d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
e. Protects the security plan from unauthorized disclosure and modification. |
| CCI-003050 |
The organization^s security plan for the information system is consistent with the organization^s enterprise architecture. |
The organization conducting the inspection/assessment obtains and examines the security plan and the enterprise architecture to ensure the organization's security plan for the information system is consistent with the organization's enterprise architecture. |
The organization being inspected/assessed defines a security plan for the information system which is consistent with the organization's enterprise architecture. |
System Security Plan |
PL-2 |
PL-2.2 |
Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays.
Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. Related controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CP-2, IR-8, MA-4, MA-5, MP-2, MP-4, MP-5, PL-7, PM-1, PM-7, PM-8, PM-9, PM-11, SA-5, SA-17. |
The organization:
a. Develops a security plan for the information system that:
1. Is consistent with the organization's enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and business processes;
4. Provides the security categorization of the information system including supporting rationale;
5. Describes the operational environment for the information system and relationships with or connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable
8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
c. Reviews the security plan for the information system [Assignment: organization-defined frequency];
d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
e. Protects the security plan from unauthorized disclosure and modification. |
| CCI-003051 |
The organization^s security plan for the information system explicitly defines the authorization boundary for the system. |
The organization conducting the inspection/assessment obtains and examines the security plan to ensure the organization being inspected/assessed explicitly defines within the security plan the authorization boundary for the system. |
The organization being inspected/assessed explicitly defines within the security plan the authorization boundary for the system. |
System Security Plan |
PL-2 |
PL-2.3 |
Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays.
Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. Related controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CP-2, IR-8, MA-4, MA-5, MP-2, MP-4, MP-5, PL-7, PM-1, PM-7, PM-8, PM-9, PM-11, SA-5, SA-17. |
The organization:
a. Develops a security plan for the information system that:
1. Is consistent with the organization's enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and business processes;
4. Provides the security categorization of the information system including supporting rationale;
5. Describes the operational environment for the information system and relationships with or connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable
8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
c. Reviews the security plan for the information system [Assignment: organization-defined frequency];
d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
e. Protects the security plan from unauthorized disclosure and modification. |
| CCI-003052 |
The organization^s security plan for the information system describes the operational context of the information system in terms of missions and business processes. |
The organization conducting the inspection/assessment obtains and examines the security plan to ensure the organization being inspected/assessed describes within the security plan the operational context of the information system in terms of missions and business processes. |
The organization being inspected/assessed describes within the security plan the operational context of the information system in terms of missions and business processes. |
System Security Plan |
PL-2 |
PL-2.4 |
Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays.
Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. Related controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CP-2, IR-8, MA-4, MA-5, MP-2, MP-4, MP-5, PL-7, PM-1, PM-7, PM-8, PM-9, PM-11, SA-5, SA-17. |
The organization:
a. Develops a security plan for the information system that:
1. Is consistent with the organization's enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and business processes;
4. Provides the security categorization of the information system including supporting rationale;
5. Describes the operational environment for the information system and relationships with or connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable
8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
c. Reviews the security plan for the information system [Assignment: organization-defined frequency];
d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
e. Protects the security plan from unauthorized disclosure and modification. |
| CCI-003053 |
The organization^s security plan for the information system provides the security categorization of the information system, including supporting rationale. |
The organization conducting the inspection/assessment obtains and examines the security plan to ensure the organization being inspected/assessed defines within the security plan the security categorization of the information system including supporting rationale. |
The organization being inspected/assessed defines within the security plan the security categorization of the information system including supporting rationale. |
System Security Plan |
PL-2 |
PL-2.5 |
Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays.
Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. Related controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CP-2, IR-8, MA-4, MA-5, MP-2, MP-4, MP-5, PL-7, PM-1, PM-7, PM-8, PM-9, PM-11, SA-5, SA-17. |
The organization:
a. Develops a security plan for the information system that:
1. Is consistent with the organization's enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and business processes;
4. Provides the security categorization of the information system including supporting rationale;
5. Describes the operational environment for the information system and relationships with or connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable
8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
c. Reviews the security plan for the information system [Assignment: organization-defined frequency];
d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
e. Protects the security plan from unauthorized disclosure and modification. |
| CCI-003054 |
The organization^s security plan for the information system describes the operational environment for the information system and relationships with, or connections to, other information systems. |
The organization conducting the inspection/assessment obtains and examines the security plan to ensure the organization being inspected/assessed describes within the security plan the operational environment for the information system and relationships with or connections to other information systems. |
The organization being inspected/assessed describes within the security plan the operational environment for the information system and relationships with or connections to other information systems. |
System Security Plan |
PL-2 |
PL-2.6 |
Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays.
Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. Related controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CP-2, IR-8, MA-4, MA-5, MP-2, MP-4, MP-5, PL-7, PM-1, PM-7, PM-8, PM-9, PM-11, SA-5, SA-17. |
The organization:
a. Develops a security plan for the information system that:
1. Is consistent with the organization's enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and business processes;
4. Provides the security categorization of the information system including supporting rationale;
5. Describes the operational environment for the information system and relationships with or connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable
8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
c. Reviews the security plan for the information system [Assignment: organization-defined frequency];
d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
e. Protects the security plan from unauthorized disclosure and modification. |
| CCI-003055 |
The organization^s security plan for the information system provides an overview of the security requirements for the system. |
The organization conducting the inspection/assessment obtains and examines the security plan to ensure the organization being inspected/assessed their security plan for the information system provides an overview of the security requirements for the system |
The organization being inspected/assessed documents within the security plan, an overview of the security requirements for the system. |
System Security Plan |
PL-2 |
PL-2.7 |
Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays.
Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. Related controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CP-2, IR-8, MA-4, MA-5, MP-2, MP-4, MP-5, PL-7, PM-1, PM-7, PM-8, PM-9, PM-11, SA-5, SA-17. |
The organization:
a. Develops a security plan for the information system that:
1. Is consistent with the organization's enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and business processes;
4. Provides the security categorization of the information system including supporting rationale;
5. Describes the operational environment for the information system and relationships with or connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable
8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
c. Reviews the security plan for the information system [Assignment: organization-defined frequency];
d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
e. Protects the security plan from unauthorized disclosure and modification. |
| CCI-003056 |
The organization^s security plan for the information system identifies any relevant overlays, if applicable. |
The organization conducting the inspection/assessment obtains and examines the security plan to ensure the organization being inspected/assessed identifies within the security plan any relevant overlays, if applicable. |
The organization being inspected/assessed identifies within the security plan any relevant overlays, if applicable. |
System Security Plan |
PL-2 |
PL-2.8 |
Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays.
Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. Related controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CP-2, IR-8, MA-4, MA-5, MP-2, MP-4, MP-5, PL-7, PM-1, PM-7, PM-8, PM-9, PM-11, SA-5, SA-17. |
The organization:
a. Develops a security plan for the information system that:
1. Is consistent with the organization's enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and business processes;
4. Provides the security categorization of the information system including supporting rationale;
5. Describes the operational environment for the information system and relationships with or connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable
8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
c. Reviews the security plan for the information system [Assignment: organization-defined frequency];
d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
e. Protects the security plan from unauthorized disclosure and modification. |
| CCI-003057 |
The organization^s security plan for the information system describes the security controls in place or planned for meeting those requirements, including a rationale for the tailoring decisions. |
The organization conducting the inspection/assessment obtains and examines the security plan to ensure the organization being inspected/assessed describes within the security plan the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation decisions. |
The organization being inspected/assessed describes within the security plan the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation decisions. |
System Security Plan |
PL-2 |
PL-2.9 |
Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays.
Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. Related controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CP-2, IR-8, MA-4, MA-5, MP-2, MP-4, MP-5, PL-7, PM-1, PM-7, PM-8, PM-9, PM-11, SA-5, SA-17. |
The organization:
a. Develops a security plan for the information system that:
1. Is consistent with the organization's enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and business processes;
4. Provides the security categorization of the information system including supporting rationale;
5. Describes the operational environment for the information system and relationships with or connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable
8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
c. Reviews the security plan for the information system [Assignment: organization-defined frequency];
d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
e. Protects the security plan from unauthorized disclosure and modification. |
| CCI-003058 |
The organization distributes copies of the security plan to organization-defined personnel or roles. |
|
|
|
|
|
|
|
| CCI-003059 |
The organization distributes copies of the security plan to organization-defined personnel or roles. |
The organization conducting the inspection/assessment obtains and examines the security plan via the organization's information sharing portal to ensure the organization being inspected/assessed distributes copies of the security plan to at a minimum, the ISSO, ISSM and SCA via the organization's information sharing portal.
DoD has defined the personnel or roles as at a minimum, the ISSO, ISSM and SCA. |
The organization being inspected/assessed distributes copies of the security plan to, at a minimum, the ISSO, ISSM and SCA via the organization's information sharing portal.
DoD has defined the personnel or roles as at a minimum, the ISSO, ISSM and SCA. |
System Security Plan |
PL-2 |
PL-2.11 |
Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays.
Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. Related controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CP-2, IR-8, MA-4, MA-5, MP-2, MP-4, MP-5, PL-7, PM-1, PM-7, PM-8, PM-9, PM-11, SA-5, SA-17. |
The organization:
a. Develops a security plan for the information system that:
1. Is consistent with the organization's enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and business processes;
4. Provides the security categorization of the information system including supporting rationale;
5. Describes the operational environment for the information system and relationships with or connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable
8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
c. Reviews the security plan for the information system [Assignment: organization-defined frequency];
d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
e. Protects the security plan from unauthorized disclosure and modification. |
| CCI-003060 |
The organization defines the personnel or roles to whom copies of the security plan are distributed. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as at a minimum, the ISSO, ISSM and SCA. |
DoD has defined the personnel or roles as at a minimum, the ISSO, ISSM and SCA. |
System Security Plan |
PL-2 |
PL-2.12 |
Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays.
Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. Related controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CP-2, IR-8, MA-4, MA-5, MP-2, MP-4, MP-5, PL-7, PM-1, PM-7, PM-8, PM-9, PM-11, SA-5, SA-17. |
The organization:
a. Develops a security plan for the information system that:
1. Is consistent with the organization's enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and business processes;
4. Provides the security categorization of the information system including supporting rationale;
5. Describes the operational environment for the information system and relationships with or connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable
8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
c. Reviews the security plan for the information system [Assignment: organization-defined frequency];
d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
e. Protects the security plan from unauthorized disclosure and modification. |
| CCI-003061 |
The organization communicates subsequent changes to the security plan to organization-defined personnel or roles. |
The organization conducting the inspection/assessment examines the organization's information sharing portal to ensure at a minimum, the ISSO, ISSM and SCA have been provided changes to the security plan.
DoD has defined the personnel or roles as at a minimum, the ISSO, ISSM and SCA. |
The organization being inspected/assessed distributes changes to the security plan to, at a minimum, the ISSO, ISSM and SCA via the organization's information sharing portal.
DoD has defined the personnel or roles as at a minimum, the ISSO, ISSM and SCA. |
System Security Plan |
PL-2 |
PL-2.13 |
Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays.
Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. Related controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CP-2, IR-8, MA-4, MA-5, MP-2, MP-4, MP-5, PL-7, PM-1, PM-7, PM-8, PM-9, PM-11, SA-5, SA-17. |
The organization:
a. Develops a security plan for the information system that:
1. Is consistent with the organization's enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and business processes;
4. Provides the security categorization of the information system including supporting rationale;
5. Describes the operational environment for the information system and relationships with or connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable
8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
c. Reviews the security plan for the information system [Assignment: organization-defined frequency];
d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
e. Protects the security plan from unauthorized disclosure and modification. |
| CCI-003062 |
The organization defines the personnel or roles to whom changes to the security plan are communicated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as at a minimum, the ISSO, ISSM and SCA. |
DoD has defined the personnel or roles as at a minimum, the ISSO, ISSM and SCA. |
System Security Plan |
PL-2 |
PL-2.14 |
Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays.
Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. Related controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CP-2, IR-8, MA-4, MA-5, MP-2, MP-4, MP-5, PL-7, PM-1, PM-7, PM-8, PM-9, PM-11, SA-5, SA-17. |
The organization:
a. Develops a security plan for the information system that:
1. Is consistent with the organization's enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and business processes;
4. Provides the security categorization of the information system including supporting rationale;
5. Describes the operational environment for the information system and relationships with or connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable
8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
c. Reviews the security plan for the information system [Assignment: organization-defined frequency];
d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
e. Protects the security plan from unauthorized disclosure and modification. |
| CCI-003063 |
The organization protects the security plan from unauthorized disclosure. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed protects the security plan from unauthorized disclosure. |
The organization being inspected/assessed documents and implements a process to protect the security plan from unauthorized disclosure. |
System Security Plan |
PL-2 |
PL-2.18 |
Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays.
Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. Related controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CP-2, IR-8, MA-4, MA-5, MP-2, MP-4, MP-5, PL-7, PM-1, PM-7, PM-8, PM-9, PM-11, SA-5, SA-17. |
The organization:
a. Develops a security plan for the information system that:
1. Is consistent with the organization's enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and business processes;
4. Provides the security categorization of the information system including supporting rationale;
5. Describes the operational environment for the information system and relationships with or connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable
8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
c. Reviews the security plan for the information system [Assignment: organization-defined frequency];
d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
e. Protects the security plan from unauthorized disclosure and modification. |
| CCI-003064 |
The organization protects the security plan from unauthorized modification. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed protects the security plan from unauthorized modification. |
The organization being inspected/assessed documents and implements a process to protect the security plan from unauthorized modification. |
System Security Plan |
PL-2 |
PL-2.19 |
Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays.
Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. Related controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CP-2, IR-8, MA-4, MA-5, MP-2, MP-4, MP-5, PL-7, PM-1, PM-7, PM-8, PM-9, PM-11, SA-5, SA-17. |
The organization:
a. Develops a security plan for the information system that:
1. Is consistent with the organization's enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and business processes;
4. Provides the security categorization of the information system including supporting rationale;
5. Describes the operational environment for the information system and relationships with or connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable
8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
c. Reviews the security plan for the information system [Assignment: organization-defined frequency];
d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
e. Protects the security plan from unauthorized disclosure and modification. |
| CCI-003065 |
The organization plans and coordinates security-related activities affecting the information system with organization-defined individuals or groups before conducting such activities in order to reduce the impact on other organizational entities. |
The organization conducting the inspection/assessment obtains and examines the security plan to ensure the organization being inspected/assessed plans and coordinates of security-related activities affecting the information system with individuals or groups defined in PL-2 (3), CCI 3067 before conducting such activities in order to reduce the impact on other organizational entities. |
The organization being inspected/assessed defines and documents within the security plan, the planning and coordination of security-related activities affecting the information system with individuals or groups defined in PL-2 (3), CCI 3067 before conducting such activities in order to reduce the impact on other organizational entities. |
System Security Plan | Plan / Coordinate With Other Organizational Entities |
PL-2 (3) |
PL-2(3).1 |
Security-related activities include, for example, security assessments, audits, hardware and software maintenance, patch management, and contingency plan testing. Advance planning and coordination includes emergency and nonemergency (i.e., planned or nonurgent unplanned) situations. The process defined by organizations to plan and coordinate security-related activities can be included in security plans for information systems or other documents, as appropriate. Related controls: CP-4, IR-4. |
The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities. |
| CCI-003066 |
The organization defines the individuals or groups with whom security-related activities are planned and coordinated. |
|
|
|
|
|
|
|
| CCI-003067 |
The organization defines the individuals or groups with whom security-related activities are planned and coordinated. |
The organization conducting the inspection/assessment obtains and examines the documented individuals or groups to ensure the organization being inspected/assessed defines the individuals or groups with whom security-related activities are planned and coordinated.
DoD has determined the individuals or groups are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the individuals or groups with whom security-related activities are planned and coordinated.
DoD has determined the individuals or groups are not appropriate to define at the Enterprise level. |
System Security Plan | Plan / Coordinate With Other Organizational Entities |
PL-2 (3) |
PL-2(3).2 |
Security-related activities include, for example, security assessments, audits, hardware and software maintenance, patch management, and contingency plan testing. Advance planning and coordination includes emergency and nonemergency (i.e., planned or nonurgent unplanned) situations. The process defined by organizations to plan and coordinate security-related activities can be included in security plans for information systems or other documents, as appropriate. Related controls: CP-4, IR-4. |
The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities. |
| CCI-003068 |
The organization reviews and updates the rules of behavior in accordance with organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the audit trail of reviews and updates to ensure the organization being inspected/assessed reviews and updates the rules of behavior annually.
DoD has defined the frequency as annually. |
The organization being inspected/assessed reviews and updates the rules of behavior annually.
The organization must maintain an audit trail of reviews and updates.
DoD has defined the frequency as annually. |
Rules Of Behavior |
PL-4 |
PL-4.4 |
This control enhancement applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior. Related controls: AC-2, AC-6, AC-8, AC-9, AC-17, AC-18, AC-19, AC-20, AT-2, AT-3, CM-11, IA-2, IA-4, IA-5, MP-7, PS-6, PS-8, SA-5. |
The organization:
a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;
b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;
c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and
d. Requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised/updated. |
| CCI-003069 |
The organization defines the frequency with which to review and update the rules of behavior. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as annually. |
DoD has defined the frequency as annually. |
Rules Of Behavior |
PL-4 |
PL-4.5 |
This control enhancement applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior. Related controls: AC-2, AC-6, AC-8, AC-9, AC-17, AC-18, AC-19, AC-20, AT-2, AT-3, CM-11, IA-2, IA-4, IA-5, MP-7, PS-6, PS-8, SA-5. |
The organization:
a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;
b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;
c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and
d. Requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised/updated. |
| CCI-003070 |
The organization requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised/updated. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised/updated. |
The organization being inspected/assessed documents and implements a process to require individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised/updated.
The signed acknowledgment portion of this control may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. |
Rules Of Behavior |
PL-4 |
PL-4.6 |
This control enhancement applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior. Related controls: AC-2, AC-6, AC-8, AC-9, AC-17, AC-18, AC-19, AC-20, AT-2, AT-3, CM-11, IA-2, IA-4, IA-5, MP-7, PS-6, PS-8, SA-5. |
The organization:
a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;
b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;
c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and
d. Requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised/updated. |
| CCI-003071 |
The organization develops a security Concept of Operations (CONOPS) for the information system containing, at a minimum, how the organization intends to operate the system from the perspective of information security. |
The organization conducting the inspection/assessment obtains and examines the security CONOPS to ensure the organization being inspected/assessed develops a security CONOPS for the information system containing at a minimum, how the organization intends to operate the system from the perspective of information security. |
The organization being inspected/assessed develops and documents a security Concept of Operations (CONOPS) for the information system containing at a minimum, how the organization intends to operate the system from the perspective of information security. |
Security Concept Of Operations |
PL-7 |
PL-7.1 |
The security CONOPS may be included in the security plan for the information system or in other system development life cycle-related documents, as appropriate. Changes to the CONOPS are reflected in ongoing updates to the security plan, the information security architecture, and other appropriate organizational documents (e.g., security specifications for procurements/acquisitions, system development life cycle documents, and systems/security engineering documents). Related control: PL-2. |
The organization:
a. Develops a security Concept of Operations (CONOPS) for the information system containing at a minimum, how the organization intends to operate the system from the perspective of information security; and
b. Reviews and updates the CONOPS [Assignment: organization - defined frequency]. |
| CCI-003072 |
The organization develops an information security architecture for the information system. |
The organization conducting the inspection/assessment obtains and examines the documented information security architecture to ensure the organization being inspected/assessed develops an information security architecture for the information system. |
The organization being inspected/assessed develops and documents an information security architecture for the information system. |
Information Security Architecture |
PL-8 |
PL-8.1 |
This control addresses actions taken by organizations in the design and development of information systems. The information security architecture at the individual information system level is consistent with and complements the more global, organization-wide information security architecture described in PM-7 that is integral to and developed as part of the enterprise architecture. The information security architecture includes an architectural description, the placement/allocation of security functionality (including security controls), security-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. In addition, the security architecture can include other important security-related information, for example, user roles and access privileges assigned to each role, unique security requirements, the types of information processed, stored, and transmitted by the information system, restoration priorities of information and information system services, and any other specific protection needs.
In today's modern architecture, it is becoming less common for organizations to control all information resources. There are going to be key dependencies on external information services and service providers. Describing such dependencies in the information security architecture is important to developing a comprehensive mission/business protection strategy. Establishing, developing, documenting, and maintaining under configuration control, a baseline configuration for organizational information systems is critical to implementing and maintaining an effective information security architecture. The development of the information security architecture is coordinated with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) to ensure that security controls needed to support privacy requirements are identified and effectively implemented. PL-8 is primarily directed at organizations (i.e., internally focused) to help ensure that organizations develop an information security architecture for the information system, and that the security architecture is integrated with or tightly coupled to the enterprise architecture through the organization-wide information security architecture. In contrast, SA-17 is primarily directed at external information technology product/system developers and integrators (although SA-17 could be used internally within organizations for in-house system development). SA-17, which is complementary to PL-8, is selected when organizations outsource the development of information systems or information system components to external entities, and there is a need to demonstrate/show consistency with the organization's enterprise architecture and information security architecture. Related controls: CM-2, CM-6, PL-2, PM-7, SA-5, SA-17, Appendix J. |
The organization:
a. Develops an information security architecture for the information system that:
1. Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;
2. Describes how the information security architecture is integrated into and supports the enterprise architecture; and
3. Describes any information security assumptions about, and dependencies on, external services;
b. Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and
c. Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions. |
| CCI-003073 |
The organization^s information security architecture for the information system describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information. |
The organization conducting the inspection/assessment obtains and examines the information security architecture to ensure the organization being inspected/assessed describes within the information security architecture for the information system, the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information. |
The organization being inspected/assessed describes within the information security architecture for the information system, the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information. |
Information Security Architecture |
PL-8 |
PL-8.2 |
This control addresses actions taken by organizations in the design and development of information systems. The information security architecture at the individual information system level is consistent with and complements the more global, organization-wide information security architecture described in PM-7 that is integral to and developed as part of the enterprise architecture. The information security architecture includes an architectural description, the placement/allocation of security functionality (including security controls), security-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. In addition, the security architecture can include other important security-related information, for example, user roles and access privileges assigned to each role, unique security requirements, the types of information processed, stored, and transmitted by the information system, restoration priorities of information and information system services, and any other specific protection needs.
In today's modern architecture, it is becoming less common for organizations to control all information resources. There are going to be key dependencies on external information services and service providers. Describing such dependencies in the information security architecture is important to developing a comprehensive mission/business protection strategy. Establishing, developing, documenting, and maintaining under configuration control, a baseline configuration for organizational information systems is critical to implementing and maintaining an effective information security architecture. The development of the information security architecture is coordinated with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) to ensure that security controls needed to support privacy requirements are identified and effectively implemented. PL-8 is primarily directed at organizations (i.e., internally focused) to help ensure that organizations develop an information security architecture for the information system, and that the security architecture is integrated with or tightly coupled to the enterprise architecture through the organization-wide information security architecture. In contrast, SA-17 is primarily directed at external information technology product/system developers and integrators (although SA-17 could be used internally within organizations for in-house system development). SA-17, which is complementary to PL-8, is selected when organizations outsource the development of information systems or information system components to external entities, and there is a need to demonstrate/show consistency with the organization's enterprise architecture and information security architecture. Related controls: CM-2, CM-6, PL-2, PM-7, SA-5, SA-17, Appendix J. |
The organization:
a. Develops an information security architecture for the information system that:
1. Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;
2. Describes how the information security architecture is integrated into and supports the enterprise architecture; and
3. Describes any information security assumptions about, and dependencies on, external services;
b. Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and
c. Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions. |
| CCI-003074 |
The organization^s information security architecture for the information system describes how the information security architecture is integrated into and supports the enterprise architecture. |
The organization conducting the inspection/assessment obtains and examines the information security architecture to ensure the organization being inspected/assessed describes within the information security architecture for the information system, how the information security architecture is integrated into and supports the enterprise architecture. |
The organization being inspected/assessed describes within the information security architecture for the information system, how the information security architecture is integrated into and supports the enterprise architecture. |
Information Security Architecture |
PL-8 |
PL-8.3 |
This control addresses actions taken by organizations in the design and development of information systems. The information security architecture at the individual information system level is consistent with and complements the more global, organization-wide information security architecture described in PM-7 that is integral to and developed as part of the enterprise architecture. The information security architecture includes an architectural description, the placement/allocation of security functionality (including security controls), security-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. In addition, the security architecture can include other important security-related information, for example, user roles and access privileges assigned to each role, unique security requirements, the types of information processed, stored, and transmitted by the information system, restoration priorities of information and information system services, and any other specific protection needs.
In today's modern architecture, it is becoming less common for organizations to control all information resources. There are going to be key dependencies on external information services and service providers. Describing such dependencies in the information security architecture is important to developing a comprehensive mission/business protection strategy. Establishing, developing, documenting, and maintaining under configuration control, a baseline configuration for organizational information systems is critical to implementing and maintaining an effective information security architecture. The development of the information security architecture is coordinated with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) to ensure that security controls needed to support privacy requirements are identified and effectively implemented. PL-8 is primarily directed at organizations (i.e., internally focused) to help ensure that organizations develop an information security architecture for the information system, and that the security architecture is integrated with or tightly coupled to the enterprise architecture through the organization-wide information security architecture. In contrast, SA-17 is primarily directed at external information technology product/system developers and integrators (although SA-17 could be used internally within organizations for in-house system development). SA-17, which is complementary to PL-8, is selected when organizations outsource the development of information systems or information system components to external entities, and there is a need to demonstrate/show consistency with the organization's enterprise architecture and information security architecture. Related controls: CM-2, CM-6, PL-2, PM-7, SA-5, SA-17, Appendix J. |
The organization:
a. Develops an information security architecture for the information system that:
1. Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;
2. Describes how the information security architecture is integrated into and supports the enterprise architecture; and
3. Describes any information security assumptions about, and dependencies on, external services;
b. Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and
c. Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions. |
| CCI-003075 |
The organization^s information security architecture for the information system describes any information security assumptions about, and dependencies on, external services. |
The organization conducting the inspection/assessment obtains and examines the information security architecture to ensure the organization being inspected/assessed describes within the information security architecture for the information system, any information security assumptions about, and dependencies on, external services. |
The organization being inspected/assessed describes within the information security architecture for the information system, any information security assumptions about, and dependencies on, external services. |
Information Security Architecture |
PL-8 |
PL-8.4 |
This control addresses actions taken by organizations in the design and development of information systems. The information security architecture at the individual information system level is consistent with and complements the more global, organization-wide information security architecture described in PM-7 that is integral to and developed as part of the enterprise architecture. The information security architecture includes an architectural description, the placement/allocation of security functionality (including security controls), security-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. In addition, the security architecture can include other important security-related information, for example, user roles and access privileges assigned to each role, unique security requirements, the types of information processed, stored, and transmitted by the information system, restoration priorities of information and information system services, and any other specific protection needs.
In today's modern architecture, it is becoming less common for organizations to control all information resources. There are going to be key dependencies on external information services and service providers. Describing such dependencies in the information security architecture is important to developing a comprehensive mission/business protection strategy. Establishing, developing, documenting, and maintaining under configuration control, a baseline configuration for organizational information systems is critical to implementing and maintaining an effective information security architecture. The development of the information security architecture is coordinated with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) to ensure that security controls needed to support privacy requirements are identified and effectively implemented. PL-8 is primarily directed at organizations (i.e., internally focused) to help ensure that organizations develop an information security architecture for the information system, and that the security architecture is integrated with or tightly coupled to the enterprise architecture through the organization-wide information security architecture. In contrast, SA-17 is primarily directed at external information technology product/system developers and integrators (although SA-17 could be used internally within organizations for in-house system development). SA-17, which is complementary to PL-8, is selected when organizations outsource the development of information systems or information system components to external entities, and there is a need to demonstrate/show consistency with the organization's enterprise architecture and information security architecture. Related controls: CM-2, CM-6, PL-2, PM-7, SA-5, SA-17, Appendix J. |
The organization:
a. Develops an information security architecture for the information system that:
1. Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;
2. Describes how the information security architecture is integrated into and supports the enterprise architecture; and
3. Describes any information security assumptions about, and dependencies on, external services;
b. Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and
c. Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions. |
| CCI-003076 |
The organization reviews and updates the information security architecture in accordance with organization-defined frequency to reflect updates in the enterprise architecture. |
The organization conducting the inspection/assessment obtains and examines the audit trail of reviews and updates to ensure the organization being inspected/assessed reviews and updates the information security architecture annually to reflect updates in the enterprise architecture.
DoD has defined the frequency as annually. |
The organization being inspected/assessed reviews and updates the information security architecture annually to reflect updates in the enterprise architecture.
The organization must maintain an audit trail of reviews and updates.
DoD has defined the frequency as annually. |
Information Security Architecture |
PL-8 |
PL-8.5 |
This control addresses actions taken by organizations in the design and development of information systems. The information security architecture at the individual information system level is consistent with and complements the more global, organization-wide information security architecture described in PM-7 that is integral to and developed as part of the enterprise architecture. The information security architecture includes an architectural description, the placement/allocation of security functionality (including security controls), security-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. In addition, the security architecture can include other important security-related information, for example, user roles and access privileges assigned to each role, unique security requirements, the types of information processed, stored, and transmitted by the information system, restoration priorities of information and information system services, and any other specific protection needs.
In today's modern architecture, it is becoming less common for organizations to control all information resources. There are going to be key dependencies on external information services and service providers. Describing such dependencies in the information security architecture is important to developing a comprehensive mission/business protection strategy. Establishing, developing, documenting, and maintaining under configuration control, a baseline configuration for organizational information systems is critical to implementing and maintaining an effective information security architecture. The development of the information security architecture is coordinated with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) to ensure that security controls needed to support privacy requirements are identified and effectively implemented. PL-8 is primarily directed at organizations (i.e., internally focused) to help ensure that organizations develop an information security architecture for the information system, and that the security architecture is integrated with or tightly coupled to the enterprise architecture through the organization-wide information security architecture. In contrast, SA-17 is primarily directed at external information technology product/system developers and integrators (although SA-17 could be used internally within organizations for in-house system development). SA-17, which is complementary to PL-8, is selected when organizations outsource the development of information systems or information system components to external entities, and there is a need to demonstrate/show consistency with the organization's enterprise architecture and information security architecture. Related controls: CM-2, CM-6, PL-2, PM-7, SA-5, SA-17, Appendix J. |
The organization:
a. Develops an information security architecture for the information system that:
1. Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;
2. Describes how the information security architecture is integrated into and supports the enterprise architecture; and
3. Describes any information security assumptions about, and dependencies on, external services;
b. Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and
c. Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions. |
| CCI-003077 |
The organization defines the frequency with which to review and update the information system architecture. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as annually. |
DoD has defined the frequency as annually. |
Information Security Architecture |
PL-8 |
PL-8.6 |
This control addresses actions taken by organizations in the design and development of information systems. The information security architecture at the individual information system level is consistent with and complements the more global, organization-wide information security architecture described in PM-7 that is integral to and developed as part of the enterprise architecture. The information security architecture includes an architectural description, the placement/allocation of security functionality (including security controls), security-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. In addition, the security architecture can include other important security-related information, for example, user roles and access privileges assigned to each role, unique security requirements, the types of information processed, stored, and transmitted by the information system, restoration priorities of information and information system services, and any other specific protection needs.
In today's modern architecture, it is becoming less common for organizations to control all information resources. There are going to be key dependencies on external information services and service providers. Describing such dependencies in the information security architecture is important to developing a comprehensive mission/business protection strategy. Establishing, developing, documenting, and maintaining under configuration control, a baseline configuration for organizational information systems is critical to implementing and maintaining an effective information security architecture. The development of the information security architecture is coordinated with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) to ensure that security controls needed to support privacy requirements are identified and effectively implemented. PL-8 is primarily directed at organizations (i.e., internally focused) to help ensure that organizations develop an information security architecture for the information system, and that the security architecture is integrated with or tightly coupled to the enterprise architecture through the organization-wide information security architecture. In contrast, SA-17 is primarily directed at external information technology product/system developers and integrators (although SA-17 could be used internally within organizations for in-house system development). SA-17, which is complementary to PL-8, is selected when organizations outsource the development of information systems or information system components to external entities, and there is a need to demonstrate/show consistency with the organization's enterprise architecture and information security architecture. Related controls: CM-2, CM-6, PL-2, PM-7, SA-5, SA-17, Appendix J. |
The organization:
a. Develops an information security architecture for the information system that:
1. Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;
2. Describes how the information security architecture is integrated into and supports the enterprise architecture; and
3. Describes any information security assumptions about, and dependencies on, external services;
b. Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and
c. Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions. |
| CCI-003078 |
The organization ensures that planned information security architecture changes are reflected in the security plan. |
The organization conducting the inspection/assessment obtains and examines the security plan to ensure the organization being inspected/assessed includes planned information security architecture changes in the security plan. |
The organization being inspected/assessed includes planned information security architecture changes in the security plan. |
Information Security Architecture |
PL-8 |
PL-8.7 |
This control addresses actions taken by organizations in the design and development of information systems. The information security architecture at the individual information system level is consistent with and complements the more global, organization-wide information security architecture described in PM-7 that is integral to and developed as part of the enterprise architecture. The information security architecture includes an architectural description, the placement/allocation of security functionality (including security controls), security-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. In addition, the security architecture can include other important security-related information, for example, user roles and access privileges assigned to each role, unique security requirements, the types of information processed, stored, and transmitted by the information system, restoration priorities of information and information system services, and any other specific protection needs.
In today's modern architecture, it is becoming less common for organizations to control all information resources. There are going to be key dependencies on external information services and service providers. Describing such dependencies in the information security architecture is important to developing a comprehensive mission/business protection strategy. Establishing, developing, documenting, and maintaining under configuration control, a baseline configuration for organizational information systems is critical to implementing and maintaining an effective information security architecture. The development of the information security architecture is coordinated with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) to ensure that security controls needed to support privacy requirements are identified and effectively implemented. PL-8 is primarily directed at organizations (i.e., internally focused) to help ensure that organizations develop an information security architecture for the information system, and that the security architecture is integrated with or tightly coupled to the enterprise architecture through the organization-wide information security architecture. In contrast, SA-17 is primarily directed at external information technology product/system developers and integrators (although SA-17 could be used internally within organizations for in-house system development). SA-17, which is complementary to PL-8, is selected when organizations outsource the development of information systems or information system components to external entities, and there is a need to demonstrate/show consistency with the organization's enterprise architecture and information security architecture. Related controls: CM-2, CM-6, PL-2, PM-7, SA-5, SA-17, Appendix J. |
The organization:
a. Develops an information security architecture for the information system that:
1. Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;
2. Describes how the information security architecture is integrated into and supports the enterprise architecture; and
3. Describes any information security assumptions about, and dependencies on, external services;
b. Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and
c. Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions. |
| CCI-003079 |
The organization ensures that planned information security architecture changes are reflected in the security Concept of Operations (CONOPS). |
The organization conducting the inspection/assessment obtains and examines security CONOPS to ensure the organization being inspected/assessed includes planned information security architecture changes in the security CONOPS. |
The organization being inspected/assessed includes planned information security architecture changes in the security Concept of Operations (CONOPS). |
Information Security Architecture |
PL-8 |
PL-8.8 |
This control addresses actions taken by organizations in the design and development of information systems. The information security architecture at the individual information system level is consistent with and complements the more global, organization-wide information security architecture described in PM-7 that is integral to and developed as part of the enterprise architecture. The information security architecture includes an architectural description, the placement/allocation of security functionality (including security controls), security-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. In addition, the security architecture can include other important security-related information, for example, user roles and access privileges assigned to each role, unique security requirements, the types of information processed, stored, and transmitted by the information system, restoration priorities of information and information system services, and any other specific protection needs.
In today's modern architecture, it is becoming less common for organizations to control all information resources. There are going to be key dependencies on external information services and service providers. Describing such dependencies in the information security architecture is important to developing a comprehensive mission/business protection strategy. Establishing, developing, documenting, and maintaining under configuration control, a baseline configuration for organizational information systems is critical to implementing and maintaining an effective information security architecture. The development of the information security architecture is coordinated with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) to ensure that security controls needed to support privacy requirements are identified and effectively implemented. PL-8 is primarily directed at organizations (i.e., internally focused) to help ensure that organizations develop an information security architecture for the information system, and that the security architecture is integrated with or tightly coupled to the enterprise architecture through the organization-wide information security architecture. In contrast, SA-17 is primarily directed at external information technology product/system developers and integrators (although SA-17 could be used internally within organizations for in-house system development). SA-17, which is complementary to PL-8, is selected when organizations outsource the development of information systems or information system components to external entities, and there is a need to demonstrate/show consistency with the organization's enterprise architecture and information security architecture. Related controls: CM-2, CM-6, PL-2, PM-7, SA-5, SA-17, Appendix J. |
The organization:
a. Develops an information security architecture for the information system that:
1. Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;
2. Describes how the information security architecture is integrated into and supports the enterprise architecture; and
3. Describes any information security assumptions about, and dependencies on, external services;
b. Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and
c. Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions. |
| CCI-003080 |
The organization ensures that planned information security architecture changes are reflected in organizational procurements/acquisitions. |
The organization conducting the inspection/assessment obtains and examines a sampling of procurement materials to ensure the organization being inspected/assessed includes planned information security architecture changes in organizational procurements/acquisitions. |
The organization being inspected/assessed includes planned information security architecture changes in organizational procurements/acquisitions. |
Information Security Architecture |
PL-8 |
PL-8.9 |
This control addresses actions taken by organizations in the design and development of information systems. The information security architecture at the individual information system level is consistent with and complements the more global, organization-wide information security architecture described in PM-7 that is integral to and developed as part of the enterprise architecture. The information security architecture includes an architectural description, the placement/allocation of security functionality (including security controls), security-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. In addition, the security architecture can include other important security-related information, for example, user roles and access privileges assigned to each role, unique security requirements, the types of information processed, stored, and transmitted by the information system, restoration priorities of information and information system services, and any other specific protection needs.
In today's modern architecture, it is becoming less common for organizations to control all information resources. There are going to be key dependencies on external information services and service providers. Describing such dependencies in the information security architecture is important to developing a comprehensive mission/business protection strategy. Establishing, developing, documenting, and maintaining under configuration control, a baseline configuration for organizational information systems is critical to implementing and maintaining an effective information security architecture. The development of the information security architecture is coordinated with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) to ensure that security controls needed to support privacy requirements are identified and effectively implemented. PL-8 is primarily directed at organizations (i.e., internally focused) to help ensure that organizations develop an information security architecture for the information system, and that the security architecture is integrated with or tightly coupled to the enterprise architecture through the organization-wide information security architecture. In contrast, SA-17 is primarily directed at external information technology product/system developers and integrators (although SA-17 could be used internally within organizations for in-house system development). SA-17, which is complementary to PL-8, is selected when organizations outsource the development of information systems or information system components to external entities, and there is a need to demonstrate/show consistency with the organization's enterprise architecture and information security architecture. Related controls: CM-2, CM-6, PL-2, PM-7, SA-5, SA-17, Appendix J. |
The organization:
a. Develops an information security architecture for the information system that:
1. Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;
2. Describes how the information security architecture is integrated into and supports the enterprise architecture; and
3. Describes any information security assumptions about, and dependencies on, external services;
b. Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and
c. Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions. |
| CCI-003081 |
The organization designs its security architecture using a defense-in-depth approach that allocates organization-defined security safeguards to organization-defined locations. |
The organization conducting the inspection/assessment obtains and examines the security architecture to ensure the organization being inspected/assessed designs its security architecture using a defense-in-depth approach that allocates security safeguards defined in PL-8 (1), CCI 3083 to locations defined in PL-8 (1), CCI 3085. |
The organization being inspected/assessed designs and documents its security architecture using a defense-in-depth approach that allocates security safeguards defined in PL-8 (1), CCI 3083 to locations defined in PL-8 (1), CCI 3085. |
Information Security Architecture | Defense-In-Depth |
PL-8 (1) |
PL-8(1).1 |
Organizations strategically allocate security safeguards (procedural, technical, or both) in the security architecture so that adversaries have to overcome multiple safeguards to achieve their objective. Requiring adversaries to defeat multiple mechanisms makes it more difficult to successfully attack critical information resources (i.e., increases adversary work factor) and also increases the likelihood of detection. The coordination of allocated safeguards is essential to ensure that an attack that involves one safeguard does not create adverse unintended consequences (e.g., lockout, cascading alarms) by interfering with another safeguard. Placement of security safeguards is a key activity. Greater asset criticality or information value merits additional layering. Thus, an organization may choose to place anti-virus software at organizational boundary layers, email/web servers, notebook computers, and workstations to maximize the number of related safeguards adversaries must penetrate before compromising the information and information systems. Related controls: SC-29, SC-36. |
The organization designs its security architecture using a defense-in-depth approach that:
(a) Allocates [Assignment: organization-defined security safeguards] to [Assignment: organization-defined locations and architectural layers]; and
(b) Ensures that the allocated security safeguards operate in a coordinated and mutually reinforcing manner. |
| CCI-003082 |
The organization designs its security architecture using a defense-in-depth approach that allocates organization-defined security safeguards to organization-defined architectural layers. |
The organization conducting the inspection/assessment obtains and examines the security architecture to ensure the organization being inspected/assessed designs its security architecture using a defense-in-depth approach that allocates security safeguards defined in PL-8 (1), CCI 3084 to architectural layers defined in PL-8 (1), CCI 3086. |
The organization being inspected/assessed designs and documents its security architecture using a defense-in-depth approach that allocates security safeguards defined in PL-8 (1), CCI 3084 to architectural layers defined in PL-8 (1), CCI 3086. |
Information Security Architecture | Defense-In-Depth |
PL-8 (1) |
PL-8(1).2 |
Organizations strategically allocate security safeguards (procedural, technical, or both) in the security architecture so that adversaries have to overcome multiple safeguards to achieve their objective. Requiring adversaries to defeat multiple mechanisms makes it more difficult to successfully attack critical information resources (i.e., increases adversary work factor) and also increases the likelihood of detection. The coordination of allocated safeguards is essential to ensure that an attack that involves one safeguard does not create adverse unintended consequences (e.g., lockout, cascading alarms) by interfering with another safeguard. Placement of security safeguards is a key activity. Greater asset criticality or information value merits additional layering. Thus, an organization may choose to place anti-virus software at organizational boundary layers, email/web servers, notebook computers, and workstations to maximize the number of related safeguards adversaries must penetrate before compromising the information and information systems. Related controls: SC-29, SC-36. |
The organization designs its security architecture using a defense-in-depth approach that:
(a) Allocates [Assignment: organization-defined security safeguards] to [Assignment: organization-defined locations and architectural layers]; and
(b) Ensures that the allocated security safeguards operate in a coordinated and mutually reinforcing manner. |
| CCI-003083 |
The organization defines the security safeguards to be allocated to organization-defined locations. |
The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure the organization being inspected/assessed defines the security safeguards to be allocated to organization-defined locations.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security safeguards to be allocated to organization-defined locations.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
Information Security Architecture | Defense-In-Depth |
PL-8 (1) |
PL-8(1).3 |
Organizations strategically allocate security safeguards (procedural, technical, or both) in the security architecture so that adversaries have to overcome multiple safeguards to achieve their objective. Requiring adversaries to defeat multiple mechanisms makes it more difficult to successfully attack critical information resources (i.e., increases adversary work factor) and also increases the likelihood of detection. The coordination of allocated safeguards is essential to ensure that an attack that involves one safeguard does not create adverse unintended consequences (e.g., lockout, cascading alarms) by interfering with another safeguard. Placement of security safeguards is a key activity. Greater asset criticality or information value merits additional layering. Thus, an organization may choose to place anti-virus software at organizational boundary layers, email/web servers, notebook computers, and workstations to maximize the number of related safeguards adversaries must penetrate before compromising the information and information systems. Related controls: SC-29, SC-36. |
The organization designs its security architecture using a defense-in-depth approach that:
(a) Allocates [Assignment: organization-defined security safeguards] to [Assignment: organization-defined locations and architectural layers]; and
(b) Ensures that the allocated security safeguards operate in a coordinated and mutually reinforcing manner. |
| CCI-003084 |
The organization defines the security safeguards to be allocated to organization-defined architectural layers. |
The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure the organization being inspected/assessed defines the security safeguards to be allocated to organization-defined architectural layers.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security safeguards to be allocated to organization-defined architectural layers.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
Information Security Architecture | Defense-In-Depth |
PL-8 (1) |
PL-8(1).4 |
Organizations strategically allocate security safeguards (procedural, technical, or both) in the security architecture so that adversaries have to overcome multiple safeguards to achieve their objective. Requiring adversaries to defeat multiple mechanisms makes it more difficult to successfully attack critical information resources (i.e., increases adversary work factor) and also increases the likelihood of detection. The coordination of allocated safeguards is essential to ensure that an attack that involves one safeguard does not create adverse unintended consequences (e.g., lockout, cascading alarms) by interfering with another safeguard. Placement of security safeguards is a key activity. Greater asset criticality or information value merits additional layering. Thus, an organization may choose to place anti-virus software at organizational boundary layers, email/web servers, notebook computers, and workstations to maximize the number of related safeguards adversaries must penetrate before compromising the information and information systems. Related controls: SC-29, SC-36. |
The organization designs its security architecture using a defense-in-depth approach that:
(a) Allocates [Assignment: organization-defined security safeguards] to [Assignment: organization-defined locations and architectural layers]; and
(b) Ensures that the allocated security safeguards operate in a coordinated and mutually reinforcing manner. |
| CCI-003085 |
The organization defines the locations to which it allocates organization-defined security safeguards in the security architecture. |
The organization conducting the inspection/assessment obtains and examines the documented locations to ensure the organization being inspected/assessed defines the locations to which it allocates organization-defined security safeguards in the security architecture.
DoD has determined the locations are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the locations to which it allocates organization-defined security safeguards in the security architecture.
DoD has determined the locations are not appropriate to define at the Enterprise level. |
Information Security Architecture | Defense-In-Depth |
PL-8 (1) |
PL-8(1).5 |
Organizations strategically allocate security safeguards (procedural, technical, or both) in the security architecture so that adversaries have to overcome multiple safeguards to achieve their objective. Requiring adversaries to defeat multiple mechanisms makes it more difficult to successfully attack critical information resources (i.e., increases adversary work factor) and also increases the likelihood of detection. The coordination of allocated safeguards is essential to ensure that an attack that involves one safeguard does not create adverse unintended consequences (e.g., lockout, cascading alarms) by interfering with another safeguard. Placement of security safeguards is a key activity. Greater asset criticality or information value merits additional layering. Thus, an organization may choose to place anti-virus software at organizational boundary layers, email/web servers, notebook computers, and workstations to maximize the number of related safeguards adversaries must penetrate before compromising the information and information systems. Related controls: SC-29, SC-36. |
The organization designs its security architecture using a defense-in-depth approach that:
(a) Allocates [Assignment: organization-defined security safeguards] to [Assignment: organization-defined locations and architectural layers]; and
(b) Ensures that the allocated security safeguards operate in a coordinated and mutually reinforcing manner. |
| CCI-003086 |
The organization defines the architectural layers to which it allocates organization-defined security safeguards in the security architecture. |
The organization conducting the inspection/assessment obtains and examines the documented architectural layers to ensure the organization being inspected/assessed defines the architectural layers to which it allocates organization-defined security safeguards in the security architecture.
DoD has determined the architectural layers are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the architectural layers to which it allocates organization-defined security safeguards in the security architecture.
DoD has determined the architectural layers are not appropriate to define at the Enterprise level. |
Information Security Architecture | Defense-In-Depth |
PL-8 (1) |
PL-8(1).6 |
Organizations strategically allocate security safeguards (procedural, technical, or both) in the security architecture so that adversaries have to overcome multiple safeguards to achieve their objective. Requiring adversaries to defeat multiple mechanisms makes it more difficult to successfully attack critical information resources (i.e., increases adversary work factor) and also increases the likelihood of detection. The coordination of allocated safeguards is essential to ensure that an attack that involves one safeguard does not create adverse unintended consequences (e.g., lockout, cascading alarms) by interfering with another safeguard. Placement of security safeguards is a key activity. Greater asset criticality or information value merits additional layering. Thus, an organization may choose to place anti-virus software at organizational boundary layers, email/web servers, notebook computers, and workstations to maximize the number of related safeguards adversaries must penetrate before compromising the information and information systems. Related controls: SC-29, SC-36. |
The organization designs its security architecture using a defense-in-depth approach that:
(a) Allocates [Assignment: organization-defined security safeguards] to [Assignment: organization-defined locations and architectural layers]; and
(b) Ensures that the allocated security safeguards operate in a coordinated and mutually reinforcing manner. |
| CCI-003087 |
The organization designs its security architecture using a defense-in-depth approach that ensures that the allocated security safeguards operate in a coordinated and mutually reinforcing manner. |
The organization conducting the inspection/assessment obtains and examines security architecture to ensure the organization being inspected/assessed designs its security architecture using a defense-in-depth approach that ensures that the allocated security safeguards operate in a coordinated and mutually reinforcing manner. |
The organization being inspected/assessed designs and documents its security architecture using a defense-in-depth approach that ensures that the allocated security safeguards operate in a coordinated and mutually reinforcing manner. |
Information Security Architecture | Defense-In-Depth |
PL-8 (1) |
PL-8(1).7 |
Organizations strategically allocate security safeguards (procedural, technical, or both) in the security architecture so that adversaries have to overcome multiple safeguards to achieve their objective. Requiring adversaries to defeat multiple mechanisms makes it more difficult to successfully attack critical information resources (i.e., increases adversary work factor) and also increases the likelihood of detection. The coordination of allocated safeguards is essential to ensure that an attack that involves one safeguard does not create adverse unintended consequences (e.g., lockout, cascading alarms) by interfering with another safeguard. Placement of security safeguards is a key activity. Greater asset criticality or information value merits additional layering. Thus, an organization may choose to place anti-virus software at organizational boundary layers, email/web servers, notebook computers, and workstations to maximize the number of related safeguards adversaries must penetrate before compromising the information and information systems. Related controls: SC-29, SC-36. |
The organization designs its security architecture using a defense-in-depth approach that:
(a) Allocates [Assignment: organization-defined security safeguards] to [Assignment: organization-defined locations and architectural layers]; and
(b) Ensures that the allocated security safeguards operate in a coordinated and mutually reinforcing manner. |
| CCI-003088 |
The organization requires that organization-defined security safeguards allocated to organization-defined locations and architectural layers be obtained from different suppliers. |
The organization conducting the inspection/assessment obtains and examines procurement records to ensure that different suppliers are used to procure security safeguards defined in PL-8 (1), CCIs 3083 and 3084 allocated to locations and architectural layers defined in PL-8 (1) CCIs 3085 and 3086. |
The organization being inspected/assessed obtains from different suppliers security safeguards defined in PL-8 (1), CCIs 3083 and 3084 allocated to locations and architectural layers defined in PL-8 (1) CCIs 3085 and 3086. |
Information Security Architecture | Supplier Diversity |
PL-8 (2) |
PL-8(2).1 |
Different information technology products have different strengths and weaknesses. Providing a broad spectrum of products complements the individual offerings. For example, vendors offering malicious code protection typically update their products at different times, often developing solutions for known viruses, Trojans, or worms according to their priorities and development schedules. By having different products at different locations (e.g., server, boundary, desktop) there is an increased likelihood that at least one will detect the malicious code. Related control: SA-12. |
The organization requires that [Assignment: organization-defined security safeguards] allocated to [Assignment: organization-defined locations and architectural layers] are obtained from different suppliers. |
| CCI-003017 |
The organization defines the personnel or roles to whom a personnel security policy is disseminated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the roles as organizational personnel with access control responsibilities. |
DoD has defined the roles as organizational personnel with access control responsibilities. |
Personnel Security Policy And Procedures |
PS-1 |
PS-1.1 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PS family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and
b. Reviews and updates the current:
1. Personnel security policy [Assignment: organization-defined frequency]; and
2. Personnel security procedures [Assignment: organization-defined frequency]. |
| CCI-003018 |
The organization defines the personnel or roles to whom the personnel security procedures are disseminated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the roles as organizational personnel with access control responsibilities. |
DoD has defined the roles as organizational personnel with access control responsibilities. |
Personnel Security Policy And Procedures |
PS-1 |
PS-1.2 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PS family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and
b. Reviews and updates the current:
1. Personnel security policy [Assignment: organization-defined frequency]; and
2. Personnel security procedures [Assignment: organization-defined frequency]. |
| CCI-003019 |
The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection have valid access authorizations that are demonstrated by assigned official government duties. |
The organization conducting the inspection/assessment obtains and examines the documented process and a sampling of access authorizations to ensure individuals accessing an information system processing, storing, or transmitting information requiring special protection have valid access authorizations that are demonstrated by assigned official government duties. |
The organization being inspected/assessed documents and implements a process to ensure that individuals accessing an information system processing, storing, or transmitting information requiring special protection have valid access authorizations that are demonstrated by assigned official government duties. |
Personnel Screening | Information With Special Protection Measures |
PS-3 (3) |
PS-3(3).1 |
Organizational information requiring special protection includes, for example, Controlled Unclassified Information (CUI) and Sources and Methods Information (SAMI). Personnel security criteria include, for example, position sensitivity background screening requirements. |
The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection:
(a) Have valid access authorizations that are demonstrated by assigned official government duties; and
(b) Satisfy [Assignment: organization-defined additional personnel screening criteria]. |
| CCI-003020 |
The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection satisfy organization-defined additional personnel screening criteria. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed implements a process to ensure that individuals accessing an information system processing, storing, or transmitting information requiring special protection satisfy additional personnel screening criteria defined in PS-3 (3), CCI 3021. |
The organization being inspected/assessed documents and implements a process to ensure that individuals accessing an information system processing, storing, or transmitting information requiring special protection satisfy additional personnel screening criteria defined in PS-3 (3), CCI 3021. |
Personnel Screening | Information With Special Protection Measures |
PS-3 (3) |
PS-3(3).2 |
Organizational information requiring special protection includes, for example, Controlled Unclassified Information (CUI) and Sources and Methods Information (SAMI). Personnel security criteria include, for example, position sensitivity background screening requirements. |
The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection:
(a) Have valid access authorizations that are demonstrated by assigned official government duties; and
(b) Satisfy [Assignment: organization-defined additional personnel screening criteria]. |
| CCI-003021 |
The organization defines additional personnel screening criteria that individuals accessing an information system processing, storing, or transmitting information requiring protection must satisfy. |
The organization conducting the inspection/assessment obtains and examines the documented additional personnel screening criteria to ensure the organization being inspected/assessed defines additional personnel screening criteria that individuals accessing an information system processing, storing, or transmitting information requiring protection must satisfy.
DoD has determined the additional personnel screening criteria is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents additional personnel screening criteria that individuals accessing an information system processing, storing, or transmitting information requiring protection must satisfy.
DoD has determined the additional personnel screening criteria is not appropriate to define at the Enterprise level. |
Personnel Screening | Information With Special Protection Measures |
PS-3 (3) |
PS-3(3).3 |
Organizational information requiring special protection includes, for example, Controlled Unclassified Information (CUI) and Sources and Methods Information (SAMI). Personnel security criteria include, for example, position sensitivity background screening requirements. |
The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection:
(a) Have valid access authorizations that are demonstrated by assigned official government duties; and
(b) Satisfy [Assignment: organization-defined additional personnel screening criteria]. |
| CCI-003016 |
The organization, upon termination of individual employment, notifies organization-defined personnel or roles within an organization-defined time period. |
The organization conducting the inspection/assessment obtains and examines records of termination notification to ensure the organization being inspected/assessed notifies at a minimum, the ISSO and personnel responsible for revoking credentials immediately or within 24 hours upon termination of individual employment.
DoD has defined the personnel or roles as at a minimum, the ISSO and personnel responsible for revoking credentials.
DoD has defined the time period as immediately or within 24 hours. |
The organization being inspected/assessed notifies at a minimum, the ISSO and personnel responsible for revoking credentials immediately or within 24 hours upon termination of individual employment.
The organization must maintain records of termination notification.
DoD has defined the personnel or roles as at a minimum, the ISSO and personnel responsible for revoking credentials.
DoD has defined the time period as immediately or within 24 hours. |
Personnel Termination |
PS-4 |
PS-4.9 |
Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified. Related controls: AC-2, IA-4, PE-2, PS-5, PS-6. |
The organization, upon termination of individual employment:
a. Disables information system access within [Assignment: organization-defined time period];
b. Terminates/revokes any authenticators/credentials associated with the individual;
c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];
d. Retrieves all security-related organizational information system-related property;
e. Retains access to organizational information and information systems formerly controlled by terminated individual; and
f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. |
| CCI-003022 |
The organization defines the time period within which to disable information system access upon termination of individual employment. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as immediately. |
DoD has defined the time period as immediately. |
Personnel Termination |
PS-4 |
PS-4.2 |
Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified. Related controls: AC-2, IA-4, PE-2, PS-5, PS-6. |
The organization, upon termination of individual employment:
a. Disables information system access within [Assignment: organization-defined time period];
b. Terminates/revokes any authenticators/credentials associated with the individual;
c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];
d. Retrieves all security-related organizational information system-related property;
e. Retains access to organizational information and information systems formerly controlled by terminated individual; and
f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. |
| CCI-003023 |
The organization, upon termination of individual employment, terminates/revokes any authenticators/credentials associated with the individual. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as a sampling of records of termination/revocation of any authenticators/credentials to ensure the organization being inspected/assessed terminates/revokes any authenticators/credentials associated with the individual upon termination of individual employment. |
The organization being inspected/assessed documents and implements a process to terminate/revoke any authenticators/credentials associated with the individual upon termination of individual employment.
The organization must maintain records of termination/revocation of any authenticators/credentials. |
Personnel Termination |
PS-4 |
PS-4.3 |
Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified. Related controls: AC-2, IA-4, PE-2, PS-5, PS-6. |
The organization, upon termination of individual employment:
a. Disables information system access within [Assignment: organization-defined time period];
b. Terminates/revokes any authenticators/credentials associated with the individual;
c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];
d. Retrieves all security-related organizational information system-related property;
e. Retains access to organizational information and information systems formerly controlled by terminated individual; and
f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. |
| CCI-003024 |
The organization defines information security topics to be discussed while conducting exit interviews. |
The organization conducting the inspection/assessment obtains and examines the documented information security topics to ensure the organization being inspected/assessed defines information security topics to be discussed while conducting exit interviews.
DoD has determined the information security topics are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents information security topics to be discussed while conducting exit interviews.
DoD has determined the information security topics are not appropriate to define at the Enterprise level. |
Personnel Termination |
PS-4 |
PS-4.5 |
Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified. Related controls: AC-2, IA-4, PE-2, PS-5, PS-6. |
The organization, upon termination of individual employment:
a. Disables information system access within [Assignment: organization-defined time period];
b. Terminates/revokes any authenticators/credentials associated with the individual;
c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];
d. Retrieves all security-related organizational information system-related property;
e. Retains access to organizational information and information systems formerly controlled by terminated individual; and
f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. |
| CCI-003025 |
The organization defines personnel or roles to notify upon termination of individual employment. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as at a minimum, the ISSO and personnel responsible for revoking credentials. |
DoD has defined the personnel or roles as at a minimum, the ISSO and personnel responsible for revoking credentials. |
Personnel Termination |
PS-4 |
PS-4.10 |
Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified. Related controls: AC-2, IA-4, PE-2, PS-5, PS-6. |
The organization, upon termination of individual employment:
a. Disables information system access within [Assignment: organization-defined time period];
b. Terminates/revokes any authenticators/credentials associated with the individual;
c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];
d. Retrieves all security-related organizational information system-related property;
e. Retains access to organizational information and information systems formerly controlled by terminated individual; and
f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. |
| CCI-003026 |
The organization defines the time period within which to notify organization-defined personnel or roles upon termination of individual employment. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as immediately or within 24 hours. |
DoD has defined the time period as immediately or within 24 hours. |
Personnel Termination |
PS-4 |
PS-4.11 |
Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified. Related controls: AC-2, IA-4, PE-2, PS-5, PS-6. |
The organization, upon termination of individual employment:
a. Disables information system access within [Assignment: organization-defined time period];
b. Terminates/revokes any authenticators/credentials associated with the individual;
c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];
d. Retrieves all security-related organizational information system-related property;
e. Retains access to organizational information and information systems formerly controlled by terminated individual; and
f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. |
| CCI-003027 |
The organization notifies terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information. |
The organization conducting the inspection/assessment obtains and examines the record of notifications of post-employment requirements to ensure the organization being inspected/assessed notifies terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information. |
The organization being inspected/assessed notifies terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information.
The organization must maintain a record of notifications of post-employment requirements. |
Personnel Termination | Post-Employment Requirements |
PS-4 (1) |
PS-4(1).1 |
Organizations consult with the Office of the General Counsel regarding matters of post-employment requirements on terminated individuals. |
The organization:
(a) Notifies terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and
(b) Requires terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process. |
| CCI-003028 |
The organization requires terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process. |
The organization conducting the inspection/assessment obtains and examines the personnel security procedures and a sampling of signed acknowledgments of post-employment requirements to ensure the organization being inspected/assessed requires terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process. |
The organization being inspected/assessed documents within their personnel security procedures the requirement for terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process. |
Personnel Termination | Post-Employment Requirements |
PS-4 (1) |
PS-4(1).2 |
Organizations consult with the Office of the General Counsel regarding matters of post-employment requirements on terminated individuals. |
The organization:
(a) Notifies terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and
(b) Requires terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process. |
| CCI-003029 |
The organization employs automated mechanisms to notify organization-defined personnel or roles upon termination of an individual. |
The organization conducting the inspection/assessment examines the configuration of the automated mechanism and any records of notification sent to ensure the organization being inspected/assessed implements automated mechanisms to notify at a minimum, the ISSO and personnel responsible for revoking credentials upon termination of an individual.
DoD has defined the personnel or roles as at a minimum, the ISSO and personnel responsible for revoking credentials. |
The organization being inspected/assessed implements automated mechanisms to notify at a minimum, the ISSO and personnel responsible for revoking credentials upon termination of an individual.
DoD has defined the personnel or roles as at a minimum, the ISSO and personnel responsible for revoking credentials. |
Personnel Termination | Automated Notification |
PS-4 (2) |
PS-4(2).1 |
In organizations with a large number of employees, not all personnel who need to know about termination actions receive the appropriate notifications—or, if such notifications are received, they may not occur in a timely manner. Automated mechanisms can be used to send automatic alerts or notifications to specific organizational personnel or roles (e.g., management personnel, supervisors, personnel security officers, information security officers, systems administrators, or information technology administrators) when individuals are terminated. Such automatic alerts or notifications can be conveyed in a variety of ways, including, for example, telephonically, via electronic mail, via text message, or via websites. |
The organization employs automated mechanisms to notify [Assignment: organization-defined personnel or roles] upon termination of an individual. |
| CCI-003030 |
The organization defines the personnel or roles to be notified by automated mechanism upon termination of an individual. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as at a minimum, the ISSO and personnel responsible for revoking credentials. |
DoD has defined the personnel or roles as at a minimum, the ISSO and personnel responsible for revoking credentials. |
Personnel Termination | Automated Notification |
PS-4 (2) |
PS-4(2).2 |
In organizations with a large number of employees, not all personnel who need to know about termination actions receive the appropriate notifications—or, if such notifications are received, they may not occur in a timely manner. Automated mechanisms can be used to send automatic alerts or notifications to specific organizational personnel or roles (e.g., management personnel, supervisors, personnel security officers, information security officers, systems administrators, or information technology administrators) when individuals are terminated. Such automatic alerts or notifications can be conveyed in a variety of ways, including, for example, telephonically, via electronic mail, via text message, or via websites. |
The organization employs automated mechanisms to notify [Assignment: organization-defined personnel or roles] upon termination of an individual. |
| CCI-003031 |
The organization modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer. |
The organization conducting the inspection/assessment obtains and examines the documented process and a sampling of accounts of users recently transferred or reassigned to ensure the organization being inspected/assessed modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer. |
The organization being inspected/assessed documents and implements a process to modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer. |
Personnel Transfer |
PS-5 |
PS-5.5 |
This control applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing information system accounts and establishing new accounts; (iii) changing information system access authorizations (i.e., privileges); and (iv) providing for access to official records to which individuals had access at previous work locations and in previous information system accounts. Related controls: AC-2, IA-4, PE-2, PS-4. |
The organization:
a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;
b. Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action];
c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
d. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. |
| CCI-003032 |
The organization notifies organization-defined personnel or roles within an organization-defined time period when individuals are transferred or reassigned to other positions within the organization. |
The organization conducting the inspection/assessment obtains and examines records of transfer/reassignment notifications to ensure the organization being inspected/assessed notifies at a minimum, the ISSO and personnel responsible for transferring credentials within 24 hours when individuals are transferred or reassigned to other positions within the organization.
DoD has defined the personnel or roles as at a minimum, the ISSO and personnel responsible for transferring credentials.
DoD has defined the time period as within 24 hours. |
The organization being inspected/assessed notifies at a minimum, the ISSO and personnel responsible for transferring credentials within 24 hours when individuals are transferred or reassigned to other positions within the organization.
The organization must maintain records of transfer/reassignment notifications.
DoD has defined the personnel or roles as at a minimum, the ISSO and personnel responsible for transferring credentials.
DoD has defined the time period as within 24 hours. |
Personnel Transfer |
PS-5 |
PS-5.6 |
This control applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing information system accounts and establishing new accounts; (iii) changing information system access authorizations (i.e., privileges); and (iv) providing for access to official records to which individuals had access at previous work locations and in previous information system accounts. Related controls: AC-2, IA-4, PE-2, PS-4. |
The organization:
a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;
b. Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action];
c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
d. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. |
| CCI-003033 |
The organization defines personnel or roles to be notified when individuals are transferred or reassigned to other positions within the organization. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as at a minimum, the ISSO and personnel responsible for transferring credentials. |
DoD has defined the personnel or roles as at a minimum, the ISSO and personnel responsible for transferring credentials. |
Personnel Transfer |
PS-5 |
PS-5.7 |
This control applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing information system accounts and establishing new accounts; (iii) changing information system access authorizations (i.e., privileges); and (iv) providing for access to official records to which individuals had access at previous work locations and in previous information system accounts. Related controls: AC-2, IA-4, PE-2, PS-4. |
The organization:
a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;
b. Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action];
c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
d. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. |
| CCI-003034 |
The organization defines the time period within which organization-defined personnel or roles are to be notified when individuals are transferred or reassigned to other positions within the organization. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as immediately. |
DoD has defined the time period as immediately. |
Personnel Transfer |
PS-5 |
PS-5.8 |
This control applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing information system accounts and establishing new accounts; (iii) changing information system access authorizations (i.e., privileges); and (iv) providing for access to official records to which individuals had access at previous work locations and in previous information system accounts. Related controls: AC-2, IA-4, PE-2, PS-4. |
The organization:
a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;
b. Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action];
c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
d. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. |
| CCI-003035 |
The organization develops and documents access agreements for organizational information systems. |
The organization conducting the inspection/assessment obtains and examines the documented access agreements to ensure the organization being inspected/assessed develops and documents access agreements for organizational information systems. |
The organization being inspected/assessed develops and documents access agreements for organizational information systems. |
Access Agreements |
PS-6 |
PS-6.1 |
Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy. Related control: PL-4, PS-2, PS-3, PS-4, PS-8. |
The organization:
a. Develops and documents access agreements for organizational information systems;
b. Reviews and updates the access agreements [Assignment: organization-defined frequency]; and
c. Ensures that individuals requiring access to organizational information and information systems:
1. Sign appropriate access agreements prior to being granted access; and
2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency]. |
| CCI-003036 |
The organization ensures that individuals requiring access to organizational information and information systems re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or in accordance with organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines a sampling of re-signed access agreements to ensure the organization being inspected/assessed requires that individuals re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or when there is a change to the user's level of access.
DoD has defined the frequency as when there is a change to the user's level of access. |
The organization being inspected/assessed requires that individuals re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or when there is a change to the user's level of access.
DoD has defined the frequency as when there is a change to the user's level of access. |
Access Agreements |
PS-6 |
PS-6.5 |
Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy. Related control: PL-4, PS-2, PS-3, PS-4, PS-8. |
The organization:
a. Develops and documents access agreements for organizational information systems;
b. Reviews and updates the access agreements [Assignment: organization-defined frequency]; and
c. Ensures that individuals requiring access to organizational information and information systems:
1. Sign appropriate access agreements prior to being granted access; and
2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency]. |
| CCI-003037 |
The organization defines the frequency for individuals requiring access to organization information and information systems to re-sign access agreements. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as when there is a change to the user's level of access. |
DoD has defined the frequency as when there is a change to the user's level of access. |
Access Agreements |
PS-6 |
PS-6.6 |
Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy. Related control: PL-4, PS-2, PS-3, PS-4, PS-8. |
The organization:
a. Develops and documents access agreements for organizational information systems;
b. Reviews and updates the access agreements [Assignment: organization-defined frequency]; and
c. Ensures that individuals requiring access to organizational information and information systems:
1. Sign appropriate access agreements prior to being granted access; and
2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency]. |
| CCI-003038 |
The organization notifies individuals of applicable, legally binding post-employment requirements for protection of organizational information. |
The organization conducting the inspection/assessment obtains and examines the records of notifications of post-employment requirements for protection of organizational information to ensure the organization being inspected/assessed notifies individuals of applicable, legally binding post-employment requirements for protection of organizational information. |
The organization being inspected/assessed notifies individuals of applicable, legally binding post-employment requirements for protection of organizational information.
The organization must maintain records of notifications of post-employment requirements for protection of organizational information. |
Access Agreements | Post-Employment Requirements |
PS-6 (3) |
PS-6(3).1 |
Organizations consult with the Office of the General Counsel regarding matters of post-employment requirements on terminated individuals. |
The organization:
(a) Notifies individuals of applicable, legally binding post-employment requirements for protection of organizational information; and
(b) Requires individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information. |
| CCI-003039 |
The organization requires individuals to sign an acknowledgement of legally binding post-employment requirements for protection of organizational information, if applicable, as part of granting initial access to covered information. |
The organization conducting the inspection/assessment obtains and examines the documented process and a sampling of signed acknowledgements to ensure the organization being inspected/assessed requires individuals to sign an acknowledgement of legally binding post-employment requirements for protection of organizational information, if applicable, as part of granting initial access to covered information. |
The organization being inspected/assessed documents and implements a process to require individuals to sign an acknowledgement of legally binding post-employment requirements for protection of organizational information, if applicable, as part of granting initial access to covered information. |
Access Agreements | Post-Employment Requirements |
PS-6 (3) |
PS-6(3).2 |
Organizations consult with the Office of the General Counsel regarding matters of post-employment requirements on terminated individuals. |
The organization:
(a) Notifies individuals of applicable, legally binding post-employment requirements for protection of organizational information; and
(b) Requires individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information. |
| CCI-003040 |
The organization requires third-party providers to comply with personnel security policies and procedures established by the organization. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed requires third-party providers to comply with personnel security policies and procedures established by the organization. |
The organization being inspected/assessed documents and implements a process to require third-party providers to comply with personnel security policies and procedures established by the organization. |
Third-Party Personnel Security |
PS-7 |
PS-7.2 |
Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations. Notifications of third-party personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include, for example, functions, roles, and nature of credentials/privileges associated with individuals transferred or terminated. Related controls: PS-2, PS-3, PS-4, PS-5, PS-6, SA-9, SA-21. |
The organization:
a. Establishes personnel security requirements including security roles and responsibilities for third-party providers;
b. Requires third-party providers to comply with personnel security policies and procedures established by the organization;
c. Documents personnel security requirements;
d. Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and
e. Monitors provider compliance. |
| CCI-003041 |
The organization requires third-party providers to notify organization-defined personnel or roles of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within an organization-defined time period. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed requires third-party providers to notify at a minimum, the ISSO and personnel responsible for transferring credentials of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges immediately.
DoD has defined the personnel or roles as at a minimum, the ISSO and personnel responsible for transferring credentials.
DoD has defined the time period as immediately. |
The organization being inspected/assessed documents and implements a process to require third-party providers to notify at a minimum, the ISSO and personnel responsible for transferring credentials of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges immediately.
DoD has defined the personnel or roles as at a minimum, the ISSO and personnel responsible for transferring credentials.
DoD has defined the time period as immediately. |
Third-Party Personnel Security |
PS-7 |
PS-7.4 |
Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations. Notifications of third-party personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include, for example, functions, roles, and nature of credentials/privileges associated with individuals transferred or terminated. Related controls: PS-2, PS-3, PS-4, PS-5, PS-6, SA-9, SA-21. |
The organization:
a. Establishes personnel security requirements including security roles and responsibilities for third-party providers;
b. Requires third-party providers to comply with personnel security policies and procedures established by the organization;
c. Documents personnel security requirements;
d. Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and
e. Monitors provider compliance. |
| CCI-003042 |
The organization defines personnel or roles whom third-party providers are to notify when third-party personnel who possess organizational credentials and /or badges or who have information system privileges are transferred or terminated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as at a minimum, the ISSO and personnel responsible for transferring credentials. |
DoD has defined the personnel or roles as at a minimum, the ISSO and personnel responsible for transferring credentials. |
Third-Party Personnel Security |
PS-7 |
PS-7.5 |
Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations. Notifications of third-party personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include, for example, functions, roles, and nature of credentials/privileges associated with individuals transferred or terminated. Related controls: PS-2, PS-3, PS-4, PS-5, PS-6, SA-9, SA-21. |
The organization:
a. Establishes personnel security requirements including security roles and responsibilities for third-party providers;
b. Requires third-party providers to comply with personnel security policies and procedures established by the organization;
c. Documents personnel security requirements;
d. Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and
e. Monitors provider compliance. |
| CCI-003043 |
The organization defines the time period for third-party providers to notify organization-defined personnel or roles when third-party personnel who possess organizational credentials and /or badges or who have information system privileges are transferred or terminated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as immediately. |
DoD has defined the time period as immediately. |
Third-Party Personnel Security |
PS-7 |
PS-7.6 |
Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations. Notifications of third-party personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include, for example, functions, roles, and nature of credentials/privileges associated with individuals transferred or terminated. Related controls: PS-2, PS-3, PS-4, PS-5, PS-6, SA-9, SA-21. |
The organization:
a. Establishes personnel security requirements including security roles and responsibilities for third-party providers;
b. Requires third-party providers to comply with personnel security policies and procedures established by the organization;
c. Documents personnel security requirements;
d. Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and
e. Monitors provider compliance. |
| CCI-003044 |
The organization notifies organization-defined personnel or roles within an organization-defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. |
The organization conducting the inspection/assessment obtains and examines the records of notifications of employee sanctions to ensure the organization being inspected/assessed notifies at a minimum, the ISSO immediately when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.
DoD has defined the personnel or roles as at a minimum, the ISSO.
DoD has defined the time period as immediately. |
The organization being inspected/assessed notifies at a minimum, the ISSO immediately when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.
The organization must maintain records of notifications of employee sanctions.
DoD has defined the personnel or roles as at a minimum, the ISSO.
DoD has defined the time period as immediately. |
Personnel Sanctions |
PS-8 |
PS-8.3 |
Organizational sanctions processes reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Sanctions processes are described in access agreements and can be included as part of general personnel policies and procedures for organizations. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions. Related controls: PL-4, PS-6. |
The organization:
a. Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and
b. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. |
| CCI-003045 |
The organization defines personnel or roles who are to be notified when a formal employee sanctions process is initiated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as at a minimum, the ISSO. |
DoD has defined the personnel or roles as at a minimum, the ISSO. |
Personnel Sanctions |
PS-8 |
PS-8.4 |
Organizational sanctions processes reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Sanctions processes are described in access agreements and can be included as part of general personnel policies and procedures for organizations. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions. Related controls: PL-4, PS-6. |
The organization:
a. Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and
b. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. |
| CCI-003046 |
The organization defines the time period within which to notify organization-defined personnel or roles when a formal employee sanctions process is initiated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as immediately. |
DoD has defined the time period as immediately. |
Personnel Sanctions |
PS-8 |
PS-8.2 |
Organizational sanctions processes reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Sanctions processes are described in access agreements and can be included as part of general personnel policies and procedures for organizations. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions. Related controls: PL-4, PS-6. |
The organization:
a. Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and
b. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. |
| CCI-002368 |
The organization defines the personnel or roles to whom the risk assessment policy is disseminated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as at a minimum, the ISSM and ISSO. |
DoD has defined the roles as at a minimum, the ISSM and ISSO. |
Risk Assessment Policy And Procedures |
RA-1 |
RA-1.1 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and
b. Reviews and updates the current:
1. Risk assessment policy [Assignment: organization-defined frequency]; and
2. Risk assessment procedures [Assignment: organization-defined frequency]. |
| CCI-002369 |
The organization defines the personnel or roles to whom the risk assessment procedures are disseminated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as at a minimum, the ISSM and ISSO. |
DoD has defined the roles as at a minimum, the ISSM and ISSO. |
Risk Assessment Policy And Procedures |
RA-1 |
RA-1.2 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and
b. Reviews and updates the current:
1. Risk assessment policy [Assignment: organization-defined frequency]; and
2. Risk assessment procedures [Assignment: organization-defined frequency]. |
| CCI-002370 |
The organization disseminates risk assessment results to organization-defined personnel or roles. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed disseminates the risk assessment results to the ISSM, ISSO, AO, and PM.
DoD has defined the personnel or roles as the ISSM, ISSO, AO, and PM. |
The organization being inspected/assessed documents and implements a process to disseminates risk assessment results to the ISSM, ISSO, AO, and PM.
DoD has defined the personnel or roles as the ISSM, ISSO, AO, and PM. |
Risk Assessment |
RA-3 |
RA-3.6 |
Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems.
Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation. Related controls: RA-2, PM-9. |
The organization:
a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
c. Reviews risk assessment results [Assignment: organization-defined frequency];
d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system. |
| CCI-002371 |
The organization defines the personnel or roles to whom the risk assessment results will be disseminated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as the ISSM, ISSO, AO, and PM. |
DoD has defined the personnel or roles as the ISSM, ISSO, AO, and PM. |
Risk Assessment |
RA-3 |
RA-3.7 |
Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems.
Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation. Related controls: RA-2, PM-9. |
The organization:
a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
c. Reviews risk assessment results [Assignment: organization-defined frequency];
d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system. |
| CCI-002372 |
The organization correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability/ multi-hop attack vectors. |
The organization being inspected/assessed documents and implements a process to correlate the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors. |
Vulnerability Scanning | Correlate Scanning Information |
RA-5 (10) |
RA-5(10).1 |
|
The organization correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors. |
| CCI-002373 |
The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked). |
The organization conducting the inspection/assessment obtains and examines the software list or vulnerability scanning procedures to ensure the organization being inspected/assessed employs the DoD Enterprise scanning tool. |
The organization being inspected/assessed employs the DoD Enterprise scanning tool. |
Vulnerability Scanning | Breadth / Depth Of Coverage |
RA-5 (3) |
RA-5(3).1 |
|
The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked). |
| CCI-002374 |
The organization defines the corrective actions when information about the information system is discoverable by adversaries. |
The organization conducting the inspection/assessment obtains and examines the documented corrective actions to ensure the organization being inspected/assessed defines the corrective actions when information about the information system is discoverable by adversaries.
DoD has determined the corrective actions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the corrective actions when information about the information system is discoverable by adversaries.
DoD has determined the corrective actions are not appropriate to define at the Enterprise level. |
Vulnerability Scanning | Discoverable Information |
RA-5 (4) |
RA-5(4).2 |
Discoverable information includes information that adversaries could obtain without directly compromising or breaching the information system, for example, by collecting information the system is exposing or by conducting extensive searches of the web. Corrective actions can include, for example, notifying appropriate organizational personnel, removing designated information, or changing the information system to make designated information less relevant or attractive to adversaries. Related control: AU-13. |
The organization determines what information about the information system is discoverable by adversaries and subsequently takes [Assignment: organization-defined corrective actions]. |
| CCI-002375 |
The organization takes organization-defined corrective actions when information about the information system is discoverable by adversaries. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of actions taken to ensure the organization being inspected/assessed takes the corrective actions defined in RA-5 (4), CCI 2374 when information about the information system is discoverable by adversaries. |
The organization being inspected/assessed documents and implements a process to take the corrective actions defined in RA-5 (4), CCI 2374 when information about the information system is discoverable by adversaries.
The organization must maintain a record of actions taken. |
Vulnerability Scanning | Discoverable Information |
RA-5 (4) |
RA-5(4).3 |
Discoverable information includes information that adversaries could obtain without directly compromising or breaching the information system, for example, by collecting information the system is exposing or by conducting extensive searches of the web. Corrective actions can include, for example, notifying appropriate organizational personnel, removing designated information, or changing the information system to make designated information less relevant or attractive to adversaries. Related control: AU-13. |
The organization determines what information about the information system is discoverable by adversaries and subsequently takes [Assignment: organization-defined corrective actions]. |
| CCI-002376 |
The organization defines the personnel or roles with whom the information obtained from the vulnerability scanning process and security control assessments will be shared. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. |
DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. |
Vulnerability Scanning |
RA-5 |
RA-5.11 |
Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2. |
The organization:
a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyzes vulnerability scan reports and results from security control assessments;
d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). |
| CCI-002906 |
The organization defines the vulnerability scanning activities in which the information system implements privileged access authorization to organization-identified information system components. |
The organization conducting the inspection/assessment obtains and examines the documented vulnerability scanning activities to ensure the organization being inspected/assessed defines the vulnerability scanning activities in which the information system implements privileged access authorization to organization-identified information system components.
DoD has determined the vulnerability scanning activities are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the vulnerability scanning activities in which the information system implements privileged access authorization to organization-identified information system components.
DoD has determined the vulnerability scanning activities are not appropriate to define at the Enterprise level. |
Vulnerability Scanning | Privileged Access |
RA-5 (5) |
RA-5(5).3 |
In certain situations, the nature of the vulnerability scanning may be more intrusive or the information system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and also protects the sensitive nature of such scanning. |
The information system implements privileged access authorization to [Assignment: organization-identified information system components] for selected [Assignment: organization-defined vulnerability scanning activities]. |
| CCI-003119 |
The organization employs a technical surveillance countermeasures survey at organization-defined locations on an organization-defined frequency or when organization-defined events or indicators occur. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of surveys to ensure the organization being inspected/assessed employs a technical surveillance countermeasures survey at locations defined in RA-6, CCI 3120 on a frequency defined in RA-6, CCI 3121 or when events or indicators defined in RA-6, CCI 3122 occur. |
The organization being inspected/assessed documents and implements a process to employ a technical surveillance countermeasures survey at locations defined in RA-6, CCI 3120 on a frequency defined in RA-6, CCI 3121 or when events or indicators defined in RA-6, CCI 3122 occur.
The organization must maintain a record of surveys. |
Technical Surveillance Countermeasures Survey |
RA-6 |
RA-6.1 |
Technical surveillance countermeasures surveys are performed by qualified personnel to detect the presence of technical surveillance devices/hazards and to identify technical security weaknesses that could aid in the conduct of technical penetrations of surveyed facilities. Such surveys provide evaluations of the technical security postures of organizations and facilities and typically include thorough visual, electronic, and physical examinations in and about surveyed facilities. The surveys also provide useful input into risk assessments and organizational exposure to potential adversaries. |
The organization employs a technical surveillance countermeasures survey at [Assignment: organization-defined locations] [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined events or indicators occur]]. |
| CCI-003120 |
The organization defines the locations where technical surveillance countermeasures surveys are to be employed. |
The organization conducting the inspection/assessment obtains and examines the documented locations to ensure the organization being inspected/assessed defines the locations where technical surveillance countermeasures surveys are to be employed.
DoD has determined the locations are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the locations where technical surveillance countermeasures surveys are to be employed.
DoD has determined the locations are not appropriate to define at the Enterprise level. |
Technical Surveillance Countermeasures Survey |
RA-6 |
RA-6.2 |
Technical surveillance countermeasures surveys are performed by qualified personnel to detect the presence of technical surveillance devices/hazards and to identify technical security weaknesses that could aid in the conduct of technical penetrations of surveyed facilities. Such surveys provide evaluations of the technical security postures of organizations and facilities and typically include thorough visual, electronic, and physical examinations in and about surveyed facilities. The surveys also provide useful input into risk assessments and organizational exposure to potential adversaries. |
The organization employs a technical surveillance countermeasures survey at [Assignment: organization-defined locations] [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined events or indicators occur]]. |
| CCI-003121 |
The organization defines the frequency on which to employ technical surveillance countermeasures surveys. |
The organization conducting the inspection/assessment obtains and examines the documented frequency to ensure the organization being inspected/assessed defines the frequency on which to employ technical surveillance countermeasures surveys.
DoD has determined the frequency is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the frequency on which to employ technical surveillance countermeasures surveys.
DoD has determined the frequency is not appropriate to define at the Enterprise level. |
Technical Surveillance Countermeasures Survey |
RA-6 |
RA-6.3 |
Technical surveillance countermeasures surveys are performed by qualified personnel to detect the presence of technical surveillance devices/hazards and to identify technical security weaknesses that could aid in the conduct of technical penetrations of surveyed facilities. Such surveys provide evaluations of the technical security postures of organizations and facilities and typically include thorough visual, electronic, and physical examinations in and about surveyed facilities. The surveys also provide useful input into risk assessments and organizational exposure to potential adversaries. |
The organization employs a technical surveillance countermeasures survey at [Assignment: organization-defined locations] [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined events or indicators occur]]. |
| CCI-003122 |
The organization defines the events or indicators upon which technical surveillance countermeasures surveys are to be employed. |
The organization conducting the inspection/assessment obtains and examines the documented events or indicators to ensure the organization being inspected/assessed defines the events or indicators upon which technical surveillance countermeasures surveys are to be employed.
DoD has determined the events or indicators are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the events or indicators upon which technical surveillance countermeasures surveys are to be employed.
DoD has determined the events or indicators are not appropriate to define at the Enterprise level. |
Technical Surveillance Countermeasures Survey |
RA-6 |
RA-6.4 |
Technical surveillance countermeasures surveys are performed by qualified personnel to detect the presence of technical surveillance devices/hazards and to identify technical security weaknesses that could aid in the conduct of technical penetrations of surveyed facilities. Such surveys provide evaluations of the technical security postures of organizations and facilities and typically include thorough visual, electronic, and physical examinations in and about surveyed facilities. The surveys also provide useful input into risk assessments and organizational exposure to potential adversaries. |
The organization employs a technical surveillance countermeasures survey at [Assignment: organization-defined locations] [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined events or indicators occur]]. |
| CCI-003089 |
The organization defines the personnel or roles to whom the system and services acquisition policy is disseminated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as all personnel. |
DoD has defined the personnel or roles as all personnel. |
System And Services Acquisition Policy And Procedures |
SA-1 |
SA-1.1 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and
b. Reviews and updates the current:
1. System and services acquisition policy [Assignment: organization-defined frequency]; and
2. System and services acquisition procedures [Assignment: organization-defined frequency]. |
| CCI-003090 |
The organization defines the personnel or roles to whom procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are disseminated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as all personnel. |
DoD has defined the personnel or roles as all personnel. |
System And Services Acquisition Policy And Procedures |
SA-1 |
SA-1.2 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and
b. Reviews and updates the current:
1. System and services acquisition policy [Assignment: organization-defined frequency]; and
2. System and services acquisition procedures [Assignment: organization-defined frequency]. |
| CCI-003091 |
The organization determines information security requirements for the information system or information system service in mission/business process planning. |
The organization conducting the inspection/assessment obtains and examines the documented information security requirements to ensure the organization being inspected/assessed determines information security requirements for the information system or information system service in mission/business process planning. |
The organization being inspected/assessed determines and documents information security requirements for the information system or information system service in mission/business process planning. |
Allocation Of Resources |
SA-2 |
SA-2.1 |
Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system/service. Related controls: PM-3, PM-11. |
The organization:
a. Determines information security requirements for the information system or information system service in mission/business process planning;
b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and
c. Establishes a discrete line item for information security in organizational programming and budgeting documentation |
| CCI-003092 |
The organization defines a system development life cycle that is used to manage the information system. |
The organization conducting the inspection/assessment obtains and examines the documented system development life cycle to ensure the organization being inspected/assessed defines a system development life cycle that is used to manage the information system.
DoD has determined the system development life cycle is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents a system development life cycle that is used to manage the information system.
DoD has determined the system development life cycle is not appropriate to define at the Enterprise level. |
System Development Life Cycle |
SA-3 |
SA-3.2 |
A well-defined system development life cycle provides the foundation for the successful development, implementation, and operation of organizational information systems. To apply the required security controls within the system development life cycle requires a basic understanding of information security, threats, vulnerabilities, adverse impacts, and risk to critical missions/business functions. The security engineering principles in SA-8 cannot be properly applied if individuals that design, code, and test information systems and system components (including information technology products) do not understand security. Therefore, organizations include qualified personnel, for example, chief information security officers, security architects, security engineers, and information system security officers in system development life cycle activities to ensure that security requirements are incorporated into organizational information systems. It is equally important that developers include individuals on the development team that possess the requisite security expertise and skills to ensure that needed security capabilities are effectively integrated into the information system. Security awareness and training programs can help ensure that individuals having key security roles and responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed early in the system development life cycle and that those considerations are directly related to the organizational mission/business processes. This process also facilitates the integration of the information security architecture into the enterprise architecture, consistent with organizational risk management and information security strategies. Related controls: AT-3, PM-7, SA-8. |
The organization:
a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations;
b. Defines and documents information security roles and responsibilities throughout the system development life cycle;
c. Identifies individuals having information security roles and responsibilities; and
d. Integrates the organizational information security risk management process into system development life cycle activities. |
| CCI-003093 |
The organization integrates the organizational information security risk management process into system development life cycle activities. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed integrates the organizational information security risk management process into system development life cycle activities. |
The organization being inspected/assessed documents and implements a process to integrate the organizational information security risk management process into system development life cycle activities. |
System Development Life Cycle |
SA-3 |
SA-3.5 |
A well-defined system development life cycle provides the foundation for the successful development, implementation, and operation of organizational information systems. To apply the required security controls within the system development life cycle requires a basic understanding of information security, threats, vulnerabilities, adverse impacts, and risk to critical missions/business functions. The security engineering principles in SA-8 cannot be properly applied if individuals that design, code, and test information systems and system components (including information technology products) do not understand security. Therefore, organizations include qualified personnel, for example, chief information security officers, security architects, security engineers, and information system security officers in system development life cycle activities to ensure that security requirements are incorporated into organizational information systems. It is equally important that developers include individuals on the development team that possess the requisite security expertise and skills to ensure that needed security capabilities are effectively integrated into the information system. Security awareness and training programs can help ensure that individuals having key security roles and responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed early in the system development life cycle and that those considerations are directly related to the organizational mission/business processes. This process also facilitates the integration of the information security architecture into the enterprise architecture, consistent with organizational risk management and information security strategies. Related controls: AT-3, PM-7, SA-8. |
The organization:
a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations;
b. Defines and documents information security roles and responsibilities throughout the system development life cycle;
c. Identifies individuals having information security roles and responsibilities; and
d. Integrates the organizational information security risk management process into system development life cycle activities. |
| CCI-003094 |
The organization includes the security functional requirements, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed includes the security functional requirements, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs including DoDI 8580.1. |
The organization being inspected/assessed documents within contracts/agreements for the information system, system component, or information system service, the security functional requirements, explicitly or by reference, IAW DoDI 8580.1. |
Acquisition Process |
SA-4 |
SA-4.1 |
Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle.
Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy). Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA. Related controls: CM-6, PL-2, PS-7, SA-3, SA-5, SA-8, SA-11, SA-12. |
The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:
a. Security functional requirements;
b. Security strength requirements;
c. Security assurance requirements;
d. Security-related documentation requirements;
e. Requirements for protecting security-related documentation;
f. Description of the information system development environment and environment in which the system is intended to operate; and
g. Acceptance criteria. |
| CCI-003095 |
The organization includes the security strength requirements, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed includes the security strength requirements, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs including DoDI 8580.1. |
The organization being inspected/assessed documents within contracts/agreements for the information system, system component, or information system service, the security strength requirements, explicitly or by reference, IAW DoDI 8580.1. |
Acquisition Process |
SA-4 |
SA-4.2 |
Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle.
Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy). Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA. Related controls: CM-6, PL-2, PS-7, SA-3, SA-5, SA-8, SA-11, SA-12. |
The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:
a. Security functional requirements;
b. Security strength requirements;
c. Security assurance requirements;
d. Security-related documentation requirements;
e. Requirements for protecting security-related documentation;
f. Description of the information system development environment and environment in which the system is intended to operate; and
g. Acceptance criteria. |
| CCI-003096 |
The organization includes the security assurance requirements, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed includes the security assurance requirements, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs including DoDI 8580.1. |
The organization being inspected/assessed documents within contracts/agreements for the information system, system component, or information system service, the security assurance requirements, explicitly or by reference, IAW DoDI 8580.1. |
Acquisition Process |
SA-4 |
SA-4.3 |
Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle.
Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy). Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA. Related controls: CM-6, PL-2, PS-7, SA-3, SA-5, SA-8, SA-11, SA-12. |
The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:
a. Security functional requirements;
b. Security strength requirements;
c. Security assurance requirements;
d. Security-related documentation requirements;
e. Requirements for protecting security-related documentation;
f. Description of the information system development environment and environment in which the system is intended to operate; and
g. Acceptance criteria. |
| CCI-003097 |
The organization includes the security-related documentation requirements, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed includes the security-related documentation requirements, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs. |
The organization being inspected/assessed documents within contracts/agreements for the information system, system component, or information system service, the security-related documentation requirements, explicitly or by reference. |
Acquisition Process |
SA-4 |
SA-4.4 |
Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle.
Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy). Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA. Related controls: CM-6, PL-2, PS-7, SA-3, SA-5, SA-8, SA-11, SA-12. |
The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:
a. Security functional requirements;
b. Security strength requirements;
c. Security assurance requirements;
d. Security-related documentation requirements;
e. Requirements for protecting security-related documentation;
f. Description of the information system development environment and environment in which the system is intended to operate; and
g. Acceptance criteria. |
| CCI-003098 |
The organization includes requirements for protecting security-related documentation, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed includes requirements for protecting security-related documentation, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs. |
The organization being inspected/assessed documents within contracts/agreements for the information system, system component, or information system service, requirements for protecting security-related documentation, explicitly or by reference. |
Acquisition Process |
SA-4 |
SA-4.5 |
Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle.
Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy). Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA. Related controls: CM-6, PL-2, PS-7, SA-3, SA-5, SA-8, SA-11, SA-12. |
The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:
a. Security functional requirements;
b. Security strength requirements;
c. Security assurance requirements;
d. Security-related documentation requirements;
e. Requirements for protecting security-related documentation;
f. Description of the information system development environment and environment in which the system is intended to operate; and
g. Acceptance criteria. |
| CCI-003099 |
The organization includes description of the information system development environment and environment in which the system is intended to operate, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed includes a description of the information system development environment and environment in which the system is intended to operate, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs. |
The organization being inspected/assessed documents within contracts/agreements for the information system, system component, or information system service, a description of the information system development environment and environment in which the system is intended to operate, explicitly or by reference. |
Acquisition Process |
SA-4 |
SA-4.6 |
Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle.
Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy). Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA. Related controls: CM-6, PL-2, PS-7, SA-3, SA-5, SA-8, SA-11, SA-12. |
The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:
a. Security functional requirements;
b. Security strength requirements;
c. Security assurance requirements;
d. Security-related documentation requirements;
e. Requirements for protecting security-related documentation;
f. Description of the information system development environment and environment in which the system is intended to operate; and
g. Acceptance criteria. |
| CCI-003100 |
The organization includes acceptance criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed includes acceptance criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs. |
The organization being inspected/assessed documents within contracts/agreements for the information system, system component, or information system service, acceptance criteria, explicitly or by reference. |
Acquisition Process |
SA-4 |
SA-4.7 |
Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle.
Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy). Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA. Related controls: CM-6, PL-2, PS-7, SA-3, SA-5, SA-8, SA-11, SA-12. |
The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:
a. Security functional requirements;
b. Security strength requirements;
c. Security assurance requirements;
d. Security-related documentation requirements;
e. Requirements for protecting security-related documentation;
f. Description of the information system development environment and environment in which the system is intended to operate; and
g. Acceptance criteria. |
| CCI-003101 |
The organization requires the developer of the information system, system component, or information system service to provide design information for the security controls to be employed that includes security-relevant external system interfaces, high-level design, low-level design, source code, hardware schematics, and/or organization-defined design information at an organization-defined level of detail. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires the developer of the information system, system component, or information system service to provide design information for the security controls to be employed that includes security-relevant external system interfaces, high-level design, low-level design, source code and/or hardware schematics and/or design/information defined in SA-4 (2), CCI 3103 at the level of detail defined in SA-4 (2), CCI 3105. |
The organization being inspected/assessed defines and documents in contracts/agreements, the design information for the security controls that the developer will employ in the information system to include security-relevant external system interfaces, high-level design, low-level design, source code, hardware schematics and/or design/information defined in SA-4 (2), CCI 3103 at the level of detail defined in SA-4 (2), CCI 3105. |
Acquisition Process | Design / Implementation Information For Security Controls |
SA-4 (2) |
SA-4(2).1 |
Organizations may require different levels of detail in design and implementation documentation for security controls employed in organizational information systems, system components, or information system services based on mission/business requirements, requirements for trustworthiness/resiliency, and requirements for analysis and testing. Information systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of multiple subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules with particular emphasis on software and firmware (but not excluding hardware) and the interfaces between modules providing security-relevant functionality. Source code and hardware schematics are typically referred to as the implementation representation of the information system. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail]. |
| CCI-003102 |
The organization requires the developer of the information system, system component, or information system service to provide implementation information for the security controls to be employed that includes security-relevant external system interfaces, high-level design, low-level design, source code, hardware schematics, and/or organization-defined implementation information at an organization-defined level of detail. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires the developer of the information system, system component, or information system service to provide implementation information for the security controls to be employed that includes security-relevant external system interfaces, high-level design, low-level design, source code and/or hardware schematics and/or implementation information defined in SA-4 (2), CCI 3104 at the level of detail defined in SA-4 (2), CCI 3106. |
The organization being inspected/assessed defines and documents in contracts/agreements, the implementation information for the security controls that the developer will employ in the information system to include security-relevant external system interfaces, high-level design, low-level design, source code and/or hardware schematics and/or implementation information defined in SA-4 (2), CCI 3104 at the level of detail defined in SA-4 (2), CCI 3106. |
Acquisition Process | Design / Implementation Information For Security Controls |
SA-4 (2) |
SA-4(2).2 |
Organizations may require different levels of detail in design and implementation documentation for security controls employed in organizational information systems, system components, or information system services based on mission/business requirements, requirements for trustworthiness/resiliency, and requirements for analysis and testing. Information systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of multiple subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules with particular emphasis on software and firmware (but not excluding hardware) and the interfaces between modules providing security-relevant functionality. Source code and hardware schematics are typically referred to as the implementation representation of the information system. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail]. |
| CCI-003103 |
The organization defines the design information that the developer of the information system, system component, or information system service is required to provide for the security controls to be employed. |
The organization conducting the inspection/assessment obtains and examines the documented design information to ensure the organization being inspected/assessed defines the design information that the developer of the information system, system component, or information system service is required to provide for the security controls to be employed.
DoD has determined the design information is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the design information that the developer of the information system, system component, or information system service is required to provide for the security controls to be employed.
DoD has determined the design information is not appropriate to define at the Enterprise level. |
Acquisition Process | Design / Implementation Information For Security Controls |
SA-4 (2) |
SA-4(2).3 |
Organizations may require different levels of detail in design and implementation documentation for security controls employed in organizational information systems, system components, or information system services based on mission/business requirements, requirements for trustworthiness/resiliency, and requirements for analysis and testing. Information systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of multiple subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules with particular emphasis on software and firmware (but not excluding hardware) and the interfaces between modules providing security-relevant functionality. Source code and hardware schematics are typically referred to as the implementation representation of the information system. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail]. |
| CCI-003104 |
The organization defines the implementation information that the developer of the information system, system component, or information system service is required to provide for the security controls to be employed. |
The organization conducting the inspection/assessment obtains and examines the documented implementation information to ensure the organization being inspected/assessed defines the implementation information that the developer of the information system, system component, or information system service is required to provide for the security controls to be employed.
DoD has determined the implementation information is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the implementation information that the developer of the information system, system component, or information system service is required to provide for the security controls to be employed.
DoD has determined the implementation information is not appropriate to define at the Enterprise level. |
Acquisition Process | Design / Implementation Information For Security Controls |
SA-4 (2) |
SA-4(2).4 |
Organizations may require different levels of detail in design and implementation documentation for security controls employed in organizational information systems, system components, or information system services based on mission/business requirements, requirements for trustworthiness/resiliency, and requirements for analysis and testing. Information systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of multiple subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules with particular emphasis on software and firmware (but not excluding hardware) and the interfaces between modules providing security-relevant functionality. Source code and hardware schematics are typically referred to as the implementation representation of the information system. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail]. |
| CCI-003105 |
The organization defines the level of detail for the design information of the security controls that is required to be provided by the developer of the information system, system component, or information system services. |
The organization conducting the inspection/assessment obtains and examines the documented level of detail to ensure the organization being inspected/assessed defines the level of detail the design information of the security controls is required to be provided by the developer of the information system, system component, or information system services.
DoD has determined the level of detail is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the level of detail the design information of the security controls is required to be provided by the developer of the information system, system component, or information system services.
DoD has determined the level of detail is not appropriate to define at the Enterprise level. |
Acquisition Process | Design / Implementation Information For Security Controls |
SA-4 (2) |
SA-4(2).5 |
Organizations may require different levels of detail in design and implementation documentation for security controls employed in organizational information systems, system components, or information system services based on mission/business requirements, requirements for trustworthiness/resiliency, and requirements for analysis and testing. Information systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of multiple subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules with particular emphasis on software and firmware (but not excluding hardware) and the interfaces between modules providing security-relevant functionality. Source code and hardware schematics are typically referred to as the implementation representation of the information system. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail]. |
| CCI-003106 |
The organization defines the level of detail for the implementation information of the security controls that is required to be provided by the developer of the information system, system component, or information system services. |
The organization conducting the inspection/assessment obtains and examines the documented level of detail to ensure the organization being inspected/assessed defines the level of detail the implementation information of the security controls is required to be provided by the developer of the information system, system component, or information system services.
DoD has determined the level of detail is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the level of detail the implementation information of the security controls is required to be provided by the developer of the information system, system component, or information system services.
DoD has determined the level of detail is not appropriate to define at the Enterprise level. |
Acquisition Process | Design / Implementation Information For Security Controls |
SA-4 (2) |
SA-4(2).6 |
Organizations may require different levels of detail in design and implementation documentation for security controls employed in organizational information systems, system components, or information system services based on mission/business requirements, requirements for trustworthiness/resiliency, and requirements for analysis and testing. Information systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of multiple subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules with particular emphasis on software and firmware (but not excluding hardware) and the interfaces between modules providing security-relevant functionality. Source code and hardware schematics are typically referred to as the implementation representation of the information system. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail]. |
| CCI-003107 |
The organization requires the developer of the information system, system component, or information system service to demonstrate the use of a system development life cycle that includes organization-defined state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires the developer of the information system, system component, or information system service to demonstrate the use of a system development life cycle that includes the state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes defined in SA-4 (3), CCI 3108. |
The organization being inspected/assessed defines and documents within contracts/agreements, a requirement for the developer to demonstrate the use of a system development life cycle that includes the state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes defined in SA-4 (3), CCI 3108. |
Acquisition Process | Development Methods / Techniques / Practices |
SA-4 (3) |
SA-4(3).1 |
Following a well-defined system development life cycle that includes state-of-the-practice software development methods, systems/security engineering methods, quality control processes, and testing, evaluation, and validation techniques helps to reduce the number and severity of latent errors within information systems, system components, and information system services. Reducing the number/severity of such errors reduces the number of vulnerabilities in those systems, components, and services. Related control: SA-12. |
The organization requires the developer of the information system, system component, or information system service to demonstrate the use of a system development life cycle that includes [Assignment: organization-defined state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes]. |
| CCI-003108 |
The organization defines the state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes that the developer of the information system, system component, or information system service is required to include when demonstrating the use of a system development life cycle. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed defines the state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes that the developer of the information system, system component, or information system service needs to include when demonstrating the use of a system development life cycle. |
The organization being inspected/assessed defines and documents within contracts/agreements, the requirement for the developer to provide information regarding the state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes. |
Acquisition Process | Development Methods / Techniques / Practices |
SA-4 (3) |
SA-4(3).2 |
Following a well-defined system development life cycle that includes state-of-the-practice software development methods, systems/security engineering methods, quality control processes, and testing, evaluation, and validation techniques helps to reduce the number and severity of latent errors within information systems, system components, and information system services. Reducing the number/severity of such errors reduces the number of vulnerabilities in those systems, components, and services. Related control: SA-12. |
The organization requires the developer of the information system, system component, or information system service to demonstrate the use of a system development life cycle that includes [Assignment: organization-defined state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes]. |
| CCI-003109 |
The organization requires the developer of the information system, system component, or information system service to deliver the system, component, or service with organization-defined security configurations implemented. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires he developer of the information system, system component, or information system service to deliver the system, component, or service with security configurations identified by the applicable requirements from DoDI 8510.01 and STIGs/SRGs.
DoD has defined the security configurations as security configurations identified by the applicable requirements from DoDI 8510.01 and STIGs/SRGs. |
The organization being inspected/assessed documents within contracts/agreements, requirements that the developer of the information system, system component, or information system service to deliver the system, component, or service with security configurations identified by the applicable requirements from DoDI 8510.01 and STIGs/SRGs.
DoD has defined the security configurations as security configurations identified by the applicable requirements from DoDI 8510.01 and STIGs/SRGs. |
Acquisition Process | System / Component / Service Configurations |
SA-4 (5) |
SA-4(5).1 |
Security configurations include, for example, the U.S. Government Configuration Baseline (USGCB) and any limitations on functions, ports, protocols, and services. Security characteristics include, for example, requiring that all default passwords have been changed. Related control: CM-8. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and
(b) Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade. |
| CCI-003110 |
The organization defines the security configurations required to be implemented when the developer delivers the information system, system component, or information system service. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the security configurations as security configurations identified by the applicable requirements from DoDI 8510.01 and STIGs/SRGs. |
DoD has defined the security configurations as security configurations identified by the applicable requirements from DoDI 8510.01 and STIGs/SRGs. |
Acquisition Process | System / Component / Service Configurations |
SA-4 (5) |
SA-4(5).2 |
Security configurations include, for example, the U.S. Government Configuration Baseline (USGCB) and any limitations on functions, ports, protocols, and services. Security characteristics include, for example, requiring that all default passwords have been changed. Related control: CM-8. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and
(b) Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade. |
| CCI-003111 |
The organization requires the developer of the information system, system component, or information system service to use the organization-defined security configurations as the default for any subsequent system, component, or service reinstallation or upgrade. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires the developer of the information system, system component, or information system service to use the applicable requirements from DoDI 8510.01 and STIGs/SRGs as the default for any subsequent system, component, or service reinstallation or upgrade.
DoD has defined the security configurations as security configurations identified by the applicable requirements from DoDI 8510.01 and STIGs/SRGs. |
The organization being inspected/assessed documents within contracts/agreements, requirements that the developer of the information system, system component, or information system service to use the applicable requirements from DoDI 8510.01 and STIGs/SRGs as the default for any subsequent system, component, or service reinstallation or upgrade.
DoD has defined the security configurations as security configurations identified by the applicable requirements from DoDI 8510.01 and STIGs/SRGs. |
Acquisition Process | System / Component / Service Configurations |
SA-4 (5) |
SA-4(5).3 |
Security configurations include, for example, the U.S. Government Configuration Baseline (USGCB) and any limitations on functions, ports, protocols, and services. Security characteristics include, for example, requiring that all default passwords have been changed. Related control: CM-8. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and
(b) Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade. |
| CCI-003112 |
The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains an organization-defined level of detail. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service produce a plan for the continuous monitoring of security control effectiveness that contains the level of detail defined in SA-4 (8), CCI 3113. |
The organization being inspected/assessed documents within contracts/agreements, the requirement that the developer of the information system, system component, or information system service produce a plan for the continuous monitoring of security control effectiveness that contains the level of detail defined in SA-4 (8), CCI 3113. |
Acquisition Process | Continuous Monitoring Plan |
SA-4 (8) |
SA-4(8).1 |
The objective of continuous monitoring plans is to determine if the complete set of planned, required, and deployed security controls within the information system, system component, or information system service continue to be effective over time based on the inevitable changes that occur. Developer continuous monitoring plans include a sufficient level of detail such that the information can be incorporated into the continuous monitoring strategies and programs implemented by organizations. Related control: CA-7. |
The organization requires that developers produce a plan for continuous monitoring of security control effectiveness in the information system.
The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains [Assignment: organization-defined level of detail]. |
| CCI-003113 |
The organization defines the level of detail to be contained in the plan for the continuous monitoring of security control effectiveness that the developer of the information system, system component, or information system services is required to produce. |
The organization conducting the inspection/assessment obtains and examines the documented level of detail to ensure the organization being inspected/assessed defines the level of detail to be contained in the plan for the continuous monitoring of security control effectiveness that the developer of the information system, system component, or information system services is required to produce.
DoD has determined the level of detail is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the level of detail to be contained in the plan for the continuous monitoring of security control effectiveness that the developer of the information system, system component, or information system services is required to produce.
DoD has determined the level of detail is not appropriate to define at the Enterprise level. |
Acquisition Process | Continuous Monitoring Plan |
SA-4 (8) |
SA-4(8).2 |
The objective of continuous monitoring plans is to determine if the complete set of planned, required, and deployed security controls within the information system, system component, or information system service continue to be effective over time based on the inevitable changes that occur. Developer continuous monitoring plans include a sufficient level of detail such that the information can be incorporated into the continuous monitoring strategies and programs implemented by organizations. Related control: CA-7. |
The organization requires that developers produce a plan for continuous monitoring of security control effectiveness in the information system.
The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains [Assignment: organization-defined level of detail]. |
| CCI-003114 |
The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use. |
The organization being inspected/assessed documents within contracts/agreements, the requirement that the developer of the information system, system component, or information system service identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.
Ports identified shall be assessed and planned for in light of DISA's PPSM requirements. |
Acquisition Process | Functions / Ports / Protocols / Services In Use |
SA-4 (9) |
SA-4(9).1 |
The identification of functions, ports, protocols, and services early in the system development life cycle (e.g., during the initial requirements definition and design phases) allows organizations to influence the design of the information system, information system component, or information system service. This early involvement in the life cycle helps organizations to avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services (or when requiring information system service providers to do so). Early identification of functions, ports, protocols, and services avoids costly retrofitting of security controls after the information system, system component, or information system service has been implemented. SA-9 describes requirements for external information system services with organizations identifying which functions, ports, protocols, and services are provided from external sources. Related controls: CM-7, SA-9. |
The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use. |
| CCI-003115 |
The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use. |
|
|
|
|
|
|
|
| CCI-003116 |
The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems. |
The organization conducting the inspection/assessment examines the information system to ensure DoD approved PKI tokens are implemented for identity verification. |
The organization being inspected/assessed employs DoD approved PKI tokens for identity verification. |
Acquisition Process | Use Of Approved PIV Products |
SA-4 (10) |
SA-4(10).1 |
Related controls: IA-2; IA-8. |
The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems. |
| CCI-003124 |
The organization obtains administrator documentation for the information system, system component, or information system service that describes secure configuration of the system, component, or service. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer provide administrator documentation for the information system, system component or information system service that describe secure configuration of the system, component, or service. |
The organization being inspected/assessed documents within contracts/agreements, requirements that the developer provide administrator documentation for the information system, system component or information system service that describe secure configuration of the system, component, or service. |
Information System Documentation |
SA-5 |
SA-5.1 |
This control helps organizational personnel understand the implementation and operation of security controls associated with information systems, system components, and information system services. Organizations consider establishing specific measures to determine the quality/completeness of the content provided. The inability to obtain needed documentation may occur, for example, due to the age of the information system/component or lack of support from developers and contractors. In those situations, organizations may need to recreate selected documentation if such documentation is essential to the effective implementation or operation of security controls. The level of protection provided for selected information system, component, or service documentation is commensurate with the security category or classification of the system. For example, documentation associated with a key DoD weapons system or command and control system would typically require a higher level of protection than a routine administrative system. Documentation that addresses information system vulnerabilities may also require an increased level of protection. Secure operation of the information system, includes, for example, initially starting the system and resuming secure system operation after any lapse in system operation. Related controls: CM-6, CM-8, PL-2, PL-4, PS-2, SA-3, SA-4. |
The organization:
a. Obtains administrator documentation for the information system, system component, or information system service that describes:
1. Secure configuration, installation, and operation of the system, component, or service;
2. Effective use and maintenance of security functions/mechanisms; and
3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
b. Obtains user documentation for the information system, system component, or information system service that describes:
1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
3. User responsibilities in maintaining the security of the system, component, or service;
c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and [Assignment: organization-defined actions] in response;
d. Protects documentation as required, in accordance with the risk management strategy; and
e. Distributes documentation to [Assignment: organization-defined personnel or roles]. |
| CCI-003125 |
The organization obtains administrator documentation for the information system, system component, or information system service that describes secure installation of the system, component, or service. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer provide administrator documentation for the information system, system component or information system service that describe secure installation of the system, component, or service. |
The organization being inspected/assessed documents within contracts/agreements, requirements that the developer provide administrator documentation for the information system, system component or information system service that describe secure installation of the system, component, or service. |
Information System Documentation |
SA-5 |
SA-5.2 |
This control helps organizational personnel understand the implementation and operation of security controls associated with information systems, system components, and information system services. Organizations consider establishing specific measures to determine the quality/completeness of the content provided. The inability to obtain needed documentation may occur, for example, due to the age of the information system/component or lack of support from developers and contractors. In those situations, organizations may need to recreate selected documentation if such documentation is essential to the effective implementation or operation of security controls. The level of protection provided for selected information system, component, or service documentation is commensurate with the security category or classification of the system. For example, documentation associated with a key DoD weapons system or command and control system would typically require a higher level of protection than a routine administrative system. Documentation that addresses information system vulnerabilities may also require an increased level of protection. Secure operation of the information system, includes, for example, initially starting the system and resuming secure system operation after any lapse in system operation. Related controls: CM-6, CM-8, PL-2, PL-4, PS-2, SA-3, SA-4. |
The organization:
a. Obtains administrator documentation for the information system, system component, or information system service that describes:
1. Secure configuration, installation, and operation of the system, component, or service;
2. Effective use and maintenance of security functions/mechanisms; and
3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
b. Obtains user documentation for the information system, system component, or information system service that describes:
1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
3. User responsibilities in maintaining the security of the system, component, or service;
c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and [Assignment: organization-defined actions] in response;
d. Protects documentation as required, in accordance with the risk management strategy; and
e. Distributes documentation to [Assignment: organization-defined personnel or roles]. |
| CCI-003126 |
The organization obtains administrator documentation for the information system, system component, or information system service that describes secure operation of the system, component, or service. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer provide administrator documentation for the information system, system component or information system service that describe secure operation of the system, component, or service. |
The organization being inspected/assessed documents within contracts/agreements, requirements that the developer provide administrator documentation for the information system, system component or information system service that describe secure operation of the system, component, or service. |
Information System Documentation |
SA-5 |
SA-5.3 |
This control helps organizational personnel understand the implementation and operation of security controls associated with information systems, system components, and information system services. Organizations consider establishing specific measures to determine the quality/completeness of the content provided. The inability to obtain needed documentation may occur, for example, due to the age of the information system/component or lack of support from developers and contractors. In those situations, organizations may need to recreate selected documentation if such documentation is essential to the effective implementation or operation of security controls. The level of protection provided for selected information system, component, or service documentation is commensurate with the security category or classification of the system. For example, documentation associated with a key DoD weapons system or command and control system would typically require a higher level of protection than a routine administrative system. Documentation that addresses information system vulnerabilities may also require an increased level of protection. Secure operation of the information system, includes, for example, initially starting the system and resuming secure system operation after any lapse in system operation. Related controls: CM-6, CM-8, PL-2, PL-4, PS-2, SA-3, SA-4. |
The organization:
a. Obtains administrator documentation for the information system, system component, or information system service that describes:
1. Secure configuration, installation, and operation of the system, component, or service;
2. Effective use and maintenance of security functions/mechanisms; and
3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
b. Obtains user documentation for the information system, system component, or information system service that describes:
1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
3. User responsibilities in maintaining the security of the system, component, or service;
c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and [Assignment: organization-defined actions] in response;
d. Protects documentation as required, in accordance with the risk management strategy; and
e. Distributes documentation to [Assignment: organization-defined personnel or roles]. |
| CCI-003127 |
The organization obtains administrator documentation for the information system, system component, or information system services that describes effective use and maintenance of security functions/mechanisms. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer provide administrator documentation for the information system, system component or information system service that describe effective use and maintenance of security functions/mechanisms. |
The organization being inspected/assessed documents within contracts/agreements, requirements that the developer provide administrator documentation for the information system, system component or information system service that describe effective use and maintenance of security functions/mechanisms. |
Information System Documentation |
SA-5 |
SA-5.4 |
This control helps organizational personnel understand the implementation and operation of security controls associated with information systems, system components, and information system services. Organizations consider establishing specific measures to determine the quality/completeness of the content provided. The inability to obtain needed documentation may occur, for example, due to the age of the information system/component or lack of support from developers and contractors. In those situations, organizations may need to recreate selected documentation if such documentation is essential to the effective implementation or operation of security controls. The level of protection provided for selected information system, component, or service documentation is commensurate with the security category or classification of the system. For example, documentation associated with a key DoD weapons system or command and control system would typically require a higher level of protection than a routine administrative system. Documentation that addresses information system vulnerabilities may also require an increased level of protection. Secure operation of the information system, includes, for example, initially starting the system and resuming secure system operation after any lapse in system operation. Related controls: CM-6, CM-8, PL-2, PL-4, PS-2, SA-3, SA-4. |
The organization:
a. Obtains administrator documentation for the information system, system component, or information system service that describes:
1. Secure configuration, installation, and operation of the system, component, or service;
2. Effective use and maintenance of security functions/mechanisms; and
3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
b. Obtains user documentation for the information system, system component, or information system service that describes:
1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
3. User responsibilities in maintaining the security of the system, component, or service;
c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and [Assignment: organization-defined actions] in response;
d. Protects documentation as required, in accordance with the risk management strategy; and
e. Distributes documentation to [Assignment: organization-defined personnel or roles]. |
| CCI-003128 |
The organization obtains administrator documentation for the information system, system component, or information system service that describes known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer provide administrator documentation for the information system, system component or information system service that describe known vulnerabilities regarding configuration and use of administrative (i.e. privileged) functions. |
The organization being inspected/assessed documents within contracts/agreements, requirements that the developer provide administrator documentation for the information system, system component or information system service that describe known vulnerabilities regarding configuration and use of administrative (i.e. privileged) functions. |
Information System Documentation |
SA-5 |
SA-5.5 |
This control helps organizational personnel understand the implementation and operation of security controls associated with information systems, system components, and information system services. Organizations consider establishing specific measures to determine the quality/completeness of the content provided. The inability to obtain needed documentation may occur, for example, due to the age of the information system/component or lack of support from developers and contractors. In those situations, organizations may need to recreate selected documentation if such documentation is essential to the effective implementation or operation of security controls. The level of protection provided for selected information system, component, or service documentation is commensurate with the security category or classification of the system. For example, documentation associated with a key DoD weapons system or command and control system would typically require a higher level of protection than a routine administrative system. Documentation that addresses information system vulnerabilities may also require an increased level of protection. Secure operation of the information system, includes, for example, initially starting the system and resuming secure system operation after any lapse in system operation. Related controls: CM-6, CM-8, PL-2, PL-4, PS-2, SA-3, SA-4. |
The organization:
a. Obtains administrator documentation for the information system, system component, or information system service that describes:
1. Secure configuration, installation, and operation of the system, component, or service;
2. Effective use and maintenance of security functions/mechanisms; and
3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
b. Obtains user documentation for the information system, system component, or information system service that describes:
1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
3. User responsibilities in maintaining the security of the system, component, or service;
c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and [Assignment: organization-defined actions] in response;
d. Protects documentation as required, in accordance with the risk management strategy; and
e. Distributes documentation to [Assignment: organization-defined personnel or roles]. |
| CCI-003129 |
The organization obtains user documentation for the information system, system component, or information system service that describes user-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer provide user documentation for the information system, system component or information system service that describes user-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms. |
The organization being inspected/assessed documents within contracts/agreements, requirements that the developer provide user documentation for the information system, system component or information system service that describes user-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms. |
Information System Documentation |
SA-5 |
SA-5.6 |
This control helps organizational personnel understand the implementation and operation of security controls associated with information systems, system components, and information system services. Organizations consider establishing specific measures to determine the quality/completeness of the content provided. The inability to obtain needed documentation may occur, for example, due to the age of the information system/component or lack of support from developers and contractors. In those situations, organizations may need to recreate selected documentation if such documentation is essential to the effective implementation or operation of security controls. The level of protection provided for selected information system, component, or service documentation is commensurate with the security category or classification of the system. For example, documentation associated with a key DoD weapons system or command and control system would typically require a higher level of protection than a routine administrative system. Documentation that addresses information system vulnerabilities may also require an increased level of protection. Secure operation of the information system, includes, for example, initially starting the system and resuming secure system operation after any lapse in system operation. Related controls: CM-6, CM-8, PL-2, PL-4, PS-2, SA-3, SA-4. |
The organization:
a. Obtains administrator documentation for the information system, system component, or information system service that describes:
1. Secure configuration, installation, and operation of the system, component, or service;
2. Effective use and maintenance of security functions/mechanisms; and
3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
b. Obtains user documentation for the information system, system component, or information system service that describes:
1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
3. User responsibilities in maintaining the security of the system, component, or service;
c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and [Assignment: organization-defined actions] in response;
d. Protects documentation as required, in accordance with the risk management strategy; and
e. Distributes documentation to [Assignment: organization-defined personnel or roles]. |
| CCI-003130 |
The organization obtains user documentation for the information system, system component, or information system service that describes methods for user interaction which enables individuals to use the system, component, or service in a more secure manner. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer provide user documentation for the information system, system component or information system service that describes methods for user interaction which enables individuals to use the system, component, or service in a more secure manner. |
The organization being inspected/assessed documents within contracts/agreements, requirements that the developer provide user documentation for the information system, system component or information system service that describes methods for user interaction which enables individuals to use the system, component, or service in a more secure manner. |
Information System Documentation |
SA-5 |
SA-5.7 |
This control helps organizational personnel understand the implementation and operation of security controls associated with information systems, system components, and information system services. Organizations consider establishing specific measures to determine the quality/completeness of the content provided. The inability to obtain needed documentation may occur, for example, due to the age of the information system/component or lack of support from developers and contractors. In those situations, organizations may need to recreate selected documentation if such documentation is essential to the effective implementation or operation of security controls. The level of protection provided for selected information system, component, or service documentation is commensurate with the security category or classification of the system. For example, documentation associated with a key DoD weapons system or command and control system would typically require a higher level of protection than a routine administrative system. Documentation that addresses information system vulnerabilities may also require an increased level of protection. Secure operation of the information system, includes, for example, initially starting the system and resuming secure system operation after any lapse in system operation. Related controls: CM-6, CM-8, PL-2, PL-4, PS-2, SA-3, SA-4. |
The organization:
a. Obtains administrator documentation for the information system, system component, or information system service that describes:
1. Secure configuration, installation, and operation of the system, component, or service;
2. Effective use and maintenance of security functions/mechanisms; and
3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
b. Obtains user documentation for the information system, system component, or information system service that describes:
1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
3. User responsibilities in maintaining the security of the system, component, or service;
c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and [Assignment: organization-defined actions] in response;
d. Protects documentation as required, in accordance with the risk management strategy; and
e. Distributes documentation to [Assignment: organization-defined personnel or roles]. |
| CCI-003131 |
The organization obtains user documentation for the information system, system component, or information system service that describes user responsibilities in maintaining the security of the system, component, or service. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer provide user documentation for the information system, system component or information system service that describes user responsibilities in maintaining the security of the system, component, or service. |
The organization being inspected/assessed documents within contracts/agreements, requirements that the developer provide user documentation for the information system, system component or information system service that describes user responsibilities in maintaining the security of the system, component, or service. |
Information System Documentation |
SA-5 |
SA-5.8 |
This control helps organizational personnel understand the implementation and operation of security controls associated with information systems, system components, and information system services. Organizations consider establishing specific measures to determine the quality/completeness of the content provided. The inability to obtain needed documentation may occur, for example, due to the age of the information system/component or lack of support from developers and contractors. In those situations, organizations may need to recreate selected documentation if such documentation is essential to the effective implementation or operation of security controls. The level of protection provided for selected information system, component, or service documentation is commensurate with the security category or classification of the system. For example, documentation associated with a key DoD weapons system or command and control system would typically require a higher level of protection than a routine administrative system. Documentation that addresses information system vulnerabilities may also require an increased level of protection. Secure operation of the information system, includes, for example, initially starting the system and resuming secure system operation after any lapse in system operation. Related controls: CM-6, CM-8, PL-2, PL-4, PS-2, SA-3, SA-4. |
The organization:
a. Obtains administrator documentation for the information system, system component, or information system service that describes:
1. Secure configuration, installation, and operation of the system, component, or service;
2. Effective use and maintenance of security functions/mechanisms; and
3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
b. Obtains user documentation for the information system, system component, or information system service that describes:
1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
3. User responsibilities in maintaining the security of the system, component, or service;
c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and [Assignment: organization-defined actions] in response;
d. Protects documentation as required, in accordance with the risk management strategy; and
e. Distributes documentation to [Assignment: organization-defined personnel or roles]. |
| CCI-003132 |
The organization takes organization-defined actions in response to attempts to obtain either unavailable or nonexistent documentation for the information system, system component, or information system service. |
The organization conducting the inspection/assessment obtains and examines the record of actions taken to ensure the organization being inspected/assessed takes actions defined in SA-5, CCI 3133 in response to attempts to obtain either unavailable or nonexistent documentation for information system, system component, or information system service.
DoD has determined the actions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed takes actions defined in SA-5, CCI 3133 in response to attempts to obtain either unavailable or nonexistent documentation for information system, system component, or information system service.
The organization must maintain a record of actions taken.
DoD has determined the actions are not appropriate to define at the Enterprise level. |
Information System Documentation |
SA-5 |
SA-5.9 |
This control helps organizational personnel understand the implementation and operation of security controls associated with information systems, system components, and information system services. Organizations consider establishing specific measures to determine the quality/completeness of the content provided. The inability to obtain needed documentation may occur, for example, due to the age of the information system/component or lack of support from developers and contractors. In those situations, organizations may need to recreate selected documentation if such documentation is essential to the effective implementation or operation of security controls. The level of protection provided for selected information system, component, or service documentation is commensurate with the security category or classification of the system. For example, documentation associated with a key DoD weapons system or command and control system would typically require a higher level of protection than a routine administrative system. Documentation that addresses information system vulnerabilities may also require an increased level of protection. Secure operation of the information system, includes, for example, initially starting the system and resuming secure system operation after any lapse in system operation. Related controls: CM-6, CM-8, PL-2, PL-4, PS-2, SA-3, SA-4. |
The organization:
a. Obtains administrator documentation for the information system, system component, or information system service that describes:
1. Secure configuration, installation, and operation of the system, component, or service;
2. Effective use and maintenance of security functions/mechanisms; and
3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
b. Obtains user documentation for the information system, system component, or information system service that describes:
1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
3. User responsibilities in maintaining the security of the system, component, or service;
c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and [Assignment: organization-defined actions] in response;
d. Protects documentation as required, in accordance with the risk management strategy; and
e. Distributes documentation to [Assignment: organization-defined personnel or roles]. |
| CCI-003133 |
The organization defines actions to be taken in response to attempts to obtain either unavailable or nonexistent documentation for the information system, system component, or information system service. |
The organization conducting inspection/assessment obtains and examines the documented actions to ensure the organization being inspected/assessed defines action to be taken in response to attempts to obtain either unavailable or nonexistent documentation for information system, system component, or information system service.
DoD has determined the actions are not appropriate to define at the Enterprise level.
|
The organization being inspected/assessed defines and documents actions to be taken in response to attempts to obtain either unavailable or nonexistent documentation for information system, system component, or information system service.
DoD has determined the actions are not appropriate to define at the Enterprise level.
|
Information System Documentation |
SA-5 |
SA-5.10 |
This control helps organizational personnel understand the implementation and operation of security controls associated with information systems, system components, and information system services. Organizations consider establishing specific measures to determine the quality/completeness of the content provided. The inability to obtain needed documentation may occur, for example, due to the age of the information system/component or lack of support from developers and contractors. In those situations, organizations may need to recreate selected documentation if such documentation is essential to the effective implementation or operation of security controls. The level of protection provided for selected information system, component, or service documentation is commensurate with the security category or classification of the system. For example, documentation associated with a key DoD weapons system or command and control system would typically require a higher level of protection than a routine administrative system. Documentation that addresses information system vulnerabilities may also require an increased level of protection. Secure operation of the information system, includes, for example, initially starting the system and resuming secure system operation after any lapse in system operation. Related controls: CM-6, CM-8, PL-2, PL-4, PS-2, SA-3, SA-4. |
The organization:
a. Obtains administrator documentation for the information system, system component, or information system service that describes:
1. Secure configuration, installation, and operation of the system, component, or service;
2. Effective use and maintenance of security functions/mechanisms; and
3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
b. Obtains user documentation for the information system, system component, or information system service that describes:
1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
3. User responsibilities in maintaining the security of the system, component, or service;
c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and [Assignment: organization-defined actions] in response;
d. Protects documentation as required, in accordance with the risk management strategy; and
e. Distributes documentation to [Assignment: organization-defined personnel or roles]. |
| CCI-003134 |
The organization protects information system, system component, or information system service documentation as required, in accordance with the risk management strategy. |
The organization conducting the inspection/assessment obtains and examines the documented processes to ensure the organization being inspected/assessed stores and handles information system, system component, or information system service documentation as required, in accordance with the risk management strategy. |
The organization being inspected/assessed documents and implements processes to store and handle information system, system component, or information system service documentation as required, in accordance with the risk management strategy. |
Information System Documentation |
SA-5 |
SA-5.12 |
This control helps organizational personnel understand the implementation and operation of security controls associated with information systems, system components, and information system services. Organizations consider establishing specific measures to determine the quality/completeness of the content provided. The inability to obtain needed documentation may occur, for example, due to the age of the information system/component or lack of support from developers and contractors. In those situations, organizations may need to recreate selected documentation if such documentation is essential to the effective implementation or operation of security controls. The level of protection provided for selected information system, component, or service documentation is commensurate with the security category or classification of the system. For example, documentation associated with a key DoD weapons system or command and control system would typically require a higher level of protection than a routine administrative system. Documentation that addresses information system vulnerabilities may also require an increased level of protection. Secure operation of the information system, includes, for example, initially starting the system and resuming secure system operation after any lapse in system operation. Related controls: CM-6, CM-8, PL-2, PL-4, PS-2, SA-3, SA-4. |
The organization:
a. Obtains administrator documentation for the information system, system component, or information system service that describes:
1. Secure configuration, installation, and operation of the system, component, or service;
2. Effective use and maintenance of security functions/mechanisms; and
3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
b. Obtains user documentation for the information system, system component, or information system service that describes:
1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
3. User responsibilities in maintaining the security of the system, component, or service;
c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and [Assignment: organization-defined actions] in response;
d. Protects documentation as required, in accordance with the risk management strategy; and
e. Distributes documentation to [Assignment: organization-defined personnel or roles]. |
| CCI-003135 |
The organization distributes information system, system component, or information system service documentation to organization-defined personnel or roles. |
The organization conducting the inspection/assessment obtains and examines the information system, system component, or information system service documentation via the organization's information sharing capability to ensure the organization being inspected/assessed distributes information system, system component, or information system service documentation to at a minimum, the ISSO, ISSM, and SCA.
DoD has defined the personnel or roles as at a minimum, the ISSO, ISSM, and SCA. |
The organization being inspected/assessed distributes information system, system component, or information system service documentation to at a minimum, the ISSO, ISSM, and SCA, via an information sharing capability.
DoD has defined the personnel or roles as at a minimum, the ISSO, ISSM, and SCA. |
Information System Documentation |
SA-5 |
SA-5.13 |
This control helps organizational personnel understand the implementation and operation of security controls associated with information systems, system components, and information system services. Organizations consider establishing specific measures to determine the quality/completeness of the content provided. The inability to obtain needed documentation may occur, for example, due to the age of the information system/component or lack of support from developers and contractors. In those situations, organizations may need to recreate selected documentation if such documentation is essential to the effective implementation or operation of security controls. The level of protection provided for selected information system, component, or service documentation is commensurate with the security category or classification of the system. For example, documentation associated with a key DoD weapons system or command and control system would typically require a higher level of protection than a routine administrative system. Documentation that addresses information system vulnerabilities may also require an increased level of protection. Secure operation of the information system, includes, for example, initially starting the system and resuming secure system operation after any lapse in system operation. Related controls: CM-6, CM-8, PL-2, PL-4, PS-2, SA-3, SA-4. |
The organization:
a. Obtains administrator documentation for the information system, system component, or information system service that describes:
1. Secure configuration, installation, and operation of the system, component, or service;
2. Effective use and maintenance of security functions/mechanisms; and
3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
b. Obtains user documentation for the information system, system component, or information system service that describes:
1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
3. User responsibilities in maintaining the security of the system, component, or service;
c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and [Assignment: organization-defined actions] in response;
d. Protects documentation as required, in accordance with the risk management strategy; and
e. Distributes documentation to [Assignment: organization-defined personnel or roles]. |
| CCI-003136 |
The organization defines the personnel or roles to whom information system, system component, or information system service documentation is to be distributed. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as at a minimum, the ISSO, ISSM, and SCA. |
DoD has defined the personnel or roles as at a minimum, the ISSO, ISSM, and SCA. |
Information System Documentation |
SA-5 |
SA-5.14 |
This control helps organizational personnel understand the implementation and operation of security controls associated with information systems, system components, and information system services. Organizations consider establishing specific measures to determine the quality/completeness of the content provided. The inability to obtain needed documentation may occur, for example, due to the age of the information system/component or lack of support from developers and contractors. In those situations, organizations may need to recreate selected documentation if such documentation is essential to the effective implementation or operation of security controls. The level of protection provided for selected information system, component, or service documentation is commensurate with the security category or classification of the system. For example, documentation associated with a key DoD weapons system or command and control system would typically require a higher level of protection than a routine administrative system. Documentation that addresses information system vulnerabilities may also require an increased level of protection. Secure operation of the information system, includes, for example, initially starting the system and resuming secure system operation after any lapse in system operation. Related controls: CM-6, CM-8, PL-2, PL-4, PS-2, SA-3, SA-4. |
The organization:
a. Obtains administrator documentation for the information system, system component, or information system service that describes:
1. Secure configuration, installation, and operation of the system, component, or service;
2. Effective use and maintenance of security functions/mechanisms; and
3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
b. Obtains user documentation for the information system, system component, or information system service that describes:
1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
3. User responsibilities in maintaining the security of the system, component, or service;
c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and [Assignment: organization-defined actions] in response;
d. Protects documentation as required, in accordance with the risk management strategy; and
e. Distributes documentation to [Assignment: organization-defined personnel or roles]. |
| CCI-003137 |
The organization defines security controls that providers of external information system services employ in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the security controls as security controls defined by CNSSI 1253. |
DoD has defined the security controls as security controls defined by CNSSI 1253. |
External Information System Services |
SA-9 |
SA-9.3 |
External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance. Related controls: CA-3, IR-7, PS-7. |
The organization:
a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis. |
| CCI-003138 |
The organization employs organization-defined processes, methods, and techniques to monitor security control compliance by external service providers on an ongoing basis. |
The organization conducting the inspection/assessment obtains and examines the records of monitoring to ensure the organization being inspected/assessed implements the processes, methods, and techniques defined in SA-9, CCI 3139 to monitor security control compliance by external service providers on an ongoing basis. |
The organization being inspected/assessed implements the processes, methods, and techniques defined in SA-9, CCI 3139 to monitor security control compliance by external service providers on an ongoing basis.
The organization must maintain records of monitoring. |
External Information System Services |
SA-9 |
SA-9.8 |
External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance. Related controls: CA-3, IR-7, PS-7. |
The organization:
a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis. |
| CCI-003139 |
The organization defines processes, methods, and techniques to employ to monitor security control compliance by external service providers on an ongoing basis. |
The organization conducting the inspection/assessment obtains and examines the documented processes, methods, and techniques to ensure the organization being inspected/assessed defines processes, methods, and techniques to employ to monitor security control compliance by external service providers on an ongoing basis. |
The organization being inspected/assessed defines and documents processes, methods, and techniques to employ to monitor security control compliance by external service providers on an ongoing basis.
DoD has determined the processes, methods, and techniques are not appropriate to define at the Enterprise level. |
External Information System Services |
SA-9 |
SA-9.9 |
External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance. Related controls: CA-3, IR-7, PS-7. |
The organization:
a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis. |
| CCI-003140 |
The organization conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services. |
The organization conducting the inspection/assessment obtains and examines a list of acquired or outsourced information security services and the record of risk assessment to ensure the organization being inspected/assessed conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services. |
The organization being inspected/assessed documents and implements a process to conduct an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services.
The organization must maintain a record of risk assessment. |
External Information Systems | Risk Assessments / Organizational Approvals |
SA-9 (1) |
SA-9(1).1 |
Dedicated information security services include, for example, incident monitoring, analysis and response, operation of information security-related devices such as firewalls, or key management services. Related controls: CA-6, RA-3. |
The organization:
(a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and
(b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. |
| CCI-003141 |
The organization ensures that the acquisition or outsourcing of dedicated information security services is approved by organization-defined personnel or roles. |
The organization conducting the inspection/assessment obtains and examines a list of acquired or outsourced information security services as well as the record of approvals to ensure the organization being inspected/assessed ensures that the acquisition or outsourcing of dedicated information security services is approved by the DoD Component CIO or their delegate(s).
DoD has defined the personnel or roles the DoD Component CIO or their delegate(s). |
The organization being inspected/assessed ensures that the acquisition or outsourcing of dedicated information security services is approved by the DoD Component CIO or their delegate(s).
The organization must maintain a record of approvals.
DoD has defined the personnel or roles the DoD Component CIO or their delegate(s). |
External Information Systems | Risk Assessments / Organizational Approvals |
SA-9 (1) |
SA-9(1).2 |
Dedicated information security services include, for example, incident monitoring, analysis and response, operation of information security-related devices such as firewalls, or key management services. Related controls: CA-6, RA-3. |
The organization:
(a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and
(b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. |
| CCI-003142 |
The organization defines the personnel or roles authorized to approve the acquisition or outsourcing of dedicated information security services. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles the DoD Component CIO or their delegate(s). |
DoD has defined the personnel or roles the DoD Component CIO or their delegate(s). |
External Information Systems | Risk Assessments / Organizational Approvals |
SA-9 (1) |
SA-9(1).3 |
Dedicated information security services include, for example, incident monitoring, analysis and response, operation of information security-related devices such as firewalls, or key management services. Related controls: CA-6, RA-3. |
The organization:
(a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and
(b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. |
| CCI-003143 |
The organization requires providers of organization-defined external information system services to identify the functions, ports, protocols, and other services required for the use of such services. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that providers of all external information system services identify the functions, ports, protocols, and other services required for the use of such services.
DoD has defined the external information system services as all external information system services. |
The organization being inspected/assessed documents within contracts/agreements, the requirement that providers of all external information system services identify the functions, ports, protocols, and other services required for the use of such services.
DoD has defined the external information system services as all external information system services. |
External Information Systems | Identification Of Functions / Ports / Protocols / Services |
SA-9 (2) |
SA-9(2).1 |
Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be particularly useful when the need arises to understand the trade-offs involved in restricting certain functions/services or blocking certain ports/protocols. Related control: CM-7. |
The organization requires providers of [Assignment: organization-defined external information system services] to identify the functions, ports, protocols, and other services required for the use of such services.
|
| CCI-003144 |
The organization defines the external information system services for which the providers are required to identify the functions, ports, protocols, and other services required for the use of such services. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the external information system services as all external information system services. |
DoD has defined the external information system services as all external information system services. |
External Information Systems | Identification Of Functions / Ports / Protocols / Services |
SA-9 (2) |
SA-9(2).2 |
Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be particularly useful when the need arises to understand the trade-offs involved in restricting certain functions/services or blocking certain ports/protocols. Related control: CM-7. |
The organization requires providers of [Assignment: organization-defined external information system services] to identify the functions, ports, protocols, and other services required for the use of such services.
|
| CCI-003145 |
The organization establishes trust relationships with external service providers based on organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships. |
The organization conducting the inspection/assessment obtains and examines a list of trust relationships with external service providers to ensure those relationships are established based on security requirements, properties, factors, or conditions defining acceptable trust relationship defined in SA-9 (3), CCI 3148. |
The organization being inspected/assessed establishes trust relationships with external service providers based on security requirements, properties, factors, or conditions defining acceptable trust relationship defined in SA-9 (3), CCI 3148. |
External Information Systems | Establish / Maintain Trust Relationship With Providers |
SA-9 (3) |
SA-9(3).1 |
The degree of confidence that the risk from using external services is at an acceptable level depends on the trust that organizations place in the external providers, individually or in combination. Trust relationships can help organization to gain increased levels of confidence that participating service providers are providing adequate protection for the services rendered. Such relationships can be complicated due to the number of potential entities participating in the consumer-provider interactions, subordinate relationships and levels of trust, and the types of interactions between the parties. In some cases, the degree of trust is based on the amount of direct control organizations are able to exert on external service providers with regard to employment of security controls necessary for the protection of the service/information and the evidence brought forth as to the effectiveness of those controls. The level of control is typically established by the terms and conditions of the contracts or service-level agreements and can range from extensive control (e.g., negotiating contracts or agreements that specify security requirements for the providers) to very limited control (e.g., using contracts or service-level agreements to obtain commodity services such as commercial telecommunications services). In other cases, levels of trust are based on factors that convince organizations that required security controls have been employed and that determinations of control effectiveness exist. For example, separately authorized external information system services provided to organizations through well-established business relationships may provide degrees of trust in such services within the tolerable risk range of the organizations using the services. External service providers may also outsource selected services to other external entities, making the trust relationship more difficult and complicated to manage. Depending on the nature of the services, organizations may find it very difficult to place significant trust in external providers. This is not due to any inherent untrustworthiness on the part of providers, but to the intrinsic level of risk in the services. |
The organization establishes, documents, and maintains trust relationships with external service providers based on [Assignment: organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships]. |
| CCI-003146 |
The organization documents trust relationships with external service providers based on organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships. |
The organization conducting the inspection/assessment obtains and examines the list of trust relationship with external service providers to ensure it is documented. |
The organization being inspected/assessed documents trust relationships with external service providers based on security requirements, properties, factors, or conditions defining acceptable trust relationships defined in SA-9 (3), CCI 3148. |
External Information Systems | Establish / Maintain Trust Relationship With Providers |
SA-9 (3) |
SA-9(3).2 |
The degree of confidence that the risk from using external services is at an acceptable level depends on the trust that organizations place in the external providers, individually or in combination. Trust relationships can help organization to gain increased levels of confidence that participating service providers are providing adequate protection for the services rendered. Such relationships can be complicated due to the number of potential entities participating in the consumer-provider interactions, subordinate relationships and levels of trust, and the types of interactions between the parties. In some cases, the degree of trust is based on the amount of direct control organizations are able to exert on external service providers with regard to employment of security controls necessary for the protection of the service/information and the evidence brought forth as to the effectiveness of those controls. The level of control is typically established by the terms and conditions of the contracts or service-level agreements and can range from extensive control (e.g., negotiating contracts or agreements that specify security requirements for the providers) to very limited control (e.g., using contracts or service-level agreements to obtain commodity services such as commercial telecommunications services). In other cases, levels of trust are based on factors that convince organizations that required security controls have been employed and that determinations of control effectiveness exist. For example, separately authorized external information system services provided to organizations through well-established business relationships may provide degrees of trust in such services within the tolerable risk range of the organizations using the services. External service providers may also outsource selected services to other external entities, making the trust relationship more difficult and complicated to manage. Depending on the nature of the services, organizations may find it very difficult to place significant trust in external providers. This is not due to any inherent untrustworthiness on the part of providers, but to the intrinsic level of risk in the services. |
The organization establishes, documents, and maintains trust relationships with external service providers based on [Assignment: organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships]. |
| CCI-003147 |
The organization maintains trust relationships with external service providers based on organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships. |
The organization conducting the inspection/assessment obtains and examines a list of trust relationships with external service providers to ensure those relationships are maintained based on security requirements, properties, factors, or conditions defining acceptable trust relationship defined in SA-9 (3), CCI 3148. |
The organization being inspected/assessed maintains trust relationships with external service providers based on security requirements, properties, factors, or conditions defining acceptable trust relationships defined in SA-9 (3), CCI 3148. |
External Information Systems | Establish / Maintain Trust Relationship With Providers |
SA-9 (3) |
SA-9(3).3 |
The degree of confidence that the risk from using external services is at an acceptable level depends on the trust that organizations place in the external providers, individually or in combination. Trust relationships can help organization to gain increased levels of confidence that participating service providers are providing adequate protection for the services rendered. Such relationships can be complicated due to the number of potential entities participating in the consumer-provider interactions, subordinate relationships and levels of trust, and the types of interactions between the parties. In some cases, the degree of trust is based on the amount of direct control organizations are able to exert on external service providers with regard to employment of security controls necessary for the protection of the service/information and the evidence brought forth as to the effectiveness of those controls. The level of control is typically established by the terms and conditions of the contracts or service-level agreements and can range from extensive control (e.g., negotiating contracts or agreements that specify security requirements for the providers) to very limited control (e.g., using contracts or service-level agreements to obtain commodity services such as commercial telecommunications services). In other cases, levels of trust are based on factors that convince organizations that required security controls have been employed and that determinations of control effectiveness exist. For example, separately authorized external information system services provided to organizations through well-established business relationships may provide degrees of trust in such services within the tolerable risk range of the organizations using the services. External service providers may also outsource selected services to other external entities, making the trust relationship more difficult and complicated to manage. Depending on the nature of the services, organizations may find it very difficult to place significant trust in external providers. This is not due to any inherent untrustworthiness on the part of providers, but to the intrinsic level of risk in the services. |
The organization establishes, documents, and maintains trust relationships with external service providers based on [Assignment: organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships]. |
| CCI-003148 |
The organization defines security requirements, properties, factors, or conditions defining acceptable trust relationships with external service providers. |
The organization conducting the inspection/assessment obtains and examines the documented security requirements, properties, factors, or conditions to ensure the organization being inspected/assessed defines security requirements, properties, factors, or conditions defining acceptable trust relationships with external service providers.
DoD has determined the security requirements, properties, factors, or conditions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents security requirements, properties, factors, or conditions defining acceptable trust relationships with external service providers.
DoD has determined the security requirements, properties, factors, or conditions are not appropriate to define at the Enterprise level. |
External Information Systems | Establish / Maintain Trust Relationship With Providers |
SA-9 (3) |
SA-9(3).4 |
The degree of confidence that the risk from using external services is at an acceptable level depends on the trust that organizations place in the external providers, individually or in combination. Trust relationships can help organization to gain increased levels of confidence that participating service providers are providing adequate protection for the services rendered. Such relationships can be complicated due to the number of potential entities participating in the consumer-provider interactions, subordinate relationships and levels of trust, and the types of interactions between the parties. In some cases, the degree of trust is based on the amount of direct control organizations are able to exert on external service providers with regard to employment of security controls necessary for the protection of the service/information and the evidence brought forth as to the effectiveness of those controls. The level of control is typically established by the terms and conditions of the contracts or service-level agreements and can range from extensive control (e.g., negotiating contracts or agreements that specify security requirements for the providers) to very limited control (e.g., using contracts or service-level agreements to obtain commodity services such as commercial telecommunications services). In other cases, levels of trust are based on factors that convince organizations that required security controls have been employed and that determinations of control effectiveness exist. For example, separately authorized external information system services provided to organizations through well-established business relationships may provide degrees of trust in such services within the tolerable risk range of the organizations using the services. External service providers may also outsource selected services to other external entities, making the trust relationship more difficult and complicated to manage. Depending on the nature of the services, organizations may find it very difficult to place significant trust in external providers. This is not due to any inherent untrustworthiness on the part of providers, but to the intrinsic level of risk in the services. |
The organization establishes, documents, and maintains trust relationships with external service providers based on [Assignment: organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships]. |
| CCI-003149 |
The organization employs organization-defined security safeguards to ensure that the interests of organization-defined external service providers are consistent with and reflect organizational interests. |
The organization conducting the inspection/assessment obtains and examines a list of external service providers as well as records of safeguard review to ensure the organization being inspected/assessed employs the security safeguards defined in SA-9 (4), CCI 3150 to ensure that the interests of all external service providers from whom services are solicited are consistent with and reflect organizational interests.
DoD has defined the external service providers as all external service providers from whom services are solicited. |
The organization being inspected/assessed employs the security safeguards defined in SA-9 (4), CCI 3150 to ensure that the interests of all external service providers from whom services are solicited are consistent with and reflect organizational interests.
The organization must maintain records of safeguard review.
DoD has defined the external service providers as all external service providers from whom services are solicited. |
External Information Systems | Consistent Interests Of Consumers And Providers |
SA-9 (4) |
SA-9(4).1 |
As organizations increasingly use external service providers, the possibility exists that the interests of the service providers may diverge from organizational interests. In such situations, simply having the correct technical, procedural, or operational safeguards in place may not be sufficient if the service providers that implement and control those safeguards are not operating in a manner consistent with the interests of the consuming organizations. Possible actions that organizations might take to address such concerns include, for example, requiring background checks for selected service provider personnel, examining ownership records, employing only trustworthy service providers (i.e., providers with which organizations have had positive experiences), and conducting periodic/unscheduled visits to service provider facilities. |
The organization employs [Assignment: organization-defined security safeguards] to ensure that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests. |
| CCI-003150 |
The organization defines security safeguards to employ to ensure that the interests of organization-defined external service providers are consistent with and reflect organizational interests. |
The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure the organization being inspected/assessed
defines security safeguards to employ to ensure that the interests of organization-defined external service providers are consistent with and reflect organizational interests.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents security safeguards to employ to ensure that the interests of organization-defined external service providers are consistent with and reflect organizational interests.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
External Information Systems | Consistent Interests Of Consumers And Providers |
SA-9 (4) |
SA-9(4).2 |
As organizations increasingly use external service providers, the possibility exists that the interests of the service providers may diverge from organizational interests. In such situations, simply having the correct technical, procedural, or operational safeguards in place may not be sufficient if the service providers that implement and control those safeguards are not operating in a manner consistent with the interests of the consuming organizations. Possible actions that organizations might take to address such concerns include, for example, requiring background checks for selected service provider personnel, examining ownership records, employing only trustworthy service providers (i.e., providers with which organizations have had positive experiences), and conducting periodic/unscheduled visits to service provider facilities. |
The organization employs [Assignment: organization-defined security safeguards] to ensure that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests. |
| CCI-003151 |
The organization defines external service providers whose interests are consistent with and reflect organizational interests. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the external service providers as all external service providers from whom services are solicited. |
DoD has defined the external service providers as all external service providers from whom services are solicited. |
External Information Systems | Consistent Interests Of Consumers And Providers |
SA-9 (4) |
SA-9(4).3 |
As organizations increasingly use external service providers, the possibility exists that the interests of the service providers may diverge from organizational interests. In such situations, simply having the correct technical, procedural, or operational safeguards in place may not be sufficient if the service providers that implement and control those safeguards are not operating in a manner consistent with the interests of the consuming organizations. Possible actions that organizations might take to address such concerns include, for example, requiring background checks for selected service provider personnel, examining ownership records, employing only trustworthy service providers (i.e., providers with which organizations have had positive experiences), and conducting periodic/unscheduled visits to service provider facilities. |
The organization employs [Assignment: organization-defined security safeguards] to ensure that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests. |
| CCI-003152 |
The organization restricts the location of information processing, information/data, and/or information system services to organization-defined locations based on organization-defined requirements or conditions. |
The organization conducting the inspection/assessment obtains and examines a list of locations of information processing, information/data, and/or information system services to ensure the organization being inspected/assessed restricts the location of information processing, information/data, and/or information system services to locations defined in SA-9 (5), CCI 3153 based on requirements or conditions defined in SA-9 (5), CCI 3154. |
The organization being inspected/assessed restricts the location of information processing, information/data, and/or information system services to locations defined in SA-9 (5), CCI 3153 based on requirements or conditions defined in SA-9 (5), CCI 3154. |
External Information Systems | Processing, Storage, And Service Location |
SA-9 (5) |
SA-9(5).1 |
The location of information processing, information/data storage, or information system services that are critical to organizations can have a direct impact on the ability of those organizations to successfully execute their missions/business functions. This situation exists when external providers control the location of processing, storage or services. The criteria external providers use for the selection of processing, storage, or service locations may be different from organizational criteria. For example, organizations may want to ensure that data/information storage locations are restricted to certain locations to facilitate incident response activities (e.g., forensic analyses, after-the-fact investigations) in case of information security breaches/compromises. Such incident response activities may be adversely affected by the governing laws or protocols in the locations where processing and storage occur and/or the locations from which information system services emanate. |
The organization restricts the location of [Selection (one or more): information processing; information/data; information system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions]. |
| CCI-003153 |
The organization defines the locations for which to restrict information processing, information/data, and/or information system services based on organization-defined requirements or conditions. |
The organization conducting the inspection/assessment obtains and examines the documented locations to ensure the organization being inspected/assessed defines the locations to restrict information processing, information/data, and/or information system services based on organization-defined requirements or conditions.
DoD has determined the location is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the locations to restrict information processing, information/data, and/or information system services based on organization-defined requirements or conditions.
Definitions should take into account regulatory guidelines in place to protect the data being stored or processed.
DoD has determined the location is not appropriate to define at the Enterprise level. |
External Information Systems | Processing, Storage, And Service Location |
SA-9 (5) |
SA-9(5).2 |
The location of information processing, information/data storage, or information system services that are critical to organizations can have a direct impact on the ability of those organizations to successfully execute their missions/business functions. This situation exists when external providers control the location of processing, storage or services. The criteria external providers use for the selection of processing, storage, or service locations may be different from organizational criteria. For example, organizations may want to ensure that data/information storage locations are restricted to certain locations to facilitate incident response activities (e.g., forensic analyses, after-the-fact investigations) in case of information security breaches/compromises. Such incident response activities may be adversely affected by the governing laws or protocols in the locations where processing and storage occur and/or the locations from which information system services emanate. |
The organization restricts the location of [Selection (one or more): information processing; information/data; information system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions]. |
| CCI-003154 |
The organization defines the requirements or conditions on which to base restricting the location of information processing, information/data, and/or information system services to organization-defined locations. |
The organization conducting the inspection/assessment obtains and examines the documented requirements or conditions to ensure the organization being inspected/assessed defines the requirements or conditions on which to base restricting the location of information processing, information/data, and/or information system services to organization-defined locations.
DoD has determined the requirements or conditions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the requirements or conditions on which to base restricting the location of information processing, information/data, and/or information system services to organization-defined locations.
Definitions should take into account regulatory guidelines in place to protect the data being stored or processed.
DoD has determined the requirements or conditions are not appropriate to define at the Enterprise level. |
External Information Systems | Processing, Storage, And Service Location |
SA-9 (5) |
SA-9(5).3 |
The location of information processing, information/data storage, or information system services that are critical to organizations can have a direct impact on the ability of those organizations to successfully execute their missions/business functions. This situation exists when external providers control the location of processing, storage or services. The criteria external providers use for the selection of processing, storage, or service locations may be different from organizational criteria. For example, organizations may want to ensure that data/information storage locations are restricted to certain locations to facilitate incident response activities (e.g., forensic analyses, after-the-fact investigations) in case of information security breaches/compromises. Such incident response activities may be adversely affected by the governing laws or protocols in the locations where processing and storage occur and/or the locations from which information system services emanate. |
The organization restricts the location of [Selection (one or more): information processing; information/data; information system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions]. |
| CCI-003155 |
The organization requires the developer of the information system, system component, or information system service to perform configuration management during system, component, or service design, development, implementation and/or operation. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires the developer of the information system, system component, or information system service perform configuration management during system, component or service design, development, implementation and/or operation. |
The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service perform configuration management during system, component or service design, development, implementation and/or operation. The configuration management process applies to:
1. Documentation developed or used in the lifecycle, including requirements and interface specifications;
2. Elements including design libraries;
3. Tools including design tools and test tools;
4. Technical data including test data; and
5. Information on element and system lifecycle processes
|
Developer Configuration Management |
SA-10 |
SA-10.1 |
This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle. Related controls: CM-3, CM-4, CM-9, SA-12, SI-2. |
The organization requires the developer of the information system, system component, or information system service to:
a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];
b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]. |
| CCI-003156 |
The organization requires the developer of the information system, system component, or information system service to document the integrity of changes to organization-defined configuration items under configuration management. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service document the integrity of changes to configuration items under configuration management defined in SA-10, CCI 3159. |
The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service document the integrity of changes to configuration items under configuration management defined in SA-10, CCI 3159. |
Developer Configuration Management |
SA-10 |
SA-10.2 |
This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle. Related controls: CM-3, CM-4, CM-9, SA-12, SI-2. |
The organization requires the developer of the information system, system component, or information system service to:
a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];
b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]. |
| CCI-003157 |
The organization requires the developer of the information system, system component, or information system service to manage the integrity of changes to organization-defined configuration items under configuration management. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service manage the integrity of changes to configuration items under configuration management defined in SA-10, CCI 3159. |
The organization being inspected/assessed requires within contracts/agreements the requirement that the developer of the information system, system component, or information system service manage the integrity of changes to configuration items under configuration management defined in SA-10, CCI 3159. |
Developer Configuration Management |
SA-10 |
SA-10.3 |
This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle. Related controls: CM-3, CM-4, CM-9, SA-12, SI-2. |
The organization requires the developer of the information system, system component, or information system service to:
a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];
b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]. |
| CCI-003158 |
The organization requires the developer of the information system, system component, or information system service to control the integrity of changes to organization-defined configuration items under configuration management. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service control the integrity of changes to configuration items under configuration management defined in SA-10, CCI 3159. |
The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service control the integrity of changes to configuration items under configuration management defined in SA-10, CCI 3159. |
Developer Configuration Management |
SA-10 |
SA-10.4 |
This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle. Related controls: CM-3, CM-4, CM-9, SA-12, SI-2. |
The organization requires the developer of the information system, system component, or information system service to:
a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];
b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]. |
| CCI-003159 |
The organization defines the configuration items under configuration management that require the integrity of changes to be documented, managed and controlled. |
The organization conducting the inspection/assessment obtains and examines the documented configuration items to ensure the organization being inspected/assessed defines the configuration items under configuration management that require the integrity of changes to be documented, managed and controlled.
DoD has determined the configuration items are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the configuration items under configuration management that require the integrity of changes to be documented, managed and controlled.
DoD has determined the configuration items are not appropriate to define at the Enterprise level. |
Developer Configuration Management |
SA-10 |
SA-10.5 |
This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle. Related controls: CM-3, CM-4, CM-9, SA-12, SI-2. |
The organization requires the developer of the information system, system component, or information system service to:
a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];
b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]. |
| CCI-003160 |
The organization requires the developer of the information system, system component, or information system service to document the potential security impacts of approved changes to the system, component, or service. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service document the potential security impacts of approved changes to the system, component, or service. |
The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service document the potential security impacts of approved changes to the system, component, or service. |
Developer Configuration Management |
SA-10 |
SA-10.8 |
This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle. Related controls: CM-3, CM-4, CM-9, SA-12, SI-2. |
The organization requires the developer of the information system, system component, or information system service to:
a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];
b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]. |
| CCI-003161 |
The organization requires the developer of the information system, system component, or information system service to track security flaws within the system, component, or service. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service track security flaws within the system, component, or service. |
The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service track security flaws within the system, component, or service. |
Developer Configuration Management |
SA-10 |
SA-10.9 |
This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle. Related controls: CM-3, CM-4, CM-9, SA-12, SI-2. |
The organization requires the developer of the information system, system component, or information system service to:
a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];
b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]. |
| CCI-003162 |
The organization requires the developer of the information system, system component, or information system service to track flaw resolution within the system, component, or service. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service track flaw resolution within the system, component, or service. |
The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service track flaw resolution within the system, component, or service. |
Developer Configuration Management |
SA-10 |
SA-10.10 |
This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle. Related controls: CM-3, CM-4, CM-9, SA-12, SI-2. |
The organization requires the developer of the information system, system component, or information system service to:
a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];
b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]. |
| CCI-003163 |
The organization requires the developer of the information system, system component, or information system service to report findings of security flaws and flaw resolution within the system, component, or service to organization-defined personnel. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service report security flaws and flaw resolution within the system, component, or service findings to at a minimum, the ISSO and ISSM.
DoD has defined the personnel as at a minimum, the ISSO and ISSM. |
The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service report security flaws and flaw resolution within the system, component, or service findings to at a minimum, the ISSO and ISSM.
DoD has defined the personnel as at a minimum, the ISSO and ISSM. |
Developer Configuration Management |
SA-10 |
SA-10.11 |
This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle. Related controls: CM-3, CM-4, CM-9, SA-12, SI-2. |
The organization requires the developer of the information system, system component, or information system service to:
a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];
b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]. |
| CCI-003164 |
The organization defines the personnel to whom security flaw findings and flaw resolution within the system, component, or service are reported. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel as at a minimum, the ISSO and ISSM. |
DoD has defined the personnel as at a minimum, the ISSO and ISSM. |
Developer Configuration Management |
SA-10 |
SA-10.12 |
This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle. Related controls: CM-3, CM-4, CM-9, SA-12, SI-2. |
The organization requires the developer of the information system, system component, or information system service to:
a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];
b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]. |
| CCI-003165 |
The organization requires the developer of the information system, system component, or information system service to enable integrity verification of hardware components. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service enable integrity verification of hardware components. |
The organization being inspected/assessed documents within contracts/agreements, the requirement that the developer of the information system, system component, or information system service enable integrity verification of hardware components. |
Developer Configuration Management | Hardware Integrity Verification |
SA-10 (3) |
SA-10(3).1 |
This control enhancement allows organizations to detect unauthorized changes to hardware components through the use of tools, techniques, and/or mechanisms provided by developers. Organizations verify the integrity of hardware components, for example, with hard-to-copy labels and verifiable serial numbers provided by developers, and by requiring the implementation of anti-tamper technologies. Delivered hardware components also include updates to such components. Related control: SI-7. |
The organization requires the developer of the information system, system component, or information system service to enable integrity verification of hardware components. |
| CCI-003166 |
The organization requires the developer of the information system, system component, or information system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions with previous versions. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service employ tools for comparing newly generated versions of security-relevant hardware descriptions with previous versions. |
The organization being inspected/assessed documents within contracts/agreements the requirement that the developer of the information system, system component, or information system service employ tools for comparing newly generated versions of security-relevant hardware descriptions with previous versions. |
Developer Configuration Management | Trusted Generation |
SA-10 (4) |
SA-10(4).1 |
This control enhancement addresses changes to hardware, software, and firmware components between versions during development. In contrast, SA-10 (1) and SA-10 (3) allow organizations to detect unauthorized changes to hardware, software, and firmware components through the use of tools, techniques, and/or mechanisms provided by developers. |
The organization requires the developer of the information system, system component, or information system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions and software/firmware source and object code with previous versions. |
| CCI-003167 |
The organization requires the developer of the information system, system component, or information system service to employ tools for comparing newly generated versions of software/firmware source code with previous versions. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service employ tools for comparing newly generated versions of software/firmware source code with previous versions. |
The organization being inspected/assessed documents within contracts/agreements the requirement that the developer of the information system, system component, or information system service employ tools for comparing newly generated versions of software/firmware source code with previous versions. |
Developer Configuration Management | Trusted Generation |
SA-10 (4) |
SA-10(4).2 |
This control enhancement addresses changes to hardware, software, and firmware components between versions during development. In contrast, SA-10 (1) and SA-10 (3) allow organizations to detect unauthorized changes to hardware, software, and firmware components through the use of tools, techniques, and/or mechanisms provided by developers. |
The organization requires the developer of the information system, system component, or information system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions and software/firmware source and object code with previous versions. |
| CCI-003168 |
The organization requires the developer of the information system, system component, or information system service to employ tools for comparing newly generated versions of object code with previous versions. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service employ tools for comparing newly generated versions of object code with previous versions. |
The organization being inspected/assessed documents within contracts/agreements the requirement that the developer of the information system, system component, or information system service employ tools for comparing newly generated versions of object code with previous versions. |
Developer Configuration Management | Trusted Generation |
SA-10 (4) |
SA-10(4).3 |
This control enhancement addresses changes to hardware, software, and firmware components between versions during development. In contrast, SA-10 (1) and SA-10 (3) allow organizations to detect unauthorized changes to hardware, software, and firmware components through the use of tools, techniques, and/or mechanisms provided by developers. |
The organization requires the developer of the information system, system component, or information system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions and software/firmware source and object code with previous versions. |
| CCI-003169 |
The organization requires the developer of the information system, system component, or information system service to maintain the integrity of the mapping between the master build data (hardware drawings and software/firmware code) describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service maintain the integrity of the mapping between the master build data (hardware drawings and software/firmware code) describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version. |
The organization being inspected/assessed documents within contracts/agreements, the requirement that the developer of the information system, system component, or information system service maintain the integrity of the mapping between the master build data (hardware drawings and software/firmware code) describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version. |
Developer Configuration Management | Mapping Integrity For Version Control |
SA-10 (5) |
SA-10(5).1 |
This control enhancement addresses changes to hardware, software, and firmware components during initial development and during system life cycle updates. Maintaining the integrity between the master copies of security-relevant hardware, software, and firmware (including designs and source code) and the equivalent data in master copies on-site in operational environments is essential to ensure the availability of organizational information systems supporting critical missions and/or business functions. |
The organization requires the developer of the information system, system component, or information system service to maintain the integrity of the mapping between the master build data (hardware drawings and software/firmware code) describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version. |
| CCI-003170 |
The organization requires the developer of the information system, system component, or information system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies. |
The organization being inspected/assessed documents within contracts/agreements, the requirement that the developer of the information system, system component, or information system service execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies. |
Developer Configuration Management | Trusted Distribution |
SA-10 (6) |
SA-10(6).1 |
The trusted distribution of security-relevant hardware, software, and firmware updates helps to ensure that such updates are faithful representations of the master copies maintained by the developer and have not been tampered with during distribution. |
The organization requires the developer of the information system, system component, or information system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies. |
| CCI-003171 |
The organization requires the developer of the information system, system component, or information system service to create a security assessment plan. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service create a security assessment plan. |
The organization being inspected/assessed requires that the developer create and document a security assessment plan that includes:
1. The types of analyses, testing, evaluation, and reviews of software and firmware components;
2. The degree of rigor to be applied; and
3. The types of artifacts produced during those processes. |
Developer Security Testing And Evaluation |
SA-11 |
SA-11.1 |
Developmental security testing/evaluation occurs at all post?design phases of the system development life cycle. Such testing/evaluation confirms that the required security controls are implemented correctly, operating as intended, enforcing the desired security policy, and meeting established security requirements. Security properties of information systems may be affected by the interconnection of system components or changes to those components. These interconnections or changes (e.g., upgrading or replacing applications and operating systems) may adversely affect previously implemented security controls. This control provides additional types of security testing/evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Developers can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Security assessment plans provide the specific activities that developers plan to carry out including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, and the types of artifacts produced during those processes. The depth of security testing/evaluation refers to the rigor and level of detail associated with the assessment process (e.g., black box, gray box, or white box testing). The coverage of security testing/evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security assessment plans, flaw remediation processes, and the evidence that the plans/processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements. Related controls: CA-2, CM-4, SA-3, SA-4, SA-5, SI-2. |
The organization requires the developer of the information system, system component, or information system service to:
a. Create and implement a security assessment plan;
b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];
c. Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;
d. Implement a verifiable flaw remediation process; and
e. Correct flaws identified during security testing/evaluation. |
| CCI-003172 |
The organization requires the developer of the information system, system component, or information system service to implement a security assessment plan. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service implement a security assessment plan. |
The organization being inspected/assessed requires that the developer implement the security assessment plan developed in SA-11, CCI 003171. |
Developer Security Testing And Evaluation |
SA-11 |
SA-11.2 |
Developmental security testing/evaluation occurs at all post?design phases of the system development life cycle. Such testing/evaluation confirms that the required security controls are implemented correctly, operating as intended, enforcing the desired security policy, and meeting established security requirements. Security properties of information systems may be affected by the interconnection of system components or changes to those components. These interconnections or changes (e.g., upgrading or replacing applications and operating systems) may adversely affect previously implemented security controls. This control provides additional types of security testing/evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Developers can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Security assessment plans provide the specific activities that developers plan to carry out including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, and the types of artifacts produced during those processes. The depth of security testing/evaluation refers to the rigor and level of detail associated with the assessment process (e.g., black box, gray box, or white box testing). The coverage of security testing/evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security assessment plans, flaw remediation processes, and the evidence that the plans/processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements. Related controls: CA-2, CM-4, SA-3, SA-4, SA-5, SI-2. |
The organization requires the developer of the information system, system component, or information system service to:
a. Create and implement a security assessment plan;
b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];
c. Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;
d. Implement a verifiable flaw remediation process; and
e. Correct flaws identified during security testing/evaluation. |
| CCI-003173 |
The organization requires the developer of the information system, system component, or information system service to perform unit, integration, system, and/or regression testing/evaluation at an organization-defined depth and coverage. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service perform unit, integration, system, and/or regression testing/evaluation at depth and coverage defined in SA-11, CCI 3174. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service perform unit, integration, system, and/or regression testing/evaluation at depth and coverage defined in SA-11, CCI 3174. |
Developer Security Testing And Evaluation |
SA-11 |
SA-11.3 |
Developmental security testing/evaluation occurs at all post?design phases of the system development life cycle. Such testing/evaluation confirms that the required security controls are implemented correctly, operating as intended, enforcing the desired security policy, and meeting established security requirements. Security properties of information systems may be affected by the interconnection of system components or changes to those components. These interconnections or changes (e.g., upgrading or replacing applications and operating systems) may adversely affect previously implemented security controls. This control provides additional types of security testing/evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Developers can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Security assessment plans provide the specific activities that developers plan to carry out including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, and the types of artifacts produced during those processes. The depth of security testing/evaluation refers to the rigor and level of detail associated with the assessment process (e.g., black box, gray box, or white box testing). The coverage of security testing/evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security assessment plans, flaw remediation processes, and the evidence that the plans/processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements. Related controls: CA-2, CM-4, SA-3, SA-4, SA-5, SI-2. |
The organization requires the developer of the information system, system component, or information system service to:
a. Create and implement a security assessment plan;
b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];
c. Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;
d. Implement a verifiable flaw remediation process; and
e. Correct flaws identified during security testing/evaluation. |
| CCI-003174 |
The organization defines the depth and coverage at which to perform unit, integration, system, and/or regression testing/evaluation. |
The organization conducting the inspection/assessment obtains and examines the documented depth and coverage to ensure the organization being inspected/assessed defines the depth and coverage to perform unit, integration, system, and/or regression testing/evaluation.
DoD has determined the depth and coverage are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the depth and coverage to perform unit, integration, system, and/or regression testing/evaluation. Examples of approaches or tool types that could be required are:
1. Approaches such as static analyses, dynamic analyses, binary analysis, or a hybrid of the three approaches; and
2. Tools such as web-based application scanners, static analysis tools, binary analyzers.
DoD has determined the depth and coverage are not appropriate to define at the Enterprise level.
|
Developer Security Testing And Evaluation |
SA-11 |
SA-11.4 |
Developmental security testing/evaluation occurs at all post?design phases of the system development life cycle. Such testing/evaluation confirms that the required security controls are implemented correctly, operating as intended, enforcing the desired security policy, and meeting established security requirements. Security properties of information systems may be affected by the interconnection of system components or changes to those components. These interconnections or changes (e.g., upgrading or replacing applications and operating systems) may adversely affect previously implemented security controls. This control provides additional types of security testing/evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Developers can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Security assessment plans provide the specific activities that developers plan to carry out including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, and the types of artifacts produced during those processes. The depth of security testing/evaluation refers to the rigor and level of detail associated with the assessment process (e.g., black box, gray box, or white box testing). The coverage of security testing/evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security assessment plans, flaw remediation processes, and the evidence that the plans/processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements. Related controls: CA-2, CM-4, SA-3, SA-4, SA-5, SI-2. |
The organization requires the developer of the information system, system component, or information system service to:
a. Create and implement a security assessment plan;
b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];
c. Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;
d. Implement a verifiable flaw remediation process; and
e. Correct flaws identified during security testing/evaluation. |
| CCI-003175 |
The organization requires the developer of the information system, system component, or information system service to produce evidence of the execution of the security assessment plan. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service produce evidence of the execution of the security assessment plan. |
The organization being inspected/assessed requires the developer to produce and provide evidence of the execution of the security assessment plan. |
Developer Security Testing And Evaluation |
SA-11 |
SA-11.5 |
Developmental security testing/evaluation occurs at all post?design phases of the system development life cycle. Such testing/evaluation confirms that the required security controls are implemented correctly, operating as intended, enforcing the desired security policy, and meeting established security requirements. Security properties of information systems may be affected by the interconnection of system components or changes to those components. These interconnections or changes (e.g., upgrading or replacing applications and operating systems) may adversely affect previously implemented security controls. This control provides additional types of security testing/evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Developers can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Security assessment plans provide the specific activities that developers plan to carry out including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, and the types of artifacts produced during those processes. The depth of security testing/evaluation refers to the rigor and level of detail associated with the assessment process (e.g., black box, gray box, or white box testing). The coverage of security testing/evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security assessment plans, flaw remediation processes, and the evidence that the plans/processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements. Related controls: CA-2, CM-4, SA-3, SA-4, SA-5, SI-2. |
The organization requires the developer of the information system, system component, or information system service to:
a. Create and implement a security assessment plan;
b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];
c. Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;
d. Implement a verifiable flaw remediation process; and
e. Correct flaws identified during security testing/evaluation. |
| CCI-003176 |
The organization requires the developer of the information system, system component, or information system service to produce the results of the security testing/evaluation. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service produce the results of the security testing/evaluation. |
The organization being inspected/assessed requires the developer to produce and provide results of the security testing/evaluation. |
Developer Security Testing And Evaluation |
SA-11 |
SA-11.6 |
Developmental security testing/evaluation occurs at all post?design phases of the system development life cycle. Such testing/evaluation confirms that the required security controls are implemented correctly, operating as intended, enforcing the desired security policy, and meeting established security requirements. Security properties of information systems may be affected by the interconnection of system components or changes to those components. These interconnections or changes (e.g., upgrading or replacing applications and operating systems) may adversely affect previously implemented security controls. This control provides additional types of security testing/evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Developers can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Security assessment plans provide the specific activities that developers plan to carry out including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, and the types of artifacts produced during those processes. The depth of security testing/evaluation refers to the rigor and level of detail associated with the assessment process (e.g., black box, gray box, or white box testing). The coverage of security testing/evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security assessment plans, flaw remediation processes, and the evidence that the plans/processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements. Related controls: CA-2, CM-4, SA-3, SA-4, SA-5, SI-2. |
The organization requires the developer of the information system, system component, or information system service to:
a. Create and implement a security assessment plan;
b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];
c. Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;
d. Implement a verifiable flaw remediation process; and
e. Correct flaws identified during security testing/evaluation. |
| CCI-003177 |
The organization requires the developer of the information system, system component, or information system service to implement a verifiable flaw remediation process. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service implement a verifiable flaw remediation process. |
The organization being inspected/assessed requires the developer to implement a verifiable flaw remediation process.
|
Developer Security Testing And Evaluation |
SA-11 |
SA-11.7 |
Developmental security testing/evaluation occurs at all post?design phases of the system development life cycle. Such testing/evaluation confirms that the required security controls are implemented correctly, operating as intended, enforcing the desired security policy, and meeting established security requirements. Security properties of information systems may be affected by the interconnection of system components or changes to those components. These interconnections or changes (e.g., upgrading or replacing applications and operating systems) may adversely affect previously implemented security controls. This control provides additional types of security testing/evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Developers can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Security assessment plans provide the specific activities that developers plan to carry out including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, and the types of artifacts produced during those processes. The depth of security testing/evaluation refers to the rigor and level of detail associated with the assessment process (e.g., black box, gray box, or white box testing). The coverage of security testing/evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security assessment plans, flaw remediation processes, and the evidence that the plans/processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements. Related controls: CA-2, CM-4, SA-3, SA-4, SA-5, SI-2. |
The organization requires the developer of the information system, system component, or information system service to:
a. Create and implement a security assessment plan;
b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];
c. Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;
d. Implement a verifiable flaw remediation process; and
e. Correct flaws identified during security testing/evaluation. |
| CCI-003178 |
The organization requires the developer of the information system, system component, or information system service to correct flaws identified during security testing/evaluation. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service correct flaws identified during security testing/evaluation and provide evidence. |
The organization being inspected/assessed requires the developer to correct flaws identified during security testing/evaluation and to document and provide evidence that the flaws were corrected.
|
Developer Security Testing And Evaluation |
SA-11 |
SA-11.8 |
Developmental security testing/evaluation occurs at all post?design phases of the system development life cycle. Such testing/evaluation confirms that the required security controls are implemented correctly, operating as intended, enforcing the desired security policy, and meeting established security requirements. Security properties of information systems may be affected by the interconnection of system components or changes to those components. These interconnections or changes (e.g., upgrading or replacing applications and operating systems) may adversely affect previously implemented security controls. This control provides additional types of security testing/evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Developers can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Security assessment plans provide the specific activities that developers plan to carry out including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, and the types of artifacts produced during those processes. The depth of security testing/evaluation refers to the rigor and level of detail associated with the assessment process (e.g., black box, gray box, or white box testing). The coverage of security testing/evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security assessment plans, flaw remediation processes, and the evidence that the plans/processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements. Related controls: CA-2, CM-4, SA-3, SA-4, SA-5, SI-2. |
The organization requires the developer of the information system, system component, or information system service to:
a. Create and implement a security assessment plan;
b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];
c. Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;
d. Implement a verifiable flaw remediation process; and
e. Correct flaws identified during security testing/evaluation. |
| CCI-003179 |
The organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service employ static code analysis tools to identify common flaws. |
The organization being inspected/assessed includes the requirement within contracts/agreements that the developer of the information system, system component, or information system service employ static code analysis tools to identify common flaws. |
Developer Security Testing And Evaluation | Static Code Analysis |
SA-11 (1) |
SA-11(1).1 |
Static code analysis provides a technology and methodology for security reviews. Such analysis can be used to identify security vulnerabilities and enforce security coding practices. Static code analysis is most effective when used early in the development process, when each code change can be automatically scanned for potential weaknesses. Static analysis can provide clear remediation guidance along with defects to enable developers to fix such defects. Evidence of correct implementation of static analysis can include, for example, aggregate defect density for critical defect types, evidence that defects were inspected by developers or security professionals, and evidence that defects were fixed. An excessively high density of ignored findings (commonly referred to as ignored or false positives) indicates a potential problem with the analysis process or tool. In such cases, organizations weigh the validity of the evidence against evidence from other sources. |
The organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis. |
| CCI-003180 |
The organization requires the developer of the information system, system component, or information system service to document the results of static code analysis. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service document the results of static code analysis. |
The organization being inspected/assessed requires that the developer of the information system, system component, or information system service document the type of static code analysis that was performed and the results (including defects). |
Developer Security Testing And Evaluation | Static Code Analysis |
SA-11 (1) |
SA-11(1).2 |
Static code analysis provides a technology and methodology for security reviews. Such analysis can be used to identify security vulnerabilities and enforce security coding practices. Static code analysis is most effective when used early in the development process, when each code change can be automatically scanned for potential weaknesses. Static analysis can provide clear remediation guidance along with defects to enable developers to fix such defects. Evidence of correct implementation of static analysis can include, for example, aggregate defect density for critical defect types, evidence that defects were inspected by developers or security professionals, and evidence that defects were fixed. An excessively high density of ignored findings (commonly referred to as ignored or false positives) indicates a potential problem with the analysis process or tool. In such cases, organizations weigh the validity of the evidence against evidence from other sources. |
The organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis. |
| CCI-003181 |
The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analysis. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service perform threat and vulnerability analysis. |
The organization being inspected/assessed requires the developer to document and perform threat and vulnerability analysis to ensure that design or implementation changes, and resulting vulnerabilities, are accounted for early in the life cycle.
Threat analysis may be performed through the use of open source threat information. Vulnerability analyses should be informed by system design documentation and may include static analyses, dynamic analyses, simulations, and penetration testing. The developer must document the type of vulnerability analysis that was performed, the results (including defects) and any follow on actions. |
Developer Security Testing And Evaluation | Threat And Vulnerability Analyses |
SA-11 (2) |
SA-11(2).1 |
Applications may deviate significantly from the functional and design specifications created during the requirements and design phases of the system development life cycle. Therefore, threat and vulnerability analyses of information systems, system components, and information system services prior to delivery are critical to the effective operation of those systems, components, and services. Threat and vulnerability analyses at this phase of the life cycle help to ensure that design or implementation changes have been accounted for, and that any new vulnerabilities created as a result of those changes have been reviewed and mitigated. Related controls: PM-15, RA-5. |
The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service. |
| CCI-003182 |
The organization requires the developer of the information system, system component, or information system service to perform testing/evaluation of the as-built system, component, or service subsequent to threat and vulnerability analysis. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service perform testing/evaluation of the as-built system, component, or service subsequent to threat and vulnerability analysis. |
The organization being inspected/assessed requires within contracts/agreements that the developer the information system, system component, or information system service perform testing/evaluation of the as-built system, component, or service based on threat and vulnerability analysis. |
Developer Security Testing And Evaluation | Threat And Vulnerability Analyses |
SA-11 (2) |
SA-11(2).2 |
Applications may deviate significantly from the functional and design specifications created during the requirements and design phases of the system development life cycle. Therefore, threat and vulnerability analyses of information systems, system components, and information system services prior to delivery are critical to the effective operation of those systems, components, and services. Threat and vulnerability analyses at this phase of the life cycle help to ensure that design or implementation changes have been accounted for, and that any new vulnerabilities created as a result of those changes have been reviewed and mitigated. Related controls: PM-15, RA-5. |
The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service. |
| CCI-003183 |
The organization requires an independent agent satisfying organization-defined independence criteria to verify the correct implementation of the developer security assessment plan. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that an independent agent satisfying independence criteria defined in SA-11 (3), CCI 3185 verify the correct implementation of the developer security assessment plan. |
The organization being inspected/assessed requires within contracts/agreements that an independent agent satisfying independence criteria defined in SA-11 (3), CCI 3185 verify the correct implementation of the developer security assessment plan. |
Developer Security Testing And Evaluation | Independent Verification Of Assessment Plans / Evidence |
SA-11 (3) |
SA-11(3).1 |
Independent agents have the necessary qualifications (i.e., expertise, skills, training, and experience) to verify the correct implementation of developer security assessment plans. Related controls: AT-3, CA-7, RA-5, SA-12. |
The organization:
(a) Requires an independent agent satisfying [Assignment: organization-defined independence criteria] to verify the correct implementation of the developer security assessment plan and the evidence produced during security testing/evaluation; and
(b) Ensures that the independent agent either is provided with sufficient information to complete the verification process or has been granted the authority to obtain such information. |
| CCI-003184 |
The organization requires an independent agent satisfying organization-defined independence criteria to verify the evidence produced during security testing/evaluation. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that an independent agent satisfying independence criteria defined in SA-11 (3), CCI 3185 verify the evidence produced during security testing/evaluation. |
The organization being inspected/assessed requires within contracts/agreements that an independent agent satisfying independence criteria defined in SA-11 (3), CCI 3185 verify the evidence produced during security testing/evaluation. |
Developer Security Testing And Evaluation | Independent Verification Of Assessment Plans / Evidence |
SA-11 (3) |
SA-11(3).2 |
Independent agents have the necessary qualifications (i.e., expertise, skills, training, and experience) to verify the correct implementation of developer security assessment plans. Related controls: AT-3, CA-7, RA-5, SA-12. |
The organization:
(a) Requires an independent agent satisfying [Assignment: organization-defined independence criteria] to verify the correct implementation of the developer security assessment plan and the evidence produced during security testing/evaluation; and
(b) Ensures that the independent agent either is provided with sufficient information to complete the verification process or has been granted the authority to obtain such information. |
| CCI-003185 |
The organization defines the independence criteria the independent agent must satisfy prior to verifying the correct implementation of the developer security assessment plan and the evidence produced during security testing/evaluation. |
The organization conducting the inspection/assessment obtains and examines the documented independence criteria to ensure the organization being inspected/assessed defines the independence criteria the independent agent must satisfy prior to verifying the correct implementation of the developer security assessment plan and the evidence produced during security testing/evaluation.
DoD has determined the independence criteria is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the independence criteria the independent agent must satisfy prior to verifying the correct implementation of the developer security assessment plan and the evidence produced during security testing/evaluation.
DoD has determined the independence criteria is not appropriate to define at the Enterprise level. |
Developer Security Testing And Evaluation | Independent Verification Of Assessment Plans / Evidence |
SA-11 (3) |
SA-11(3).3 |
Independent agents have the necessary qualifications (i.e., expertise, skills, training, and experience) to verify the correct implementation of developer security assessment plans. Related controls: AT-3, CA-7, RA-5, SA-12. |
The organization:
(a) Requires an independent agent satisfying [Assignment: organization-defined independence criteria] to verify the correct implementation of the developer security assessment plan and the evidence produced during security testing/evaluation; and
(b) Ensures that the independent agent either is provided with sufficient information to complete the verification process or has been granted the authority to obtain such information. |
| CCI-003186 |
The organization ensures that the independent agent either is provided with sufficient information to complete the verification process or has been granted the authority to obtain such information. |
The organization conducting the inspection/assessment obtains and examines the record of information provided to ensure the organization being inspected/assessed provides the independent agent with sufficient information and access/authority to complete the verification process. |
The organization being inspected/assessed provides the independent agent with sufficient information and access/authority to complete the verification process.
The organization must maintain a record of information provided. |
Developer Security Testing And Evaluation | Independent Verification Of Assessment Plans / Evidence |
SA-11 (3) |
SA-11(3).4 |
Independent agents have the necessary qualifications (i.e., expertise, skills, training, and experience) to verify the correct implementation of developer security assessment plans. Related controls: AT-3, CA-7, RA-5, SA-12. |
The organization:
(a) Requires an independent agent satisfying [Assignment: organization-defined independence criteria] to verify the correct implementation of the developer security assessment plan and the evidence produced during security testing/evaluation; and
(b) Ensures that the independent agent either is provided with sufficient information to complete the verification process or has been granted the authority to obtain such information. |
| CCI-003187 |
The organization requires the developer of the information system, system component, or information system service to perform a manual code review of organization-defined specific code using organization-defined processes, procedures, and/or techniques. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service perform a manual code review of specific code defined in SA-11 (4), CCI 3188 using processes, procedures, and/or techniques defined in SA-11 (4), CCI 3189. |
The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service perform a manual code review of specific code defined in SA-11 (4), CCI 3188 using processes, procedures, and/or techniques defined in SA-11 (4), CCI 3189. |
Developer Security Testing And Evaluation | Manual Code Reviews |
SA-11 (4) |
SA-11(4).1 |
Manual code reviews are usually reserved for the critical software and firmware components of information systems. Such code reviews are uniquely effective at identifying weaknesses that require knowledge of the application's requirements or context which are generally unavailable to more automated analytic tools and techniques such as static or dynamic analysis. Components benefiting from manual review include for example, verifying access control matrices against application controls and reviewing more detailed aspects of cryptographic implementations and controls. |
The organization requires the developer of the information system, system component, or information system service to perform a manual code review of [Assignment: organization-defined specific code] using [Assignment: organization-defined processes, procedures, and/or techniques]. |
| CCI-003188 |
The organization defines the specific code for which the developer of the information system, system component, or information system service is required to perform a manual code review using organization-defined process, procedures, and/or techniques. |
The organization conducting the inspection/assessment obtains and examines the documented specific code to ensure the organization being inspected/assessed defines the specific code that requires the developer of the information system, system component, or information system service to perform a manual code review against using organization-defined process, procedures, and/or techniques.
DoD has determined the specific code is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the specific code that requires the developer of the information system, system component, or information system service to perform a manual code review against using organization-defined process, procedures, and/or techniques.
The defined code shall include:
1. random samples; and
2. critical software and firmware components of information systems.
DoD has determined the specific code is not appropriate to define at the Enterprise level. |
Developer Security Testing And Evaluation | Manual Code Reviews |
SA-11 (4) |
SA-11(4).2 |
Manual code reviews are usually reserved for the critical software and firmware components of information systems. Such code reviews are uniquely effective at identifying weaknesses that require knowledge of the application's requirements or context which are generally unavailable to more automated analytic tools and techniques such as static or dynamic analysis. Components benefiting from manual review include for example, verifying access control matrices against application controls and reviewing more detailed aspects of cryptographic implementations and controls. |
The organization requires the developer of the information system, system component, or information system service to perform a manual code review of [Assignment: organization-defined specific code] using [Assignment: organization-defined processes, procedures, and/or techniques]. |
| CCI-003189 |
The organization defines the processes, procedures, and/or techniques to be used by the developer of the information system, system component, or information system service to perform a manual code review of organization-defined specific code. |
The organization conducting the inspection/assessment obtains and examines the documented processes, procedures, and/or techniques to ensure the organization being inspected/assessed defines the processes, procedures, and/or techniques to be used by the developer of the information system, system component, or information system service to perform a manual code review of organization-defined specific code.
DoD has determined the processes, procedures, and/or techniques are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed requires in contracts/agreements that the developer define and document the processes, procedures, and/or techniques to be used to perform a manual code review of organization-defined specific code.
Manual code reviews identify weaknesses which are generally unavailable to more automated analytic tools and techniques such as static or dynamic analysis. Manual code reviews should be performed in conjunction with automated testing, such as static or dynamic analysis, to provide greater levels of analysis.
DoD has determined the processes, procedures, and/or techniques are not appropriate to define at the Enterprise level. |
Developer Security Testing And Evaluation | Manual Code Reviews |
SA-11 (4) |
SA-11(4).3 |
Manual code reviews are usually reserved for the critical software and firmware components of information systems. Such code reviews are uniquely effective at identifying weaknesses that require knowledge of the application's requirements or context which are generally unavailable to more automated analytic tools and techniques such as static or dynamic analysis. Components benefiting from manual review include for example, verifying access control matrices against application controls and reviewing more detailed aspects of cryptographic implementations and controls. |
The organization requires the developer of the information system, system component, or information system service to perform a manual code review of [Assignment: organization-defined specific code] using [Assignment: organization-defined processes, procedures, and/or techniques]. |
| CCI-003190 |
The organization requires the developer of the information system, system component, or information system service to perform penetration testing at an organization-defined breadth/depth and with organization-defined constraints. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service perform penetration testing at a breadth/depth defined in SA-11 (5), CCI 3191 and with constraints defined in SA-11 (5), CCI 3192. |
The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service perform penetration testing at a breadth/depth defined in SA-11 (5), CCI 3191 and with constraints defined in SA-11 (5), CCI 3192. |
Developer Security Testing And Evaluation | Penetration Testing / Analysis |
SA-11 (5) |
SA-11(5).1 |
Penetration testing is an assessment methodology in which assessors, using all available information technology product and/or information system documentation (e.g., product/system design specifications, source code, and administrator/operator manuals) and working under specific constraints, attempt to circumvent implemented security features of information technology products and information systems. Penetration testing can include, for example, white, gray, or black box testing with analyses performed by skilled security professionals simulating adversary actions. The objective of penetration testing is to uncover potential vulnerabilities in information technology products and information systems resulting from implementation errors, configuration faults, or other operational deployment weaknesses or deficiencies. Penetration tests can be performed in conjunction with automated and manual code reviews to provide greater levels of analysis than would ordinarily be possible. |
The organization requires the developer of the information system, system component, or information system service to perform penetration testing at [Assignment: organization-defined breadth/depth] and with [Assignment: organization-defined constraints]. |
| CCI-003191 |
The organization defines the breadth/depth at which the developer of the information system, system component, or information system service is required to perform penetration testing. |
The organization conducting the inspection/assessment obtains and examines the documented breadth/depth to ensure the organization being inspected/assessed defines the breadth/depth the developer of the information system, system component, or information system service is required to perform penetration testing.
DoD has determined the constraints are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the breadth/depth the developer of the information system, system component, or information system service is required to perform penetration testing.
DoD has determined the breadth/depth are not appropriate to define at the Enterprise level. |
Developer Security Testing And Evaluation | Penetration Testing / Analysis |
SA-11 (5) |
SA-11(5).2 |
Penetration testing is an assessment methodology in which assessors, using all available information technology product and/or information system documentation (e.g., product/system design specifications, source code, and administrator/operator manuals) and working under specific constraints, attempt to circumvent implemented security features of information technology products and information systems. Penetration testing can include, for example, white, gray, or black box testing with analyses performed by skilled security professionals simulating adversary actions. The objective of penetration testing is to uncover potential vulnerabilities in information technology products and information systems resulting from implementation errors, configuration faults, or other operational deployment weaknesses or deficiencies. Penetration tests can be performed in conjunction with automated and manual code reviews to provide greater levels of analysis than would ordinarily be possible. |
The organization requires the developer of the information system, system component, or information system service to perform penetration testing at [Assignment: organization-defined breadth/depth] and with [Assignment: organization-defined constraints]. |
| CCI-003192 |
The organization defines the constraints on penetration testing performed by the developer of the information system, system component, or information system service. |
The organization conducting the inspection/assessment obtains and examines the documented constraints to ensure the organization being inspected/assessed defines the constraints on penetration testing performed by developer of the information system, system component, or information system service.
DoD has determined the constraints are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the constraints on penetration testing performed by developer of the information system, system component, or information system service.
Penetration testing should use all available information technology product documentation (e.g., product/system design specifications, source code, and administrator/operator manuals) and can include, for example, white, gray, or black box testing to attempt circumventing security features of the information technology product or system. Penetration testing should be performed:
1. by skilled security professionals working in controlled environments to simulate and execute adversary actions; and
2. in conjunction with automated and manual code reviews to provide greater levels of analysis than would ordinarily be possible.
DoD has determined the constraints are not appropriate to define at the Enterprise level. |
Developer Security Testing And Evaluation | Penetration Testing / Analysis |
SA-11 (5) |
SA-11(5).3 |
Penetration testing is an assessment methodology in which assessors, using all available information technology product and/or information system documentation (e.g., product/system design specifications, source code, and administrator/operator manuals) and working under specific constraints, attempt to circumvent implemented security features of information technology products and information systems. Penetration testing can include, for example, white, gray, or black box testing with analyses performed by skilled security professionals simulating adversary actions. The objective of penetration testing is to uncover potential vulnerabilities in information technology products and information systems resulting from implementation errors, configuration faults, or other operational deployment weaknesses or deficiencies. Penetration tests can be performed in conjunction with automated and manual code reviews to provide greater levels of analysis than would ordinarily be possible. |
The organization requires the developer of the information system, system component, or information system service to perform penetration testing at [Assignment: organization-defined breadth/depth] and with [Assignment: organization-defined constraints]. |
| CCI-003193 |
The organization requires the developer of the information system, system component, or information system service to perform attack surface reviews. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service perform and document attack surface reviews. |
The organization being inspected/assessed requires within contracts/agreements that the developer perform and document attack surface reviews to uncover any accessible areas where weaknesses or deficiencies in the design and functionality of information systems (including the hardware, software, and firmware components) provide opportunities for adversaries to exploit vulnerabilities.
Attack surface reviews may include:
1. Analyzing both design and implementation changes to information systems;
2. Testing the system with debug options off, or making the debug capabilities inaccessible to unauthorized users;
3. Mitigating attack vectors generated as a result of the changes. Correction of identified flaws includes, for example, deprecation of unsafe functions; and
4. Using configuration documents that describe how to configure OTS elements to limit their functionality or increase their security. These include DISA Security Technical Implementation Guides (STIGs) and NSA Security configuration guides. Perform this as early in the lifecycle as possible, so that unnecessary or dangerous functionality is not depended upon or does not go unnoticed. |
Developer Security Testing And Evaluation | Attack Surface Reviews |
SA-11 (6) |
SA-11(6).1 |
Attack surfaces of information systems are exposed areas that make those systems more vulnerable to cyber attacks. This includes any accessible areas where weaknesses or deficiencies in information systems (including the hardware, software, and firmware components) provide opportunities for adversaries to exploit vulnerabilities. Attack surface reviews ensure that developers: (i) analyze both design and implementation changes to information systems; and (ii) mitigate attack vectors generated as a result of the changes. Correction of identified flaws includes, for example, deprecation of unsafe functions. |
The organization requires the developer of the information system, system component, or information system service to perform attack surface reviews. |
| CCI-003194 |
The organization requires the developer of the information system, system component, or information system service to verify that the scope of security testing/evaluation provides complete coverage of required security controls at an organization-defined depth of testing/evaluation. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service verify that the scope of security testing/evaluation provides complete coverage of required security controls at the depth of testing/evaluation defined in SA-11 (7), CCI 3195. |
The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service verify that the scope of security testing/evaluation provides complete coverage of required security controls at the depth of testing/evaluation defined in SA-11 (7), CCI 3195.
|
Developer Security Testing And Evaluation | Verify Scope Of Testing / Evaluation |
SA-11 (7) |
SA-11(7).1 |
Verifying that security testing/evaluation provides complete coverage of required security controls can be accomplished by a variety of analytic techniques ranging from informal to formal. Each of these techniques provides an increasing level of assurance corresponding to the degree of formality of the analysis. Rigorously demonstrating security control coverage at the highest levels of assurance can be provided by the use of formal modeling and analysis techniques including correlation between control implementation and corresponding test cases. |
The organization requires the developer of the information system, system component, or information system service to verify that the scope of security testing/evaluation provides complete coverage of required security controls at [Assignment: organization-defined depth of testing/evaluation]. |
| CCI-003195 |
The organization defines the depth of testing/evaluation to which the developer of the information system, system component, or information system service is required to verify that the scope of security testing/evaluation provides complete coverage of the required security controls. |
The organization conducting the inspection/assessment obtains and examines the documented depth of testing/evaluation to ensure the organization being inspected/assessed defines the depth of testing/evaluation to which the developer of the information system, system component, or information system service is required to verify that the scope of security testing/evaluation provides complete coverage of the required security controls.
DoD has determined the depth of testing/evaluation is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the depth of testing/evaluation to which the developer of the information system, system component, or information system service is required to verify that the scope of security testing/evaluation provides complete coverage of the required security controls.
The developer can accomplish scope verification through a variety of analytic techniques that provide an increasing level of assurance corresponding to the degree of formality of the analysis. High levels of assurance can be provided by the use of formal modeling and analysis techniques including theorem provers, model checkers, and correlation between control implementation and corresponding test cases.
DoD has determined the depth of testing/evaluation is not appropriate to define at the Enterprise level. |
Developer Security Testing And Evaluation | Verify Scope Of Testing / Evaluation |
SA-11 (7) |
SA-11(7).2 |
Verifying that security testing/evaluation provides complete coverage of required security controls can be accomplished by a variety of analytic techniques ranging from informal to formal. Each of these techniques provides an increasing level of assurance corresponding to the degree of formality of the analysis. Rigorously demonstrating security control coverage at the highest levels of assurance can be provided by the use of formal modeling and analysis techniques including correlation between control implementation and corresponding test cases. |
The organization requires the developer of the information system, system component, or information system service to verify that the scope of security testing/evaluation provides complete coverage of required security controls at [Assignment: organization-defined depth of testing/evaluation]. |
| CCI-003196 |
The organization requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service employ dynamic code analysis tools to identify common flaws. |
The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service employ dynamic code analysis tools to identify common flaws.
Dynamic code analysis tools include fuzz testing, using simulation, and white and black box testing. Dynamic code analysis should be performed in conjunction with static code analysis to provide greater levels of analysis. |
Developer Security Testing And Evaluation | Dynamic Code Analysis |
SA-11 (8) |
SA-11(8).1 |
Dynamic code analysis provides run-time verification of software programs, using tools capable of monitoring programs for memory corruption, user privilege issues, and other potential security problems. Dynamic code analysis employs run-time tools to help to ensure that security functionality performs in the manner in which it was designed. A specialized type of dynamic analysis, known as fuzz testing, induces program failures by deliberately introducing malformed or random data into software programs. Fuzz testing strategies derive from the intended use of applications and the functional and design specifications for the applications. To understand the scope of dynamic code analysis and hence the assurance provided, organizations may also consider conducting code coverage analysis (checking the degree to which the code has been tested using metrics such as percent of subroutines tested or percent of program statements called during execution of the test suite) and/or concordance analysis (checking for words that are out of place in software code such as non-English language words or derogatory terms). |
The organization requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis. |
| CCI-003197 |
The organization requires the developer of the information system, system component, or information system service to document the results of the dynamic code analysis. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service document the results of the dynamic code analysis. |
The organization being inspected/assessed requires that the developer of the information system, system component, or information system service document the type of dynamic analysis that was performed and the results (including defects). |
Developer Security Testing And Evaluation | Dynamic Code Analysis |
SA-11 (8) |
SA-11(8).2 |
Dynamic code analysis provides run-time verification of software programs, using tools capable of monitoring programs for memory corruption, user privilege issues, and other potential security problems. Dynamic code analysis employs run-time tools to help to ensure that security functionality performs in the manner in which it was designed. A specialized type of dynamic analysis, known as fuzz testing, induces program failures by deliberately introducing malformed or random data into software programs. Fuzz testing strategies derive from the intended use of applications and the functional and design specifications for the applications. To understand the scope of dynamic code analysis and hence the assurance provided, organizations may also consider conducting code coverage analysis (checking the degree to which the code has been tested using metrics such as percent of subroutines tested or percent of program statements called during execution of the test suite) and/or concordance analysis (checking for words that are out of place in software code such as non-English language words or derogatory terms). |
The organization requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis. |
| CCI-003198 |
The organization employs organization-defined tailored acquisition strategies, contract tools, and procurement methods for the purchase of the information system, system component, or information system service from suppliers. |
The organization conducting the inspection/assessment obtains and examines documentation tracing the strategies, tools, and methods implemented to the organization-defined strategies, tools, and methods to ensure that the tailored acquisition strategies, contract tools, and procurement methods identified in SA-12 (1), CCI 3199 have been implemented. |
The organization being inspected/assessed implements IAW the DoDI 5200.44 "Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN)” tailored acquisition strategies, contract tools, and procurement methods defined in SA-12 (1), CCI 3199 as a means to mitigate supply chain risk.
The organization being inspected/assessed must maintain documentation tracing the strategies, tools, and methods implemented to the organization-defined strategies, tools, and methods. |
Supply Chain Protection | Acquisition Strategies / Tools / Methods |
SA-12 (1) |
SA-12(1).1 |
The use of acquisition and procurement processes by organizations early in the system development life cycle provides an important vehicle to protect the supply chain. Organizations use available all-source intelligence analysis to inform the tailoring of acquisition strategies, tools, and methods. There are a number of different tools and techniques available (e.g., obscuring the end use of an information system or system component, using blind or filtered buys). Organizations also consider creating incentives for suppliers who: (i) implement required security safeguards; (ii) promote transparency into their organizational processes and security practices; (iii) provide additional vetting of the processes and security practices of subordinate suppliers, critical information system components, and services; (iv) restrict purchases from specific suppliers or countries; and (v) provide contract language regarding the prohibition of tainted or counterfeit components. In addition, organizations consider minimizing the time between purchase decisions and required delivery to limit opportunities for adversaries to corrupt information system components or products. Finally, organizations can use trusted/controlled distribution, delivery, and warehousing options to reduce supply chain risk (e.g., requiring tamper-evident packaging of information system components during shipping and warehousing). Related control: SA-19. |
The organization employs [Assignment: organization-defined tailored acquisition strategies, contract tools, and procurement methods] for the purchase of the information system, system component, or information system service from suppliers. |
| CCI-003199 |
The organization defines tailored acquisition strategies, contract tools, and procurement methods to employ for the purchase of the information system, system component, or information system service from suppliers. |
The organization conducting the inspection/assessment obtains and examines the documentation containing the tailored acquisition strategies, contract tools, and procurement methods to ensure they have been defined IAW DoDI 5200.44, "Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN)."
DoD has determined the tailored acquisition strategies, contract tools, and procurement methods are not appropriate to define at the Enterprise level.
|
The organization being inspected/assessed defines and documents the tailored acquisition strategies, contract tools, and procurement methods IAW DoDI 5200.44, "Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN)." Examples include:
1. Transferring a portion of the risk to the developer or supplier through the use of contract language and incentives;
2. Using contract language that requires the implementation of SCRM throughout the system lifecycle in applicable contracts and other acquisition and assistance instruments (grants, cooperative agreements, Cooperative Research and Development Agreements (CRADAs),and other transactions) examples include:
a. Language outlined in the Defense Acquisition Guidebook section 13.13. Contracting;
b. Language requiring the use of protected mechanisms to deliver elements and data about elements, processes, and delivery mechanisms;
c. Language that articulates that requirements flow down supply chain tiers to sub-prime suppliers.
3. Incentives for suppliers that:
a. Implement required security safeguards and SCRM best practices;
b. Promote transparency into their organizational processes and security practices;
c. Provide additional vetting of the processes and security practices of subordinate suppliers, critical information system components, and services; and
d. Implement contract to reduce SC risk down the contract stack.
4. Gaining insight into supplier security practices;
5. Using contract language and incentives to enable more robust risk management later in the lifecycle;
6. Using a centralized intermediary or “Blind Buy” approaches to acquire element(s) to hide actual usage locations from an untrustworthy supplier or adversary;
7. Exercise the authorities provided in section 806 of the 2011 NDAA, through Public Law 111-383 referenced in the Defense Federal Acquisition Regulation Supplement (DFAR); interim rule part 252.239-7018 Supply Chain Risk.
DoD has determined the tailored acquisition strategies, contract tools, and procurement methods are not appropriate to define at the Enterprise level.
|
Supply Chain Protection | Acquisition Strategies / Tools / Methods |
SA-12 (1) |
SA-12(1).2 |
The use of acquisition and procurement processes by organizations early in the system development life cycle provides an important vehicle to protect the supply chain. Organizations use available all-source intelligence analysis to inform the tailoring of acquisition strategies, tools, and methods. There are a number of different tools and techniques available (e.g., obscuring the end use of an information system or system component, using blind or filtered buys). Organizations also consider creating incentives for suppliers who: (i) implement required security safeguards; (ii) promote transparency into their organizational processes and security practices; (iii) provide additional vetting of the processes and security practices of subordinate suppliers, critical information system components, and services; (iv) restrict purchases from specific suppliers or countries; and (v) provide contract language regarding the prohibition of tainted or counterfeit components. In addition, organizations consider minimizing the time between purchase decisions and required delivery to limit opportunities for adversaries to corrupt information system components or products. Finally, organizations can use trusted/controlled distribution, delivery, and warehousing options to reduce supply chain risk (e.g., requiring tamper-evident packaging of information system components during shipping and warehousing). Related control: SA-19. |
The organization employs [Assignment: organization-defined tailored acquisition strategies, contract tools, and procurement methods] for the purchase of the information system, system component, or information system service from suppliers. |
| CCI-003200 |
The organization conducts a supplier review prior to entering into a contractual agreement to acquire the information system, system component, or information system service. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of supplier review to ensure the organization being inspected/assessed documents and implements a process to conduct a supplier review prior to entering into a contractual agreement to acquire the information system, system component, or information system service. |
The organization being inspected/assessed documents and implements a process to conduct a supplier review prior to entering into a contractual agreement to acquire the information system, system component, or information system service. Examples of items that can be considered in the review are the supplier's:
1. Organization and process certifications;
2. Security policies, procedures, and activities across the lifecycle;
3. Supply chain and the criteria and methodology for selecting/managing their suppliers/service providers;
4. Financials to determine if the supplier is financially stable;
5. Foreign Ownership, Control, and Influence;
6. Past performance and any documented supply chain incidents;
7. Business relationships; and
8. Maturity of business processes.
The organization must maintain a record of supplier review. |
Supply Chain Protection | Supplier Reviews |
SA-12 (2) |
SA-12(2).1 |
Supplier reviews include, for example: (i) analysis of supplier processes used to design, develop, test, implement, verify, deliver, and support information systems, system components, and information system services; and (ii) assessment of supplier training and experience in developing systems, components, or services with the required security capability. These reviews provide organizations with increased levels of visibility into supplier activities during the system development life cycle to promote more effective supply chain risk management. Supplier reviews can also help to determine whether primary suppliers have security safeguards in place and a practice for vetting subordinate suppliers, for example, second- and third-tier suppliers, and any subcontractors. |
The organization conducts a supplier review prior to entering into a contractual agreement to acquire the information system, system component, or information system service. |
| CCI-003201 |
The organization employs organization-defined security safeguards to limit harm from potential adversaries identifying and targeting the organizational supply chain. |
The organization conducting the inspection/assessment obtains and examines the record of security safeguards supplied to ensure the organization being inspected/assessed employs security safeguards defined in SA-12 (5), CCI 3202 to limit harm from potential adversaries identifying and targeting the organizational supply chain. |
The organization being inspected/assessed employs security safeguards defined in SA-12 (5), CCI 3202 to limit harm from potential adversaries identifying and targeting the organizational supply chain.
The organization must maintain a record of security safeguards employed.
|
Supply Chain Protection | Limitation Of Harm |
SA-12 (5) |
SA-12(5).1 |
Supply chain risk is part of the advanced persistent threat (APT). Security safeguards and countermeasures to reduce the probability of adversaries successfully identifying and targeting the supply chain include, for example: (i) avoiding the purchase of custom configurations to reduce the risk of acquiring information systems, components, or products that have been corrupted via supply chain actions targeted at specific organizations; (ii) employing a diverse set of suppliers to limit the potential harm from any given supplier in the supply chain; (iii) employing approved vendor lists with standing reputations in industry, and (iv) using procurement carve outs (i.e., exclusions to commitments or obligations). |
The organization employs [Assignment: organization-defined security safeguards] to limit harm from potential adversaries identifying and targeting the organizational supply chain. |
| CCI-003202 |
The organization defines security safeguards to employ to limit harm from potential adversaries identifying and targeting the organizational supply chain. |
The conducting the inspection/assessment obtains and examines the documented security safeguards to ensure they have been defined IAW DoDI 5200.44.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level.
|
The organization being inspected/assessed defines and documents security safeguards to employ to limit harm from potential adversaries identifying and targeting the organizational supply chain IAW DoDI 5200.44.
Examples of security safeguards that the organization should consider implementing to limit the harm from potential adversaries targeting the organizational supply chain, are:
1. Using trusted physical delivery mechanisms that do not permit access to the element during delivery (ship via a protected carrier, use cleared/official couriers, or a diplomatic pouch);
2. Using trusted electronic delivery of products and services (require downloading from approved, verification-enhanced sites);
3. Avoiding the purchase of custom configurations, where feasible;
4. Using procurement carve outs (i.e., exclusions to commitments or obligations), where feasible;
5. Using defensive design approaches;
6. Employing system OPSEC principles;
7. Employing a diverse set of suppliers;
8. Employing approved vendor lists with standing reputations in industry;
9. Using a centralized intermediary and “Blind Buy” approaches to acquire element(s) to hide actual usage locations from an untrustworthy supplier or adversary Employing inventory management policies and processes;
10. Using flexible agreements during each acquisition and procurement phase so that it is possible to meet emerging needs or requirements to address supply chain risk without requiring complete revision or re-competition of an acquisition or procurement;
11. Using international, national, commercial or government standards to increase potential supply base;
12. Limiting the disclosure of information that can become publicly available; and
13. Minimizing the time between purchase decisions and required delivery.
Organizations should reference the SCRM Key Practices and Implementation Guide for DoD for additional guidance.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
Supply Chain Protection | Limitation Of Harm |
SA-12 (5) |
SA-12(5).2 |
Supply chain risk is part of the advanced persistent threat (APT). Security safeguards and countermeasures to reduce the probability of adversaries successfully identifying and targeting the supply chain include, for example: (i) avoiding the purchase of custom configurations to reduce the risk of acquiring information systems, components, or products that have been corrupted via supply chain actions targeted at specific organizations; (ii) employing a diverse set of suppliers to limit the potential harm from any given supplier in the supply chain; (iii) employing approved vendor lists with standing reputations in industry, and (iv) using procurement carve outs (i.e., exclusions to commitments or obligations). |
The organization employs [Assignment: organization-defined security safeguards] to limit harm from potential adversaries identifying and targeting the organizational supply chain. |
| CCI-003203 |
The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update. |
The organization conducting the inspection/assessment obtains and examines documented assessment(s) that were conducted by the organization prior to selection, acceptance, or update to ensure that the organization being inspected/assessed is assessing information systems, system components, or information system services prior to selection, acceptance, or update. |
The organization being inspected/assessed or an independent, third-party entity must perform and document assessments that may include static analyses, dynamic analyses, simulations, white, gray, and black box testing, fuzz testing, penetration testing, and ensure that components or services are genuine (e.g., using tags, cryptographic hash verifications, or digital signatures). Where possible, testing should employ threat profiles based on the threats that the system is likely to face in the operational environment. |
Supply Chain Protection | Assessments Prior To Selection / Acceptance / Update |
SA-12 (7) |
SA-12(7).1 |
Assessments include, for example, testing, evaluations, reviews, and analyses. Independent, third-party entities or organizational personnel conduct assessments of systems, components, products, tools, and services. Organizations conduct assessments to uncover unintentional vulnerabilities and intentional vulnerabilities including, for example, malicious code, malicious processes, defective software, and counterfeits. Assessments can include, for example, static analyses, dynamic analyses, simulations, white, gray, and black box testing, fuzz testing, penetration testing, and ensuring that components or services are genuine (e.g., using tags, cryptographic hash verifications, or digital signatures). Evidence generated during security assessments is documented for follow-on actions carried out by organizations. Related controls: CA-2, SA-11. |
The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update. |
| CCI-003204 |
The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update. |
|
|
|
|
|
|
|
| CCI-003205 |
The organization uses all-source intelligence analysis of suppliers and potential suppliers of the information system, system component, or information system service. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed implements a process IAW DoDI 5200.44 to use all-source intelligence analysis of suppliers and potential suppliers of the information system, system component, or information system service. |
The organization being inspected/assessed documents and implements a process IAW DoDI 5200.44 to use all-source intelligence analysis of suppliers and potential suppliers of the information system, system component, or information system service.
All-source intelligence of suppliers that the organization may use includes:
1. Defense Intelligence Agency (DIA) Threat Assessment Center (TAC), the enterprise focal point for supplier threat assessments for the DoD acquisition community risks;
2. Other U.S. Government resources including:
a. Government Industry Data Exchange Program (GIDEP) – Database where government and industry can record issues with suppliers, including counterfeits; and
b. System for Award Management (SAM) – Database of companies that are barred from doing business with the US Government.
3. Open source and commercial research.
|
Supply Chain Protection | Use Of All-Source Intelligence |
SA-12 (8) |
SA-12(8).1 |
All-source intelligence analysis is employed by organizations to inform engineering, acquisition, and risk management decisions. All-source intelligence consists of intelligence products and/or organizations and activities that incorporate all sources of information, most frequently including human intelligence, imagery intelligence, measurement and signature intelligence, signals intelligence, and open source data in the production of finished intelligence. Where available, such information is used to analyze the risk of both intentional and unintentional vulnerabilities from development, manufacturing, and delivery processes, people, and the environment. This review is performed on suppliers at multiple tiers in the supply chain sufficient to manage risks. Related control: SA-15. |
The organization uses all-source intelligence analysis of suppliers and potential suppliers of the information system, system component, or information system service. |
| CCI-003206 |
The organization employs organization-defined Operations Security (OPSEC) safeguards in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service. |
The organization conducting the inspection/assessment obtains and examines any applicable artifacts showing the use of OPSEC safeguards to ensure the organization being inspected/assessed implements OPSEC safeguards defined in SA-12 (9), CCI 3206 to protect supply chain-related information for the information system, system component, or information system service.
DoD has determined the OPSEC safeguards are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed implements Operations Security (OPSEC) safeguards defined in SA-12 (9), CCI 3206 to protect supply chain-related information for the information system, system component, or information system service. |
Supply Chain Protection | Operations Security |
SA-12 (9) |
SA-12(9).1 |
Supply chain information includes, for example: user identities; uses for information systems, information system components, and information system services; supplier identities; supplier processes; security requirements; design specifications; testing and evaluation results; and system/component configurations. This control enhancement expands the scope of OPSEC to include suppliers and potential suppliers. OPSEC is a process of identifying critical information and subsequently analyzing friendly actions attendant to operations and other activities to: (i) identify those actions that can be observed by potential adversaries; (ii) determine indicators that adversaries might obtain that could be interpreted or pieced together to derive critical information in sufficient time to cause harm to organizations; (iii) implement safeguards or countermeasures to eliminate or reduce to an acceptable level, exploitable vulnerabilities; and (iv) consider how aggregated information may compromise the confidentiality of users or uses of the supply chain. OPSEC may require organizations to withhold critical mission/business information from suppliers and may include the use of intermediaries to hide the end use, or users, of information systems, system components, or information system services. Related control: PE-21. |
The organization employs [Assignment: organization-defined Operations Security (OPSEC) safeguards] in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service. |
| CCI-003207 |
The organization employs organization-defined tailored acquisition strategies, contract tools, and procurement methods for the purchase of the information system, system component, or information system service from suppliers. |
|
|
|
|
|
|
|
| CCI-003208 |
The organization employs organization-defined tailored acquisition strategies, contract tools, and procurement methods for the purchase of the information system, system component, or information system service from suppliers. |
|
|
|
|
|
|
|
| CCI-003209 |
The organization employs organization-defined tailored acquisition strategies, contract tools, and procurement methods for the purchase of the information system, system component, or information system service from suppliers. |
|
|
|
|
|
|
|
| CCI-003210 |
The organization defines the Operations Security (OPSEC) safeguards to be employed in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service. |
The organization being inspected/assessed obtains and examines the documented OPSEC safeguards to ensure they have been defined IAW DoDD 5205.02E, DoD Manual 5205.02, and DoDI 5200.44.
DoD has determined the OPSEC safeguards are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents Operations Security (OPSEC) safeguards IAW DoDD 5205.02E, DoD Manual 5205.02, and DoDI 5200.44.
OPSEC safeguards may include:
1. Limiting the disclosure of information needed to design, develop, test, produce, deliver, and support the element for example, supplier identities, supplier processes, potential suppliers, security requirements, design specifications, testing and evaluation result, and system/component configurations, including the use of direct shipping, blind buys, etc.;
2. Extending supply chain awareness, education, and training for suppliers, intermediate users, and end users;
3. Extending the range of OPSEC tactics, techniques, and procedures to potential suppliers, contracted suppliers, or sub-prime contractor tier of suppliers; and
4. Using centralized support and maintenance services to minimize direct interactions between end users and original suppliers.
DoD has determined the OPSEC safeguards are not appropriate to define at the Enterprise level. |
Supply Chain Protection | Operations Security |
SA-12 (9) |
SA-12(9).2 |
Supply chain information includes, for example: user identities; uses for information systems, information system components, and information system services; supplier identities; supplier processes; security requirements; design specifications; testing and evaluation results; and system/component configurations. This control enhancement expands the scope of OPSEC to include suppliers and potential suppliers. OPSEC is a process of identifying critical information and subsequently analyzing friendly actions attendant to operations and other activities to: (i) identify those actions that can be observed by potential adversaries; (ii) determine indicators that adversaries might obtain that could be interpreted or pieced together to derive critical information in sufficient time to cause harm to organizations; (iii) implement safeguards or countermeasures to eliminate or reduce to an acceptable level, exploitable vulnerabilities; and (iv) consider how aggregated information may compromise the confidentiality of users or uses of the supply chain. OPSEC may require organizations to withhold critical mission/business information from suppliers and may include the use of intermediaries to hide the end use, or users, of information systems, system components, or information system services. Related control: PE-21. |
The organization employs [Assignment: organization-defined Operations Security (OPSEC) safeguards] in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service. |
| CCI-003211 |
The organization defines the Operations Security (OPSEC) safeguards to be employed in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service. |
|
|
|
|
|
|
|
| CCI-003212 |
The organization employs organization-defined security safeguards to validate that the information system or system component received is genuine and has not been altered. |
The organization conducting the inspection/assessment obtains and examines the record of information system validation to ensure the organization being inspected/assessed employs security safeguards defined in SA-12 (10), CCI 3213 to validate that the information system or system component received is genuine and has not been altered.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed employs security safeguards to validate that the information system or system component received is genuine and has not been altered defined in SA-12 (10), CCI 3213. The organization must maintain a record of information system validation. The record must identify what safeguards are applied.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
Supply Chain Protection | Validate As Genuine And Not Altered |
SA-12 (10) |
SA-12(10).1 |
For some information system components, especially hardware, there are technical means to help determine if the components are genuine or have been altered. Security safeguards used to validate the authenticity of information systems and information system components include, for example, optical/nanotechnology tagging and side-channel analysis. For hardware, detailed bill of material information can highlight the elements with embedded logic complete with component and production location. |
The organization employs [Assignment: organization-defined security safeguards] to validate that the information system or system component received is genuine and has not been altered. |
| CCI-003213 |
The organization defines the security safeguards to be employed to validate that the information system or system component received is genuine and has not been altered. |
The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure they have been defined IAW DoDI 5200.44.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents security safeguards to validate that the information system or system component received is genuine and has not been altered IAW DoDI 5200.44.
Security safeguards may:
1. Examine for:
a. Evidence of unauthorized tampering/modification, intentional bugging/subversion, or harmful features;
b. Indicators of weaknesses such as unexpected size/dimensions, substandard workmanship, mismatched serial number or bar code, altered/ unexpected/ counterfeit trademarks or markings, or XRF (x-ray fluorescence); and
c. Newly manufactured (not refurbished) elements and for valid licensing (including support agreements).
2. Include:
a. Acceptance testing;
b. Anti-tamper mechanisms (tamper-resistant and tamper-evident packaging, anti-tamper fence);
c. Contact angle analysis and chemical surface analysis;
d. Encryption (in motion and at rest);
e. Watermarking mechanisms;
f. Optical/nanotechnology tagging;
g. Side-channel analysis;
h. Performance and sub-element baseline; and
i. Difficult-to-forge marks (such as digital signatures and hologram tags).
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
Supply Chain Protection | Validate As Genuine And Not Altered |
SA-12 (10) |
SA-12(10).2 |
For some information system components, especially hardware, there are technical means to help determine if the components are genuine or have been altered. Security safeguards used to validate the authenticity of information systems and information system components include, for example, optical/nanotechnology tagging and side-channel analysis. For hardware, detailed bill of material information can highlight the elements with embedded logic complete with component and production location. |
The organization employs [Assignment: organization-defined security safeguards] to validate that the information system or system component received is genuine and has not been altered. |
| CCI-003214 |
The organization employs organizational analysis, independent third-party analysis, organizational penetration testing and/or independent third-party penetration testing of organization-defined supply chain elements, processes, and actors associated with the information system, system component, or information system service. |
The organization conducting the inspection/assessment obtains and examines the documented processes to ensure the organization being inspected/assessed employs organizational analysis, independent third-party analysis, organizational penetration testing and/or independent third-party penetration testing of supply chain elements, processes and actors defined in SA-12 (11), CCI 3215 associated with the information system, system component, or information system service. |
The organization being inspected/assessed documents and implements processes to employ organizational analysis, independent third-party analysis, organizational penetration testing and/or independent third-party penetration testing of supply chain elements, processes and actors defined in SA-12 (11), CCI 3215 associated with the information system, system component, or information system service.
Penetration testing/analysis should be performed:
1. On potential system elements before accepting the system;
2. As a realistic simulation of the active adversary's known adversary tactics, techniques, procedures (TTPs), and tools; and
3. Throughout the lifecycle on physical and logical systems, elements, and processes. |
Supply Chain Protection | Penetration Testing / Analysis Of Elements, Processes, And Actors |
SA-12 (11) |
SA-12(11).1 |
This control enhancement addresses analysis and/or testing of the supply chain, not just delivered items. Supply chain elements are information technology products or product components that contain programmable logic and that are critically important to information system functions. Supply chain processes include, for example: (i) hardware, software, and firmware development processes; (ii) shipping/handling procedures; (iii) personnel and physical security programs; (iv) configuration management tools/measures to maintain provenance; or (v) any other programs, processes, or procedures associated with the production/distribution of supply chain elements. Supply chain actors are individuals with specific roles and responsibilities in the supply chain. The evidence generated during analyses and testing of supply chain elements, processes, and actors is documented and used to inform organizational risk management activities and decisions. Related control: RA-5. |
The organization employs [Selection (one or more): organizational analysis, independent third-party analysis, organizational penetration testing, independent third-party penetration testing] of [Assignment: organization-defined supply chain elements, processes, and actors] associated with the information system, system component, or information system service. |
| CCI-003215 |
The organization defines the supply chain elements, processes, and actors associated with the information system, system component, or information system service for organizational analysis, independent third-party analysis, organizational penetration testing and/or independent third-party penetration testing. |
The organization conducting the inspection/assessment obtains and examines the documented supply chain elements, processes, and actors to ensure the organization being inspected/assessed defines the supply chain elements, processes, and actors associated with the information system, system component, or information system service for organizational analysis, independent third-party analysis, organizational penetration testing and/or independent third-party penetration testing IAW DoDI 5200.44.
DoD has determined the elements, processes, and actions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the supply chain elements, processes, and actors associated with the information system, system component, or information system service for organizational analysis, independent third-party analysis, organizational penetration testing and/or independent third-party penetration testing.
Penetration testing should be performed throughout the lifecycle on physical and logical systems, elements, and processes including:
1. Hardware, software, and firmware development processes;
2. Shipping/handling procedures;
3. Personnel and physical security programs;
4. Configuration management tools/measures to maintain provenance; and
5. Any other programs, processes, or procedures associated with the production/distribution of supply chain elements.
The elements, processes, and actors must be defined IAW DoDI 5200.44.
DoD has determined the elements, processes, and actions are not appropriate to define at the Enterprise level. |
Supply Chain Protection | Penetration Testing / Analysis Of Elements, Processes, And Actors |
SA-12 (11) |
SA-12(11).2 |
This control enhancement addresses analysis and/or testing of the supply chain, not just delivered items. Supply chain elements are information technology products or product components that contain programmable logic and that are critically important to information system functions. Supply chain processes include, for example: (i) hardware, software, and firmware development processes; (ii) shipping/handling procedures; (iii) personnel and physical security programs; (iv) configuration management tools/measures to maintain provenance; or (v) any other programs, processes, or procedures associated with the production/distribution of supply chain elements. Supply chain actors are individuals with specific roles and responsibilities in the supply chain. The evidence generated during analyses and testing of supply chain elements, processes, and actors is documented and used to inform organizational risk management activities and decisions. Related control: RA-5. |
The organization employs [Selection (one or more): organizational analysis, independent third-party analysis, organizational penetration testing, independent third-party penetration testing] of [Assignment: organization-defined supply chain elements, processes, and actors] associated with the information system, system component, or information system service. |
| CCI-003216 |
The organization establishes inter-organizational agreements with entities involved in the supply chain for the information system, system component, or information system service. |
The organization conducting the inspection/assessment obtains and examines the documented inter-organizational agreements to ensure the organization being inspected/assessed establishes inter-organizational agreements with entities involved in the supply chain for the information system, system component, or information system service. |
The organization being inspected/assessed establishes and documents inter-organizational agreements with entities involved in the supply chain for the information system, system component, or information system service. |
Supply Chain Protection | Inter-Organizational Agreements |
SA-12 (12) |
SA-12(12).1 |
The establishment of inter-organizational agreements and procedures provides for notification of supply chain compromises. Early notification of supply chain compromises that can potentially adversely affect or have adversely affected organizational information systems, including critical system components, is essential for organizations to provide appropriate responses to such incidents. |
The organization establishes inter-organizational agreements and procedures with entities involved in the supply chain for the information system, system component, or information system service. |
| CCI-003217 |
The organization establishes inter-organizational procedures with entities involved in the supply chain for the information system, system component, or information system service. |
The organization conducting the inspection/assessment obtains and examines the documented inter-organizational procedures to ensure the organization being inspected/assessed establishes inter-organizational procedures with entities involved in the supply chain for the information system, system component, or information system service. |
The organization being inspected/assessed establishes and documents inter-organizational procedures with entities involved in the supply chain for the information system, system component, or information system service. |
Supply Chain Protection | Inter-Organizational Agreements |
SA-12 (12) |
SA-12(12).2 |
The establishment of inter-organizational agreements and procedures provides for notification of supply chain compromises. Early notification of supply chain compromises that can potentially adversely affect or have adversely affected organizational information systems, including critical system components, is essential for organizations to provide appropriate responses to such incidents. |
The organization establishes inter-organizational agreements and procedures with entities involved in the supply chain for the information system, system component, or information system service. |
| CCI-003218 |
The organization employs organization-defined security safeguards to ensure an adequate supply of organization-defined critical information system components. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed employs security safeguards defined by SA-12 (13), CCI 3219 to ensure an adequate supply of critical information system components defined in SA-12 (13), CCI 3220. |
The organization being inspected/assessed documents and implements a process to employ security safeguards defined in SA-12 (13), CCI 3219 to ensure an adequate supply of critical information system components defined in SA-12 (13), CCI 3220.
|
Supply Chain Protection | Critical Information System Components |
SA-12 (13) |
SA-12(13).1 |
Adversaries can attempt to impede organizational operations by disrupting the supply of critical information system components or corrupting supplier operations. Safeguards to ensure adequate supplies of critical information system components include, for example: (i) the use of multiple suppliers throughout the supply chain for the identified critical components; and (ii) stockpiling of spare components to ensure operation during mission-critical times. |
The organization employs [Assignment: organization-defined security safeguards] to ensure an adequate supply of [Assignment: organization-defined critical information system components]. |
| CCI-003219 |
The organization defines the security safeguards to be employed to ensure an adequate supply of organization-defined critical information system components. |
The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure the organization being inspected/assessed defines the security safeguards to be employed to ensure an adequate supply of organization-defined critical information system components.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security safeguards to be employed to ensure an adequate supply of organization-defined critical information system components.
The organization should employ security safeguards for critical materials, production, assembly, testing, packaging, delivery, and sustainment objects and determine what will be needed and when, and how quickly, for system and system element replacements. Safeguards include:
1. Storing critical element spares near or with systems so that they can be rapidly replaced;
2. Stockpiling of spare components to ensure operation during mission-critical times;
3. Using multiple delivery paths and suppliers;
4. Having a variety of vetted delivery paths;
5. Using trusted and cleared contacts and shipping via a protected carrier (such as using cleared/official couriers, or a diplomatic pouch);
6. Proactively manage the life cycle of their products through Diminishing Manufacturing Sources and Material Shortages (DMSMS). This may involve advance purchase and inventory of spare parts while they are widely available and verifiable.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
Supply Chain Protection | Critical Information System Components |
SA-12 (13) |
SA-12(13).2 |
Adversaries can attempt to impede organizational operations by disrupting the supply of critical information system components or corrupting supplier operations. Safeguards to ensure adequate supplies of critical information system components include, for example: (i) the use of multiple suppliers throughout the supply chain for the identified critical components; and (ii) stockpiling of spare components to ensure operation during mission-critical times. |
The organization employs [Assignment: organization-defined security safeguards] to ensure an adequate supply of [Assignment: organization-defined critical information system components]. |
| CCI-003220 |
The organization defines the critical information system components for which organization-defined security safeguards are employed to ensure adequate supply. |
The organization conducting the inspection/assessment obtains and examines the documented critical information system components to ensure the organization being inspected/assessed defines the critical information system components for which organization-defined security safeguards are employed to ensure adequate supply.
DoD has determined the critical information system components are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the critical information system components for which organization-defined security safeguards are employed to ensure adequate supply.
DoD has determined the critical information system components are not appropriate to define at the Enterprise level. |
Supply Chain Protection | Critical Information System Components |
SA-12 (13) |
SA-12(13).3 |
Adversaries can attempt to impede organizational operations by disrupting the supply of critical information system components or corrupting supplier operations. Safeguards to ensure adequate supplies of critical information system components include, for example: (i) the use of multiple suppliers throughout the supply chain for the identified critical components; and (ii) stockpiling of spare components to ensure operation during mission-critical times. |
The organization employs [Assignment: organization-defined security safeguards] to ensure an adequate supply of [Assignment: organization-defined critical information system components]. |
| CCI-003221 |
The organization establishes unique identification of organization-defined supply chain elements, processes, and actors for the information system, system component, or information system service. |
The organization conducting the inspection/assessment obtains and examines the documented unique identification of supply chain elements, processes, and actors to ensure the organization being inspected/assessed establishes unique identification of supply chain elements, processes, and actors defined in SA-12 (14), CCI 3223 for the information system, system component, or information system service. |
The organization being inspected/assessed establishes and documents unique identification of supply chain elements, processes, and actors defined in SA-12 (14), CCI 3223. |
Supply Chain Protection | Identity And Traceability |
SA-12 (14) |
SA-12(14).1 |
Knowing who and what is in the supply chains of organizations is critical to gaining visibility into what is happening within such supply chains, as well as monitoring and identifying high-risk events and activities. Without reasonable visibility and traceability into supply chains (i.e., elements, processes, and actors), it is very difficult for organizations to understand and therefore manage risk, and to reduce the likelihood of adverse events. Uniquely identifying acquirer and integrator roles, organizations, personnel, mission and element processes, testing and evaluation procedures, delivery mechanisms, support mechanisms, communications/delivery paths, and disposal/final disposition activities as well as the components and tools used, establishes a foundational identity structure for assessment of supply chain activities. For example, labeling (using serial numbers) and tagging (using radio-frequency identification [RFID] tags) individual supply chain elements including software packages, modules, and hardware devices, and processes associated with those elements can be used for this purpose. Identification methods are sufficient to support the provenance in the event of a supply chain issue or adverse supply chain event. |
The organization establishes and retains unique identification of [Assignment: organization-defined supply chain elements, processes, and actors] for the information system, system component, or information system service. |
| CCI-003222 |
The organization retains unique identification of organization-defined supply chain elements, processes, and actors for the information system, system component, or information system service. |
The organization conducting the inspection/assessment obtains and examines previous versions of the identification of supply chain elements, processes, and actors documented IAW SA-12 (14), CCI 3221 to ensure the organization being inspected/assessed retains unique identification of supply chain elements, processes, and actors. |
The organization being inspected/assessed retains previous versions of the unique identification of supply chain elements, processes, and actors documented IAW SA-12 (14), CCI 3221. |
Supply Chain Protection | Identity And Traceability |
SA-12 (14) |
SA-12(14).2 |
Knowing who and what is in the supply chains of organizations is critical to gaining visibility into what is happening within such supply chains, as well as monitoring and identifying high-risk events and activities. Without reasonable visibility and traceability into supply chains (i.e., elements, processes, and actors), it is very difficult for organizations to understand and therefore manage risk, and to reduce the likelihood of adverse events. Uniquely identifying acquirer and integrator roles, organizations, personnel, mission and element processes, testing and evaluation procedures, delivery mechanisms, support mechanisms, communications/delivery paths, and disposal/final disposition activities as well as the components and tools used, establishes a foundational identity structure for assessment of supply chain activities. For example, labeling (using serial numbers) and tagging (using radio-frequency identification [RFID] tags) individual supply chain elements including software packages, modules, and hardware devices, and processes associated with those elements can be used for this purpose. Identification methods are sufficient to support the provenance in the event of a supply chain issue or adverse supply chain event. |
The organization establishes and retains unique identification of [Assignment: organization-defined supply chain elements, processes, and actors] for the information system, system component, or information system service. |
| CCI-003223 |
The organization defines the supply chain elements, processes, and actors for the information system, system component, or information system service to establish and retain unique identification. |
The organization conducting the inspection/assessment obtains and examines the documented elements, processes, and actors to ensure the organization being inspected/assessed defines the supply chain elements, processes, and actors for the information system, system component, or information system service to establish and retain unique identification IAW DoDI 5200.44.
DoD has determined the elements, processes, and actors are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the supply chain elements, processes, and actors for the information system, system component, or information system service to establish and retain unique identification. The elements, processes, and actors must be defined IAW DoDI 5200.44.
The organization should consider employing:
1. Procedures for proposing, evaluating, and justifying relevant changes to system/component provenance for their impact on components, processes, systems, missions, and exposure to supply chain risks;
2. Procedures for allocating responsibilities for the creation, maintenance, and monitoring of provenance are documented;
3. Methods for tracking relevant purchasing, shipping, receiving, or transfer activities, including records of reviewer signatures for comparison;
4. Processes for transferring provenance responsibility for systems or components between organizations across physical and logical boundaries including any approvals required;
5. Procedures for tracking and documenting chain of custody of the system or component (Labeling (using serial numbers) and tagging (using radio-frequency identification [RFID] tags); and
6. Security reviews for evaluating and vetting key personnel employed by acquirers or suppliers in any capacity (full-time employee, part-time employee, consultant, contractor, subcontractor, vendor, agent, etc.)
DoD has determined the elements, processes, and actors are not appropriate to define at the Enterprise level. |
Supply Chain Protection | Identity And Traceability |
SA-12 (14) |
SA-12(14).3 |
Knowing who and what is in the supply chains of organizations is critical to gaining visibility into what is happening within such supply chains, as well as monitoring and identifying high-risk events and activities. Without reasonable visibility and traceability into supply chains (i.e., elements, processes, and actors), it is very difficult for organizations to understand and therefore manage risk, and to reduce the likelihood of adverse events. Uniquely identifying acquirer and integrator roles, organizations, personnel, mission and element processes, testing and evaluation procedures, delivery mechanisms, support mechanisms, communications/delivery paths, and disposal/final disposition activities as well as the components and tools used, establishes a foundational identity structure for assessment of supply chain activities. For example, labeling (using serial numbers) and tagging (using radio-frequency identification [RFID] tags) individual supply chain elements including software packages, modules, and hardware devices, and processes associated with those elements can be used for this purpose. Identification methods are sufficient to support the provenance in the event of a supply chain issue or adverse supply chain event. |
The organization establishes and retains unique identification of [Assignment: organization-defined supply chain elements, processes, and actors] for the information system, system component, or information system service. |
| CCI-003224 |
The organization establishes a process to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed establishes a process to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements. |
The organization being inspected/assessed documents and implements a process to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements.
The organization being inspected/assessed will perform follow-on actions to address the weaknesses and deficiencies identified during assessments of supply chain (SC) elements (e.g., penetration testing, audits, verification/validation activities). Follow on actions may include:
1. Performing failure or forensic analysis on elements and processes to determine the cause of failure. Isolate and diagnose the elements of the component that are not performing properly and assess the origin and mechanisms of the failure. Assess the impact of the failure, ways to detect failures, and mitigating actions (including ways to detect failures and preventing future occurrences);
2. Initiate a plan to remediate vulnerabilities immediately upon detection which include:
a. Identifying the weakness associated with the vulnerability;
b. Determining the root cause and context; and
c. Remediating the vulnerability, depending on the likelihood of its exploitation and the severity of its consequences.
3. Coordinating SC incident management activities with other organizations to ensure consistent and effective management of SC risk incidents; and
4. Following established procedures for reporting incidents. If no procedure has been established, determine what information should flow in and out, to who, and in what circumstances;
5. Establishing and maintain SC risk incident reporting connectivity to local, regional, and national incident management processes where established (e.g., IAVA, CERT/CC, US CERT, FBI, FISMA reporting), and possibly intelligence processes. |
Supply Chain Protection | Processes To Address Weaknesses Or Deficiencies |
SA-12 (15) |
SA-12(15).1 |
Evidence generated during independent or organizational assessments of supply chain elements (e.g., penetration testing, audits, verification/validation activities) is documented and used in follow-on processes implemented by organizations to respond to the risks related to the identified weaknesses and deficiencies. Supply chain elements include, for example, supplier development processes and supplier distribution systems. |
The organization establishes a process to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements. |
| CCI-003225 |
The organization describes the trustworthiness required in the organization-defined information system, information system component, or information system service supporting its critical missions/business functions. |
The organization conducting the inspection/assessment obtains and examines the security plan to ensure the organization being inspected/assessed documents within its security plan the trustworthiness required in the information system, information system component, or information system service defined in SA-13, CCI 3226 supporting its critical missions/business functions. |
The organization being inspected/assessed documents within its security plan the trustworthiness required in the information system, information system component, or information system service defined in SA-13, CCI 3226 supporting its critical missions/business functions. |
Trustworthiness |
SA-13 |
SA-13.1 |
This control helps organizations to make explicit trustworthiness decisions when designing, developing, and implementing information systems that are needed to conduct critical organizational missions/business functions. Trustworthiness is a characteristic/property of an information system that expresses the degree to which the system can be expected to preserve the confidentiality, integrity, and availability of the information it processes, stores, or transmits. Trustworthy information systems are systems that are capable of being trusted to operate within defined levels of risk despite the environmental disruptions, human errors, and purposeful attacks that are expected to occur in the specified environments of operation. Trustworthy systems are important to mission/business success. Two factors affecting the trustworthiness of information systems include: (i) security functionality (i.e., the security features, functions, and/or mechanisms employed within the system and its environment of operation); and (ii) security assurance (i.e., the grounds for confidence that the security functionality is effective in its application). Developers, implementers, operators, and maintainers of organizational information systems can increase the level of assurance (and trustworthiness), for example, by employing well-defined security policy models, structured and rigorous hardware, software, and firmware development techniques, sound system/security engineering principles, and secure configuration settings (defined by a set of assurance-related security controls in Appendix E).
Assurance is also based on the assessment of evidence produced during the system development life cycle. Critical missions/business functions are supported by high-impact systems and the associated assurance requirements for such systems. The additional assurance controls in Table E-4 in Appendix E (designated as optional) can be used to develop and implement high-assurance solutions for specific information systems and system components using the concept of overlays described in Appendix I. Organizations select assurance overlays that have been developed, validated, and approved for community adoption (e.g., cross-organization, governmentwide), limiting the development of such overlays on an organization-by-organization basis. Organizations can conduct criticality analyses as described in SA-14, to determine the information systems, system components, or information system services that require high-assurance solutions. Trustworthiness requirements and assurance overlays can be described in the security plans for organizational information systems. Related controls: RA-2, SA-4, SA-8, SA-14, SC-3. |
The organization:
a. Describes the trustworthiness required in the [Assignment: organization-defined information system, information system component, or information system service] supporting its critical missions/business functions; and
b. Implements [Assignment: organization-defined assurance overlay] to achieve such trustworthiness. |
| CCI-003226 |
The organization defines the information system, information system component, or information system service supporting its critical missions/business functions in which the trustworthiness must be described. |
The organization conducting the inspection/assessment obtains and examines the documented information system, information system component, or information system service to ensure the organization being inspected/assessed defines the information system, information system component, or information system service supporting its critical missions/business functions in which the trustworthiness must be described.
DoD has determined the information system, information system component, or information system service is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information system, information system component, or information system service supporting its critical missions/business functions in which the trustworthiness must be described.
DoD has determined the information system, information system component, or information system service is not appropriate to define at the Enterprise level. |
Trustworthiness |
SA-13 |
SA-13.2 |
This control helps organizations to make explicit trustworthiness decisions when designing, developing, and implementing information systems that are needed to conduct critical organizational missions/business functions. Trustworthiness is a characteristic/property of an information system that expresses the degree to which the system can be expected to preserve the confidentiality, integrity, and availability of the information it processes, stores, or transmits. Trustworthy information systems are systems that are capable of being trusted to operate within defined levels of risk despite the environmental disruptions, human errors, and purposeful attacks that are expected to occur in the specified environments of operation. Trustworthy systems are important to mission/business success. Two factors affecting the trustworthiness of information systems include: (i) security functionality (i.e., the security features, functions, and/or mechanisms employed within the system and its environment of operation); and (ii) security assurance (i.e., the grounds for confidence that the security functionality is effective in its application). Developers, implementers, operators, and maintainers of organizational information systems can increase the level of assurance (and trustworthiness), for example, by employing well-defined security policy models, structured and rigorous hardware, software, and firmware development techniques, sound system/security engineering principles, and secure configuration settings (defined by a set of assurance-related security controls in Appendix E).
Assurance is also based on the assessment of evidence produced during the system development life cycle. Critical missions/business functions are supported by high-impact systems and the associated assurance requirements for such systems. The additional assurance controls in Table E-4 in Appendix E (designated as optional) can be used to develop and implement high-assurance solutions for specific information systems and system components using the concept of overlays described in Appendix I. Organizations select assurance overlays that have been developed, validated, and approved for community adoption (e.g., cross-organization, governmentwide), limiting the development of such overlays on an organization-by-organization basis. Organizations can conduct criticality analyses as described in SA-14, to determine the information systems, system components, or information system services that require high-assurance solutions. Trustworthiness requirements and assurance overlays can be described in the security plans for organizational information systems. Related controls: RA-2, SA-4, SA-8, SA-14, SC-3. |
The organization:
a. Describes the trustworthiness required in the [Assignment: organization-defined information system, information system component, or information system service] supporting its critical missions/business functions; and
b. Implements [Assignment: organization-defined assurance overlay] to achieve such trustworthiness. |
| CCI-003227 |
The organization implements an organization-defined assurance overlay to achieve trustworthiness required to support its critical missions/business functions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed implements an assurance overlay defined in SA-13, CCI 3228 to achieve trustworthiness required to support its critical missions/business functions. |
The organization being inspected/assessed implements an assurance overlay defined in SA-13, CCI 3228 to achieve trustworthiness required to support its critical missions/business functions. |
Trustworthiness |
SA-13 |
SA-13.3 |
This control helps organizations to make explicit trustworthiness decisions when designing, developing, and implementing information systems that are needed to conduct critical organizational missions/business functions. Trustworthiness is a characteristic/property of an information system that expresses the degree to which the system can be expected to preserve the confidentiality, integrity, and availability of the information it processes, stores, or transmits. Trustworthy information systems are systems that are capable of being trusted to operate within defined levels of risk despite the environmental disruptions, human errors, and purposeful attacks that are expected to occur in the specified environments of operation. Trustworthy systems are important to mission/business success. Two factors affecting the trustworthiness of information systems include: (i) security functionality (i.e., the security features, functions, and/or mechanisms employed within the system and its environment of operation); and (ii) security assurance (i.e., the grounds for confidence that the security functionality is effective in its application). Developers, implementers, operators, and maintainers of organizational information systems can increase the level of assurance (and trustworthiness), for example, by employing well-defined security policy models, structured and rigorous hardware, software, and firmware development techniques, sound system/security engineering principles, and secure configuration settings (defined by a set of assurance-related security controls in Appendix E).
Assurance is also based on the assessment of evidence produced during the system development life cycle. Critical missions/business functions are supported by high-impact systems and the associated assurance requirements for such systems. The additional assurance controls in Table E-4 in Appendix E (designated as optional) can be used to develop and implement high-assurance solutions for specific information systems and system components using the concept of overlays described in Appendix I. Organizations select assurance overlays that have been developed, validated, and approved for community adoption (e.g., cross-organization, governmentwide), limiting the development of such overlays on an organization-by-organization basis. Organizations can conduct criticality analyses as described in SA-14, to determine the information systems, system components, or information system services that require high-assurance solutions. Trustworthiness requirements and assurance overlays can be described in the security plans for organizational information systems. Related controls: RA-2, SA-4, SA-8, SA-14, SC-3. |
The organization:
a. Describes the trustworthiness required in the [Assignment: organization-defined information system, information system component, or information system service] supporting its critical missions/business functions; and
b. Implements [Assignment: organization-defined assurance overlay] to achieve such trustworthiness. |
| CCI-003228 |
The organization defines an assurance overlay to be implemented to achieve trustworthiness required to support its critical missions/business functions. |
The organization conducting the inspection/assessment obtains and examines the documented assurance overlay to ensure the organization being inspected/assessed defines an assurance overlay to be implemented to achieve trustworthiness required to support its critical missions/business functions.
DoD has determined the assurance overlay is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents an assurance overlay to be implemented to achieve trustworthiness required to support its critical missions/business functions.
DoD has determined the assurance overlay is not appropriate to define at the Enterprise level. |
Trustworthiness |
SA-13 |
SA-13.4 |
This control helps organizations to make explicit trustworthiness decisions when designing, developing, and implementing information systems that are needed to conduct critical organizational missions/business functions. Trustworthiness is a characteristic/property of an information system that expresses the degree to which the system can be expected to preserve the confidentiality, integrity, and availability of the information it processes, stores, or transmits. Trustworthy information systems are systems that are capable of being trusted to operate within defined levels of risk despite the environmental disruptions, human errors, and purposeful attacks that are expected to occur in the specified environments of operation. Trustworthy systems are important to mission/business success. Two factors affecting the trustworthiness of information systems include: (i) security functionality (i.e., the security features, functions, and/or mechanisms employed within the system and its environment of operation); and (ii) security assurance (i.e., the grounds for confidence that the security functionality is effective in its application). Developers, implementers, operators, and maintainers of organizational information systems can increase the level of assurance (and trustworthiness), for example, by employing well-defined security policy models, structured and rigorous hardware, software, and firmware development techniques, sound system/security engineering principles, and secure configuration settings (defined by a set of assurance-related security controls in Appendix E).
Assurance is also based on the assessment of evidence produced during the system development life cycle. Critical missions/business functions are supported by high-impact systems and the associated assurance requirements for such systems. The additional assurance controls in Table E-4 in Appendix E (designated as optional) can be used to develop and implement high-assurance solutions for specific information systems and system components using the concept of overlays described in Appendix I. Organizations select assurance overlays that have been developed, validated, and approved for community adoption (e.g., cross-organization, governmentwide), limiting the development of such overlays on an organization-by-organization basis. Organizations can conduct criticality analyses as described in SA-14, to determine the information systems, system components, or information system services that require high-assurance solutions. Trustworthiness requirements and assurance overlays can be described in the security plans for organizational information systems. Related controls: RA-2, SA-4, SA-8, SA-14, SC-3. |
The organization:
a. Describes the trustworthiness required in the [Assignment: organization-defined information system, information system component, or information system service] supporting its critical missions/business functions; and
b. Implements [Assignment: organization-defined assurance overlay] to achieve such trustworthiness. |
| CCI-003229 |
The organization identifies critical information system components by performing a criticality analysis for organization-defined information systems, information system components, or information system services at organization-defined decision points in the system development life cycle. |
The organization conducting the inspection/assessment obtains and examines the documented information system components to ensure the organization being inspected/assessed identifies critical information system components by performing a criticality analysis for information systems, information system components, or information system services IAW DoDI 5200.44. |
The organization being inspected/assessed identifies and documents critical information system components by performing a criticality analysis for information systems, information system components, or information system services IAW DoDI 5200.44. Information systems include all DoD Information Technology.
Criticality analysis is the primary method by which a program identifies mission-critical functions and associated components. Criticality analysis includes the following iterative steps:
1. Identify and group mission threads.
2. Decompose the mission threads into their mission-critical functions and assign them criticality levels.
3. Map the mission-critical functions to the system architecture and identify the defined system components (hardware, software, and firmware) that implement those functions (i.e., components that are critical to the mission effectiveness of the system or an interfaced network).
4. Allocate criticality levels to those components that have been defined.
Criticality levels are determined by assessing the relative impact on the system's ability to complete its mission if the function and associated component fails. Level I is total mission failure, Level II is significant/unacceptable degradation, Level III is partial/acceptable, and Level IV is negligible.
Once the program has identified critical components through the criticality analysis, the program systems engineers and SSEs can use the results along with the vulnerability assessment and threat assessment to determine the risk.
The organization should reference the Defense Acquisition Guidebook (DAG) Chapter 13 for more information. |
Criticality Analysis |
SA-14 |
SA-14.1 |
Criticality analysis is a key tenet of supply chain risk management and informs the prioritization of supply chain protection activities such as attack surface reduction, use of all-source intelligence, and tailored acquisition strategies. Information system engineers can conduct an end-to-end functional decomposition of an information system to identify mission-critical functions and components. The functional decomposition includes the identification of core organizational missions supported by the system, decomposition into the specific functions to perform those missions, and traceability to the hardware, software, and firmware components that implement those functions, including when the functions are shared by many components within and beyond the information system boundary. Information system components that allow for unmediated access to critical components or functions are considered critical due to the inherent vulnerabilities such components create. Criticality is assessed in terms of the impact of the function or component failure on the ability of the component to complete the organizational missions supported by the information system. A criticality analysis is performed whenever an architecture or design is being developed or modified, including upgrades. Related controls: CP-2, PL-2, PL-8, PM-1, SA-8, SA-12, SA-13, SA-15, SA-20. |
The organization identifies critical information system components and functions by performing a criticality analysis for [Assignment: organization-defined information systems, information system components, or information system services] at [Assignment: organization-defined decision points in the system development life cycle]. |
| CCI-003230 |
The organization identifies critical information system functions by performing a criticality analysis for organization-defined information systems, information system components, or information system services at organization-defined decision points in the system development life cycle. |
The organization conducting the inspection/assessment obtains and examines the documented information system functions to ensure the organization being inspected/assessed identifies critical information system functions by performing a criticality analysis for information systems, information system components, or information system services IAW DoDI 5200.44. |
The organization being inspected/assessed identifies and documents critical information system functions by performing a criticality analysis for information systems, information system components, or information system services IAW DoDI 5200.44.
Criticality analysis is the primary method by which a program identifies mission-critical functions and associated components. Criticality analysis includes the following iterative steps:
1. Identify and group mission threads.
2. Decompose the mission threads into their mission-critical functions and assign them criticality levels.
3. Map the mission-critical functions to the system architecture and identify the defined system components (hardware, software, and firmware) that implement those functions (i.e., components that are critical to the mission effectiveness of the system or an interfaced network).
4. Allocate criticality levels to those components that have been defined.
Criticality levels are determined by assessing the relative impact on the system's ability to complete its mission if the function and associated component fails. Level I is total mission failure, Level II is significant/unacceptable degradation, Level III is partial/acceptable, and Level IV is negligible.
Once the program has identified critical functions through the criticality analysis, the program systems engineers and SSEs can use the results along with the vulnerability assessment and threat assessment to determine the risk.
The organization should reference the Defense Acquisition Guidebook (DAG) Chapter 13 for more information.
|
Criticality Analysis |
SA-14 |
SA-14.2 |
Criticality analysis is a key tenet of supply chain risk management and informs the prioritization of supply chain protection activities such as attack surface reduction, use of all-source intelligence, and tailored acquisition strategies. Information system engineers can conduct an end-to-end functional decomposition of an information system to identify mission-critical functions and components. The functional decomposition includes the identification of core organizational missions supported by the system, decomposition into the specific functions to perform those missions, and traceability to the hardware, software, and firmware components that implement those functions, including when the functions are shared by many components within and beyond the information system boundary. Information system components that allow for unmediated access to critical components or functions are considered critical due to the inherent vulnerabilities such components create. Criticality is assessed in terms of the impact of the function or component failure on the ability of the component to complete the organizational missions supported by the information system. A criticality analysis is performed whenever an architecture or design is being developed or modified, including upgrades. Related controls: CP-2, PL-2, PL-8, PM-1, SA-8, SA-12, SA-13, SA-15, SA-20. |
The organization identifies critical information system components and functions by performing a criticality analysis for [Assignment: organization-defined information systems, information system components, or information system services] at [Assignment: organization-defined decision points in the system development life cycle]. |
| CCI-003231 |
The organization defines the information systems, information system components, or information system services for which the organization identifies critical information system components and functions for criticality analysis. |
The organization conducting the inspection/assessment obtains and examines the documented information systems, information system components, or information system services to ensure they have been defined IAW DoDI 5200.44.
DoD has determined the information systems, information system components, or information system services are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information systems, information system components, or information system services for which the organization identifies critical information system components and functions for criticality analysis IAW DoDI 5200.44.
The organization should perform Criticality Analysis to identify and prioritize mission-critical functions and critical components in accordance with the DoDI 5200.44. The criticality analysis allows a program to focus attention (and resources) on the system capabilities, mission-critical functions that matter most. Mission-critical functions are those functions of the system that, if corrupted or disabled, would likely lead to mission failure or degradation. Mission-critical components are primarily the elements of the system (hardware, software, and firmware) that implement critical functions; however, system components that perform defensive functions to protect inherently critical components and other components with unmediated access to inherently critical components, may themselves be mission critical.
DoD has determined the decision points are not appropriate to define at the Enterprise level.
|
Criticality Analysis |
SA-14 |
SA-14.3 |
Criticality analysis is a key tenet of supply chain risk management and informs the prioritization of supply chain protection activities such as attack surface reduction, use of all-source intelligence, and tailored acquisition strategies. Information system engineers can conduct an end-to-end functional decomposition of an information system to identify mission-critical functions and components. The functional decomposition includes the identification of core organizational missions supported by the system, decomposition into the specific functions to perform those missions, and traceability to the hardware, software, and firmware components that implement those functions, including when the functions are shared by many components within and beyond the information system boundary. Information system components that allow for unmediated access to critical components or functions are considered critical due to the inherent vulnerabilities such components create. Criticality is assessed in terms of the impact of the function or component failure on the ability of the component to complete the organizational missions supported by the information system. A criticality analysis is performed whenever an architecture or design is being developed or modified, including upgrades. Related controls: CP-2, PL-2, PL-8, PM-1, SA-8, SA-12, SA-13, SA-15, SA-20. |
The organization identifies critical information system components and functions by performing a criticality analysis for [Assignment: organization-defined information systems, information system components, or information system services] at [Assignment: organization-defined decision points in the system development life cycle]. |
| CCI-003232 |
The organization defines the decision points in the system development life cycle at which to perform a criticality analysis to identify critical information system components and functions for organization-defined information systems, information system components, or information system services. |
The organization conducting the inspection/assessment obtains and examines the documented decision points to ensure they have been defined IAW DoDI 5200.44 and DoDI 5000.2.
DoD has determined the decision points are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the decision points in the system development life cycle at which to perform a criticality analysis to identify critical information system components and functions for organization-defined information systems, information system components , or information system services IAW DoDI 5200.44 and DoDI 5000.2.
Criticality analysis is an iterative process that should be performed whenever an architecture or design is being developed or modified and executed across the acquisition lifecycle, building on growing maturity and updated information, in preparation for acquisition milestone reviews, and at other points in the acquisition lifecycle as defined by the DoDI 5000.2.
A DoD program needs to perform criticality analysis throughout the acquisition life cycle. As a minimum, DoD programs need to perform / update a criticality analysis, along with the threat assessment, vulnerability assessment, risk assessment, cost-benefit trade-off and countermeasure selection, before each technical review.
DoD has determined the decision points are not appropriate to define at the Enterprise level. |
Criticality Analysis |
SA-14 |
SA-14.4 |
Criticality analysis is a key tenet of supply chain risk management and informs the prioritization of supply chain protection activities such as attack surface reduction, use of all-source intelligence, and tailored acquisition strategies. Information system engineers can conduct an end-to-end functional decomposition of an information system to identify mission-critical functions and components. The functional decomposition includes the identification of core organizational missions supported by the system, decomposition into the specific functions to perform those missions, and traceability to the hardware, software, and firmware components that implement those functions, including when the functions are shared by many components within and beyond the information system boundary. Information system components that allow for unmediated access to critical components or functions are considered critical due to the inherent vulnerabilities such components create. Criticality is assessed in terms of the impact of the function or component failure on the ability of the component to complete the organizational missions supported by the information system. A criticality analysis is performed whenever an architecture or design is being developed or modified, including upgrades. Related controls: CP-2, PL-2, PL-8, PM-1, SA-8, SA-12, SA-13, SA-15, SA-20. |
The organization identifies critical information system components and functions by performing a criticality analysis for [Assignment: organization-defined information systems, information system components, or information system services] at [Assignment: organization-defined decision points in the system development life cycle]. |
| CCI-003233 |
The organization requires the developer of the information system, system component, or information system service to follow a documented development process. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service to follow a documented development process. |
The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service to follow a documented development process. |
Development Process, Standards, And Tools |
SA-15 |
SA-15.1 |
Development tools include, for example, programming languages and computer-aided design (CAD) systems. Reviews of development processes can include, for example, the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes enables accurate supply chain risk assessment and mitigation, and requires robust configuration control throughout the life cycle (including design, development, transport, delivery, integration, and maintenance) to track authorized changes and prevent unauthorized changes. Related controls: SA-3, SA-8. |
The organization:
a. Requires the developer of the information system, system component, or information system service to follow a documented development process that:
1. Explicitly addresses security requirements;
2. Identifies the standards and tools used in the development process;
3. Documents the specific tool options and tool configurations used in the development process; and
4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
b. Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements]. |
| CCI-003234 |
The documented information system, system component, or information system service development process explicitly addresses security requirements. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service explicitly addresses security requirements. |
The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service explicitly addresses security requirements. |
Development Process, Standards, And Tools |
SA-15 |
SA-15.2 |
Development tools include, for example, programming languages and computer-aided design (CAD) systems. Reviews of development processes can include, for example, the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes enables accurate supply chain risk assessment and mitigation, and requires robust configuration control throughout the life cycle (including design, development, transport, delivery, integration, and maintenance) to track authorized changes and prevent unauthorized changes. Related controls: SA-3, SA-8. |
The organization:
a. Requires the developer of the information system, system component, or information system service to follow a documented development process that:
1. Explicitly addresses security requirements;
2. Identifies the standards and tools used in the development process;
3. Documents the specific tool options and tool configurations used in the development process; and
4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
b. Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements]. |
| CCI-003235 |
The documented information system, system component, or information system service development process identifies the standards used in the development process. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service identifies the standards used in the development process. |
The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service identifies the standards used in the development process, for example, programming languages and computer-aided design (CAD) systems. |
Development Process, Standards, And Tools |
SA-15 |
SA-15.3 |
Development tools include, for example, programming languages and computer-aided design (CAD) systems. Reviews of development processes can include, for example, the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes enables accurate supply chain risk assessment and mitigation, and requires robust configuration control throughout the life cycle (including design, development, transport, delivery, integration, and maintenance) to track authorized changes and prevent unauthorized changes. Related controls: SA-3, SA-8. |
The organization:
a. Requires the developer of the information system, system component, or information system service to follow a documented development process that:
1. Explicitly addresses security requirements;
2. Identifies the standards and tools used in the development process;
3. Documents the specific tool options and tool configurations used in the development process; and
4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
b. Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements]. |
| CCI-003236 |
The documented information system, system component, or information system service development process identifies the tools used in the development process. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service identifies the tools used in the development process. |
The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service identifies the tools used in the development process, for example, programming languages and computer-aided design (CAD) systems. |
Development Process, Standards, And Tools |
SA-15 |
SA-15.4 |
Development tools include, for example, programming languages and computer-aided design (CAD) systems. Reviews of development processes can include, for example, the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes enables accurate supply chain risk assessment and mitigation, and requires robust configuration control throughout the life cycle (including design, development, transport, delivery, integration, and maintenance) to track authorized changes and prevent unauthorized changes. Related controls: SA-3, SA-8. |
The organization:
a. Requires the developer of the information system, system component, or information system service to follow a documented development process that:
1. Explicitly addresses security requirements;
2. Identifies the standards and tools used in the development process;
3. Documents the specific tool options and tool configurations used in the development process; and
4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
b. Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements]. |
| CCI-003237 |
The documented information system, system component, or information system service development process documents the specific tool options and tool configurations used in the development process. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service documents the specific tool options and tool configurations used in the development process. |
The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service documents the specific tool options and tool configurations used in the development process. |
Development Process, Standards, And Tools |
SA-15 |
SA-15.5 |
Development tools include, for example, programming languages and computer-aided design (CAD) systems. Reviews of development processes can include, for example, the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes enables accurate supply chain risk assessment and mitigation, and requires robust configuration control throughout the life cycle (including design, development, transport, delivery, integration, and maintenance) to track authorized changes and prevent unauthorized changes. Related controls: SA-3, SA-8. |
The organization:
a. Requires the developer of the information system, system component, or information system service to follow a documented development process that:
1. Explicitly addresses security requirements;
2. Identifies the standards and tools used in the development process;
3. Documents the specific tool options and tool configurations used in the development process; and
4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
b. Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements]. |
| CCI-003238 |
The documented information system, system component, or information system service development process documents changes to the process and/or tools used in development. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service documents changes to the process and/or tools used in development. |
The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service documents changes to the process and/or tools used in development. |
Development Process, Standards, And Tools |
SA-15 |
SA-15.6 |
Development tools include, for example, programming languages and computer-aided design (CAD) systems. Reviews of development processes can include, for example, the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes enables accurate supply chain risk assessment and mitigation, and requires robust configuration control throughout the life cycle (including design, development, transport, delivery, integration, and maintenance) to track authorized changes and prevent unauthorized changes. Related controls: SA-3, SA-8. |
The organization:
a. Requires the developer of the information system, system component, or information system service to follow a documented development process that:
1. Explicitly addresses security requirements;
2. Identifies the standards and tools used in the development process;
3. Documents the specific tool options and tool configurations used in the development process; and
4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
b. Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements]. |
| CCI-003239 |
The documented information system, system component, or information system service development process manages changes to the process and/or tools used in development. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service document a process to manage changes to the process and/or tools used in development. |
The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service document a process to manage changes to the process and/or tools used in development. |
Development Process, Standards, And Tools |
SA-15 |
SA-15.7 |
Development tools include, for example, programming languages and computer-aided design (CAD) systems. Reviews of development processes can include, for example, the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes enables accurate supply chain risk assessment and mitigation, and requires robust configuration control throughout the life cycle (including design, development, transport, delivery, integration, and maintenance) to track authorized changes and prevent unauthorized changes. Related controls: SA-3, SA-8. |
The organization:
a. Requires the developer of the information system, system component, or information system service to follow a documented development process that:
1. Explicitly addresses security requirements;
2. Identifies the standards and tools used in the development process;
3. Documents the specific tool options and tool configurations used in the development process; and
4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
b. Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements]. |
| CCI-003240 |
The documented information system, system component, or information system service development process ensures the integrity of changes to the process and/or tools used in development. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service document the integrity of changes to the process and/or tools used in development. |
The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service document the integrity of changes to the process and/or tools used in development. |
Development Process, Standards, And Tools |
SA-15 |
SA-15.8 |
Development tools include, for example, programming languages and computer-aided design (CAD) systems. Reviews of development processes can include, for example, the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes enables accurate supply chain risk assessment and mitigation, and requires robust configuration control throughout the life cycle (including design, development, transport, delivery, integration, and maintenance) to track authorized changes and prevent unauthorized changes. Related controls: SA-3, SA-8. |
The organization:
a. Requires the developer of the information system, system component, or information system service to follow a documented development process that:
1. Explicitly addresses security requirements;
2. Identifies the standards and tools used in the development process;
3. Documents the specific tool options and tool configurations used in the development process; and
4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
b. Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements]. |
| CCI-003241 |
The organization reviews the development process in accordance with organization-defined frequency to determine if the development process selected and employed can satisfy organization-defined security requirements. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of reviews to ensure the organization being inspected/assessed reviews the development process before first use and annually thereafter to determine if the development process selected and employed can satisfy the security requirements defined in SA-15, CCI 3246.
DoD has defined the frequency as before first use and annually thereafter. |
The organization being inspected/assessed documents and implements a process to review the development process before first use and annually thereafter to determine if the development process selected and employed can satisfy the security requirements defined in SA-15, CCI 3246. Reviews of development processes can include, for example, the use of capability maturity model integration (CMMI) to determine the potential effectiveness of such processes.
The organization must maintain a record of reviews.
DoD has defined the frequency as before first use and annually thereafter. |
Development Process, Standards, And Tools |
SA-15 |
SA-15.9 |
Development tools include, for example, programming languages and computer-aided design (CAD) systems. Reviews of development processes can include, for example, the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes enables accurate supply chain risk assessment and mitigation, and requires robust configuration control throughout the life cycle (including design, development, transport, delivery, integration, and maintenance) to track authorized changes and prevent unauthorized changes. Related controls: SA-3, SA-8. |
The organization:
a. Requires the developer of the information system, system component, or information system service to follow a documented development process that:
1. Explicitly addresses security requirements;
2. Identifies the standards and tools used in the development process;
3. Documents the specific tool options and tool configurations used in the development process; and
4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
b. Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements]. |
| CCI-003242 |
The organization reviews the development standards in accordance with organization-defined frequency to determine if the development standards selected and employed can satisfy organization-defined security requirements. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of reviews to ensure the organization being inspected/assessed reviews the development standards before first use and annually thereafter to determine if the development standards selected and employed can satisfy the security requirements defined in SA-15, CCI 3246.
DoD has defined the frequency as before first use and annually thereafter. |
The organization being inspected/assessed documents and implements a process to review the development standards before first use and annually thereafter to determine if the development standards selected and employed can satisfy the security requirements defined in SA-15, CCI 3246.
The organization must maintain a record of reviews.
DoD has defined the frequency as before first use and annually thereafter. |
Development Process, Standards, And Tools |
SA-15 |
SA-15.10 |
Development tools include, for example, programming languages and computer-aided design (CAD) systems. Reviews of development processes can include, for example, the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes enables accurate supply chain risk assessment and mitigation, and requires robust configuration control throughout the life cycle (including design, development, transport, delivery, integration, and maintenance) to track authorized changes and prevent unauthorized changes. Related controls: SA-3, SA-8. |
The organization:
a. Requires the developer of the information system, system component, or information system service to follow a documented development process that:
1. Explicitly addresses security requirements;
2. Identifies the standards and tools used in the development process;
3. Documents the specific tool options and tool configurations used in the development process; and
4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
b. Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements]. |
| CCI-003243 |
The organization reviews the development tools in accordance with organization-defined frequency to determine if the development tools selected and employed can satisfy organization-defined security requirements. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of reviews to ensure the organization being inspected/assessed reviews the development tools before first use and annually thereafter to determine if the development tools selected and employed can satisfy the security requirements defined in SA-15, CCI 3246.
DoD has defined the frequency as before first use and annually thereafter. |
The organization being inspected/assessed documents and implements a process to review the development tools before first use and annually thereafter to determine if the development tools selected and employed can satisfy the security requirements defined in SA-15, CCI 3246.
The organization must maintain a record of reviews.
DoD has defined the frequency as before first use and annually thereafter. |
Development Process, Standards, And Tools |
SA-15 |
SA-15.11 |
Development tools include, for example, programming languages and computer-aided design (CAD) systems. Reviews of development processes can include, for example, the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes enables accurate supply chain risk assessment and mitigation, and requires robust configuration control throughout the life cycle (including design, development, transport, delivery, integration, and maintenance) to track authorized changes and prevent unauthorized changes. Related controls: SA-3, SA-8. |
The organization:
a. Requires the developer of the information system, system component, or information system service to follow a documented development process that:
1. Explicitly addresses security requirements;
2. Identifies the standards and tools used in the development process;
3. Documents the specific tool options and tool configurations used in the development process; and
4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
b. Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements]. |
| CCI-003244 |
The organization reviews the development tool options/configurations in accordance with organization-defined frequency to determine if the development tool options/configurations selected and employed can satisfy organization-defined security requirements. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of reviews to ensure the organization being inspected/assessed reviews the development tool options/configurations before first use and annually thereafter to determine if the development tool options/configurations selected and employed can satisfy the security requirements defined in SA-15, CCI 3246.
DoD has defined the frequency as before first use and annually thereafter. |
The organization being inspected/assessed documents and implements a process to review the development tool options/configurations before first use and annually thereafter to determine if the development tool options/configurations selected and employed can satisfy the security requirements defined in SA-15, CCI 3246.
The organization must maintain a record of reviews.
DoD has defined the frequency as before first use and annually thereafter. |
Development Process, Standards, And Tools |
SA-15 |
SA-15.12 |
Development tools include, for example, programming languages and computer-aided design (CAD) systems. Reviews of development processes can include, for example, the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes enables accurate supply chain risk assessment and mitigation, and requires robust configuration control throughout the life cycle (including design, development, transport, delivery, integration, and maintenance) to track authorized changes and prevent unauthorized changes. Related controls: SA-3, SA-8. |
The organization:
a. Requires the developer of the information system, system component, or information system service to follow a documented development process that:
1. Explicitly addresses security requirements;
2. Identifies the standards and tools used in the development process;
3. Documents the specific tool options and tool configurations used in the development process; and
4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
b. Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements]. |
| CCI-003245 |
The organization defines the frequency on which to review the development process, standards, tools, and tool options/configurations to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy organization-defined security requirements. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as before first use and annually thereafter. |
DoD has defined the frequency as before first use and annually thereafter. |
Development Process, Standards, And Tools |
SA-15 |
SA-15.13 |
Development tools include, for example, programming languages and computer-aided design (CAD) systems. Reviews of development processes can include, for example, the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes enables accurate supply chain risk assessment and mitigation, and requires robust configuration control throughout the life cycle (including design, development, transport, delivery, integration, and maintenance) to track authorized changes and prevent unauthorized changes. Related controls: SA-3, SA-8. |
The organization:
a. Requires the developer of the information system, system component, or information system service to follow a documented development process that:
1. Explicitly addresses security requirements;
2. Identifies the standards and tools used in the development process;
3. Documents the specific tool options and tool configurations used in the development process; and
4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
b. Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements]. |
| CCI-003246 |
The organization defines the security requirements that must be satisfied by conducting a review of the development process, standards, tools, and tool options/configurations. |
The organization conducting the inspection/assessment obtains and examines the documented security requirements to ensure the organization being inspected/assessed defines the security requirements that must be satisfied by conducting a review of the development process, standards, tools, and tool options/configurations.
DoD has determined the security requirements are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security requirements that must be satisfied by conducting a review of the development process, standards, tools, and tool options/configurations.
DoD has determined the security requirements are not appropriate to define at the Enterprise level. |
Development Process, Standards, And Tools |
SA-15 |
SA-15.14 |
Development tools include, for example, programming languages and computer-aided design (CAD) systems. Reviews of development processes can include, for example, the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes enables accurate supply chain risk assessment and mitigation, and requires robust configuration control throughout the life cycle (including design, development, transport, delivery, integration, and maintenance) to track authorized changes and prevent unauthorized changes. Related controls: SA-3, SA-8. |
The organization:
a. Requires the developer of the information system, system component, or information system service to follow a documented development process that:
1. Explicitly addresses security requirements;
2. Identifies the standards and tools used in the development process;
3. Documents the specific tool options and tool configurations used in the development process; and
4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
b. Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements]. |
| CCI-003247 |
The organization requires the developer of the information system, system component, or information system service to define quality metrics at the beginning of the development process. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service define quality metrics at the beginning of the development process. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service define quality metrics at the beginning of the development process. |
Development Process, Standards, And Tools | Quality Metrics |
SA-15 (1) |
SA-15(1).1 |
Organizations use quality metrics to establish minimum acceptable levels of information system quality. Metrics may include quality gates which are collections of completion criteria or sufficiency standards representing the satisfactory execution of particular phases of the system development project. A quality gate, for example, may require the elimination of all compiler warnings or an explicit determination that the warnings have no impact on the effectiveness of required security capabilities. During the execution phases of development projects, quality gates provide clear, unambiguous indications of progress. Other metrics apply to the entire development project. These metrics can include defining the severity thresholds of vulnerabilities, for example, requiring no known vulnerabilities in the delivered information system with a Common Vulnerability Scoring System (CVSS) severity of Medium or High. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Define quality metrics at the beginning of the development process; and
(b) Provide evidence of meeting the quality metrics [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined program review milestones]; upon delivery]. |
| CCI-003248 |
The organization requires the developer of the information system, system component, or information system service to provide evidence of meeting the quality metrics in accordance with organization-defined frequency, organization-defined program review milestones and/or upon delivery. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service provide evidence of meeting the quality metrics in accordance with the frequency defined in SA-15 (1), CCI 3249, at a minimum, program review milestones IAW DoD Memorandum "Document Streamlining - Program Protection Plan (PPP)" and/or upon delivery.
DoD has defined the program review milestones as at a minimum, program review milestones IAW DoD Memorandum "Document Streamlining - Program Protection Plan (PPP)." |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service provide evidence of meeting the quality metrics in accordance with the frequency defined in SA-15 (1), CCI 3249, at a minimum, program review milestones IAW DoD Memorandum "Document Streamlining - Program Protection Plan (PPP)" and/or upon delivery.
DoD has defined the program review milestones as at a minimum, program review milestones IAW DoD Memorandum "Document Streamlining - Program Protection Plan (PPP)." |
Development Process, Standards, And Tools | Quality Metrics |
SA-15 (1) |
SA-15(1).2 |
Organizations use quality metrics to establish minimum acceptable levels of information system quality. Metrics may include quality gates which are collections of completion criteria or sufficiency standards representing the satisfactory execution of particular phases of the system development project. A quality gate, for example, may require the elimination of all compiler warnings or an explicit determination that the warnings have no impact on the effectiveness of required security capabilities. During the execution phases of development projects, quality gates provide clear, unambiguous indications of progress. Other metrics apply to the entire development project. These metrics can include defining the severity thresholds of vulnerabilities, for example, requiring no known vulnerabilities in the delivered information system with a Common Vulnerability Scoring System (CVSS) severity of Medium or High. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Define quality metrics at the beginning of the development process; and
(b) Provide evidence of meeting the quality metrics [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined program review milestones]; upon delivery]. |
| CCI-003249 |
The organization defines the frequency on which the developer of the information system, system component, or information system service is required to provide evidence of meeting the quality metrics. |
The organization conducting the inspection/assessment obtains and examines the documented frequency to ensure the organization being inspected/assessed defines the frequency that is required by the developer of the information system, system component, or information system service to provide evidence of meeting the quality metrics.
DoD has determined the frequency is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the frequency that is required by the developer of the information system, system component, or information system service to provide evidence of meeting the quality metrics.
DoD has determined the frequency is not appropriate to define at the Enterprise level. |
Development Process, Standards, And Tools | Quality Metrics |
SA-15 (1) |
SA-15(1).3 |
Organizations use quality metrics to establish minimum acceptable levels of information system quality. Metrics may include quality gates which are collections of completion criteria or sufficiency standards representing the satisfactory execution of particular phases of the system development project. A quality gate, for example, may require the elimination of all compiler warnings or an explicit determination that the warnings have no impact on the effectiveness of required security capabilities. During the execution phases of development projects, quality gates provide clear, unambiguous indications of progress. Other metrics apply to the entire development project. These metrics can include defining the severity thresholds of vulnerabilities, for example, requiring no known vulnerabilities in the delivered information system with a Common Vulnerability Scoring System (CVSS) severity of Medium or High. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Define quality metrics at the beginning of the development process; and
(b) Provide evidence of meeting the quality metrics [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined program review milestones]; upon delivery]. |
| CCI-003250 |
The organization defines the program review milestones at which the developer of the information system, system component, or information system service is required to provide evidence of meeting the quality metrics. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the program review milestones as at a minimum, program review milestones IAW DoD Memorandum "Document Streamlining - Program Protection Plan (PPP)." |
DoD has defined the program review milestones as at a minimum, program review milestones IAW DoD Memorandum "Document Streamlining - Program Protection Plan (PPP)." |
Development Process, Standards, And Tools | Quality Metrics |
SA-15 (1) |
SA-15(1).4 |
Organizations use quality metrics to establish minimum acceptable levels of information system quality. Metrics may include quality gates which are collections of completion criteria or sufficiency standards representing the satisfactory execution of particular phases of the system development project. A quality gate, for example, may require the elimination of all compiler warnings or an explicit determination that the warnings have no impact on the effectiveness of required security capabilities. During the execution phases of development projects, quality gates provide clear, unambiguous indications of progress. Other metrics apply to the entire development project. These metrics can include defining the severity thresholds of vulnerabilities, for example, requiring no known vulnerabilities in the delivered information system with a Common Vulnerability Scoring System (CVSS) severity of Medium or High. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Define quality metrics at the beginning of the development process; and
(b) Provide evidence of meeting the quality metrics [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined program review milestones]; upon delivery]. |
| CCI-003251 |
The organization requires the developer of the information system, system component, or information system service to select a security tracking tool for use during the development process. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service select a security tracking tool for use during the development process. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service select a security tracking tool for use during the development process. |
Development Process, Standards, And Tools | Security Tracking Tools |
SA-15 (2) |
SA-15(2).1 |
Information system development teams select and deploy security tracking tools, including, for example, vulnerability/work item tracking systems that facilitate assignment, sorting, filtering, and tracking of completed work items or tasks associated with system development processes. |
The organization requires the developer of the information system, system component, or information system service to select and employ a security tracking tool for use during the development process. |
| CCI-003252 |
The organization requires the developer of the information system, system component, or information system service to employ a security tracking tool for use during the development process. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service employ a security tracking tool for use during the development process. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service employ a security tracking tool for use during the development process. |
Development Process, Standards, And Tools | Security Tracking Tools |
SA-15 (2) |
SA-15(2).2 |
Information system development teams select and deploy security tracking tools, including, for example, vulnerability/work item tracking systems that facilitate assignment, sorting, filtering, and tracking of completed work items or tasks associated with system development processes. |
The organization requires the developer of the information system, system component, or information system service to select and employ a security tracking tool for use during the development process. |
| CCI-003253 |
The organization requires the developer of the information system, system component, or information system service to perform a criticality analysis at an organization-defined breadth/depth and at organization-defined decision points in the system development life cycle. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service perform a criticality analysis at the breadth/depth IAW DoDI 5200.44. |
The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service perform a criticality analysis at the breadth/depth IAW DoDI 5200.44.
The organization should develop Request for Proposals (RFPs) and other contract language that require contractors to perform Criticality Analyses (CAs) periodically. Developer input into criticality analysis provides detailed design documentation for information system components (e.g., functional specifications, high-level designs, low-level designs, and source code/hardware schematics). Criticality Analysis should be conducted in accordance with the DoDI 5200.44 and the DoDI 5000.2.
Once the program has identified critical functions through the criticality analysis, the program systems engineers and SSEs can use the results along with the vulnerability assessment and threat assessment to determine the risk.
The organization should reference the Defense Acquisition Guidebook (DAG) Chapter 13 for more information. |
Development Process, Standards, And Tools | Criticality Analysis |
SA-15 (3) |
SA-15(3).1 |
This control enhancement provides developer input to the criticality analysis performed by organizations in SA-14. Developer input is essential to such analysis because organizations may not have access to detailed design documentation for information system components that are developed as commercial off-the-shelf (COTS) information technology products (e.g., functional specifications, high-level designs, low-level designs, and source code/hardware schematics). Related controls: SA-4, SA-14. |
The organization requires the developer of the information system, system component, or information system service to perform a criticality analysis at [Assignment: organization-defined breadth/depth] and at [Assignment: organization-defined decision points in the system development life cycle].
|
| CCI-003254 |
The organization defines the breadth/depth at which the developer of the information system, system component, or information system service is required to perform a criticality analysis. |
The organization conducting the inspection/assessment obtains and examines the documented breadth/depth to ensure the organization being inspected/assessed defines the breadth/depth the developer of the information system, system component, or information system service is required to perform a criticality analysis IAW DoDI 5200.44.
DoD has determined the breadth/depth are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the breadth/depth the developer of the information system, system component, or information system service is required to perform a criticality analysis IAW DoDI 5200.44.
The criticality analysis allows a program to focus attention (and resources) on the system capabilities, mission-critical functions that matter most. Mission-critical functions are those functions of the system that, if corrupted or disabled, would likely lead to mission failure or degradation. Mission-critical components are primarily the elements of the system (hardware, software, and firmware) that implement critical functions; however, system components that perform defensive functions to protect inherently critical components and other components with unmediated access to inherently critical components, may themselves be mission critical.
Criticality analysis is the primary method by which a program identifies mission-critical functions and associated components. Criticality analysis includes the following iterative steps:
1. Identify and group mission threads.
2. Decompose the mission threads into their mission-critical functions and assign them criticality levels.
3. Map the mission-critical functions to the system architecture and identify the defined system components (hardware, software, and firmware) that implement those functions (i.e., components that are critical to the mission effectiveness of the system or an interfaced network).
4. Allocate criticality levels to those components that have been defined.
Criticality levels are determined by assessing the relative impact on the system's ability to complete its mission if the function and associated component fails. Level I is total mission failure, Level II is significant/unacceptable degradation, Level III is partial/acceptable, and Level IV is negligible.
The organization should reference the Defense Acquisition Guidebook (DAG) Chapter 13 for more information.
DoD has determined the breadth/depth are not appropriate to define at the Enterprise level. |
Development Process, Standards, And Tools | Criticality Analysis |
SA-15 (3) |
SA-15(3).2 |
This control enhancement provides developer input to the criticality analysis performed by organizations in SA-14. Developer input is essential to such analysis because organizations may not have access to detailed design documentation for information system components that are developed as commercial off-the-shelf (COTS) information technology products (e.g., functional specifications, high-level designs, low-level designs, and source code/hardware schematics). Related controls: SA-4, SA-14. |
The organization requires the developer of the information system, system component, or information system service to perform a criticality analysis at [Assignment: organization-defined breadth/depth] and at [Assignment: organization-defined decision points in the system development life cycle].
|
| CCI-003255 |
The organization defines decision points in the system development life cycle at which the developer of the information system, system component, or information system service is required to perform a criticality analysis. |
The organization conducting the inspection/assessment obtains and examines the documented decision points to ensure the organization being inspected/assessed defines decision points in the system development life cycle the developer of the information system, system component, or information system service is required to perform a criticality analysis IAW DoDI 5200.44 and DoDI 5000.2.
DoD has determined the decision points are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents decision points in the system development life cycle the developer of the information system, system component, or information system service is required to perform a criticality analysis IAW DoDI 5200.44 and DoDI 5000.2.
Criticality analysis is an iterative process that should be performed whenever an architecture or design is being developed or modified and executed across the acquisition lifecycle, building on growing maturity and updated information.
Criticality analysis is performed throughout the acquisition life cycle. As a minimum, the developer should support the performing and update a criticality analysis, along with the threat assessment, vulnerability assessment, risk assessment, cost-benefit trade-off and countermeasure selection, before each technical review. |
Development Process, Standards, And Tools | Criticality Analysis |
SA-15 (3) |
SA-15(3).3 |
This control enhancement provides developer input to the criticality analysis performed by organizations in SA-14. Developer input is essential to such analysis because organizations may not have access to detailed design documentation for information system components that are developed as commercial off-the-shelf (COTS) information technology products (e.g., functional specifications, high-level designs, low-level designs, and source code/hardware schematics). Related controls: SA-4, SA-14. |
The organization requires the developer of the information system, system component, or information system service to perform a criticality analysis at [Assignment: organization-defined breadth/depth] and at [Assignment: organization-defined decision points in the system development life cycle].
|
| CCI-003256 |
The organization requires that developers perform threat modeling for the information system at an organization-defined breadth/depth. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developers perform threat modeling for the information system at the breadth/depth defined in SA-15 (4), CCI 3258. |
The organization being inspected/assessed requires within contracts/agreements that the developers perform threat modeling for the information system at the breadth/depth defined in SA-15 (4), CCI 3258. |
Development Process, Standards, And Tools | Threat Modeling / Vulnerability Analysis |
SA-15 (4) |
SA-15(4).1 |
Related control: SA-4. |
The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at [Assignment: organization-defined breadth/depth] that:
(a) Uses [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels];
(b) Employs [Assignment: organization-defined tools and methods]; and
(c) Produces evidence that meets [Assignment: organization-defined acceptance criteria]. |
| CCI-003257 |
The organization requires that developers perform a vulnerability analysis for the information system at an organization-defined breadth/depth. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developers perform a vulnerability analysis for the information system at the breadth/depth defined in SA-15 (4), CCI 3259. |
The organization being inspected/assessed requires within contracts/agreements that the developers perform a vulnerability analysis for the information system at the breadth/depth defined in SA-15 (4), CCI 3259 to inform design or implementation changes and resulting vulnerabilities are accounted for during development. Vulnerability analysis should consider a review of system design and may include static analyses, dynamic analyses, simulations, and penetration testing. The developer should document the type of vulnerability analysis that was performed, the results (including defects) and any follow on actions. |
Development Process, Standards, And Tools | Threat Modeling / Vulnerability Analysis |
SA-15 (4) |
SA-15(4).2 |
Related control: SA-4. |
The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at [Assignment: organization-defined breadth/depth] that:
(a) Uses [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels];
(b) Employs [Assignment: organization-defined tools and methods]; and
(c) Produces evidence that meets [Assignment: organization-defined acceptance criteria]. |
| CCI-003258 |
The organization defines the breadth/depth at which threat modeling for the information system must be performed by developers. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developers perform threat modeling for the information system at the breadth/depth defined in SA-15 (4), CCI 3258. |
The organization being inspected/assessed requires within contracts/agreements that the developers perform threat modeling for the information system at the breadth/depth defined in SA-15 (4), CCI 3258. |
Development Process, Standards, And Tools | Threat Modeling / Vulnerability Analysis |
SA-15 (4) |
SA-15(4).3 |
Related control: SA-4. |
The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at [Assignment: organization-defined breadth/depth] that:
(a) Uses [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels];
(b) Employs [Assignment: organization-defined tools and methods]; and
(c) Produces evidence that meets [Assignment: organization-defined acceptance criteria]. |
| CCI-003259 |
The organization defines the breadth/depth at which vulnerability analysis for the information system must be performed by developers. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developers perform a vulnerability analysis for the information system at the breadth/depth defined in SA-15 (4), CCI 3259. |
The organization being inspected/assessed requires within contracts/agreements that the developers perform a vulnerability analysis for the information system at the breadth/depth defined in SA-15 (4), CCI 3259 to inform design or implementation changes and resulting vulnerabilities are accounted for during development. Vulnerability analysis should consider a review of system design and may include static analyses, dynamic analyses, simulations, and penetration testing. The developer should document the type of vulnerability analysis that was performed, the results (including defects) and any follow on actions. |
Development Process, Standards, And Tools | Threat Modeling / Vulnerability Analysis |
SA-15 (4) |
SA-15(4).4 |
Related control: SA-4. |
The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at [Assignment: organization-defined breadth/depth] that:
(a) Uses [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels];
(b) Employs [Assignment: organization-defined tools and methods]; and
(c) Produces evidence that meets [Assignment: organization-defined acceptance criteria]. |
| CCI-003260 |
Threat modeling performed by the developer for the information system uses organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed documents within their contracts/agreements, their requirement that the developer's threat modeling include the use of information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels defined in SA-15 (4), CCI 3262. |
The organization being inspected/assessed requires within contracts/agreements that the developer's threat modeling include the use of information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels defined in SA-15 (4), CCI 3262. |
Development Process, Standards, And Tools | Threat Modeling / Vulnerability Analysis |
SA-15 (4) |
SA-15(4).5 |
Related control: SA-4. |
The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at [Assignment: organization-defined breadth/depth] that:
(a) Uses [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels];
(b) Employs [Assignment: organization-defined tools and methods]; and
(c) Produces evidence that meets [Assignment: organization-defined acceptance criteria]. |
| CCI-003261 |
Vulnerability analysis performed by the developer for the information system uses organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed documents within their contracts/agreements, their requirement that the developer's vulnerability analysis include the use of information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels defined in SA-15 (4), CCI 3263. |
The organization being inspected/assessed requires within contracts/agreements that the developer's vulnerability analysis include the use of information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels defined in SA-15 (4), CCI 3263. Vulnerability analysis should consider a review of system design and may include static analyses, dynamic analyses, simulations, and penetration testing. The developer should document the type of vulnerability analysis that was performed, the results (including defects) and any follow on actions. |
Development Process, Standards, And Tools | Threat Modeling / Vulnerability Analysis |
SA-15 (4) |
SA-15(4).6 |
Related control: SA-4. |
The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at [Assignment: organization-defined breadth/depth] that:
(a) Uses [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels];
(b) Employs [Assignment: organization-defined tools and methods]; and
(c) Produces evidence that meets [Assignment: organization-defined acceptance criteria]. |
| CCI-003262 |
The organization defines information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels to be used to perform threat modeling for the information system by the developer. |
The organization conducting the inspection/assessment obtains and examines the documented information to ensure the organization being inspected/assessed defines information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels to be used to perform threat modeling for the information system by the developer.
DoD has determined the information is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels to be used to perform threat modeling for the information system by the developer.
DoD has determined the information is not appropriate to define at the Enterprise level. |
Development Process, Standards, And Tools | Threat Modeling / Vulnerability Analysis |
SA-15 (4) |
SA-15(4).7 |
Related control: SA-4. |
The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at [Assignment: organization-defined breadth/depth] that:
(a) Uses [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels];
(b) Employs [Assignment: organization-defined tools and methods]; and
(c) Produces evidence that meets [Assignment: organization-defined acceptance criteria]. |
| CCI-003263 |
The organization defines information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels to be used to perform a vulnerability analysis for the information system by the developer. |
The organization conducting the inspection/assessment obtains and examines the documented information to ensure the organization being inspected/assessed defines information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels to be used to perform a vulnerability analysis for the information system by the developer.
DoD has determined the information is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels to be used to perform a vulnerability analysis for the information system by the developer.
DoD has determined the information is not appropriate to define at the Enterprise level. |
Development Process, Standards, And Tools | Threat Modeling / Vulnerability Analysis |
SA-15 (4) |
SA-15(4).8 |
Related control: SA-4. |
The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at [Assignment: organization-defined breadth/depth] that:
(a) Uses [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels];
(b) Employs [Assignment: organization-defined tools and methods]; and
(c) Produces evidence that meets [Assignment: organization-defined acceptance criteria]. |
| CCI-003264 |
The organization requires the threat modeling performed by the developers employ organization-defined tools and methods. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the threat modeling performed by the developers employ the tools and methods defined in SA-15 (4), CCI 3266. |
The organization being inspected/assessed requires within contracts/agreements that the threat modeling performed by the developers employ the tools and methods defined in SA-15 (4), CCI 3266. |
Development Process, Standards, And Tools | Threat Modeling / Vulnerability Analysis |
SA-15 (4) |
SA-15(4).9 |
Related control: SA-4. |
The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at [Assignment: organization-defined breadth/depth] that:
(a) Uses [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels];
(b) Employs [Assignment: organization-defined tools and methods]; and
(c) Produces evidence that meets [Assignment: organization-defined acceptance criteria]. |
| CCI-003265 |
The organization requires the vulnerability analysis performed by the developers employ organization-defined tools and methods. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the vulnerability analysis performed by the developers employ the tools and methods defined in SA-15 (4), CCI 3267. |
The organization being inspected/assessed requires within contracts/agreements that the vulnerability analysis performed by the developers employ the tools and methods defined in SA-15 (4), CCI 3267. |
Development Process, Standards, And Tools | Threat Modeling / Vulnerability Analysis |
SA-15 (4) |
SA-15(4).10 |
Related control: SA-4. |
The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at [Assignment: organization-defined breadth/depth] that:
(a) Uses [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels];
(b) Employs [Assignment: organization-defined tools and methods]; and
(c) Produces evidence that meets [Assignment: organization-defined acceptance criteria]. |
| CCI-003266 |
The organization defines tools and methods to be employed to perform threat modeling for the information system by the developer. |
The organization conducting the inspection/assessment obtains and examines the documented tools and methods to ensure the organization being inspected/assessed defines tools and methods to be employed to perform threat modeling for the information system by the developer.
DoD has determined the tools and methods are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents tools and methods to be employed to perform threat modeling for the information system by the developer.
DoD has determined the tools and methods are not appropriate to define at the Enterprise level. |
Development Process, Standards, And Tools | Threat Modeling / Vulnerability Analysis |
SA-15 (4) |
SA-15(4).11 |
Related control: SA-4. |
The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at [Assignment: organization-defined breadth/depth] that:
(a) Uses [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels];
(b) Employs [Assignment: organization-defined tools and methods]; and
(c) Produces evidence that meets [Assignment: organization-defined acceptance criteria]. |
| CCI-003267 |
The organization defines tools and methods to be employed to perform a vulnerability analysis for the information system by the developer. |
The organization conducting the inspection/assessment obtains and examines the documented tools and methods to ensure the organization being inspected/assessed defines tools and methods to be employed to perform a vulnerability analysis for the information system by the developer.
DoD has determined the tools and methods are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents tools and methods to be employed to perform a vulnerability analysis for the information system by the developer.
DoD has determined the tools and methods are not appropriate to define at the Enterprise level. |
Development Process, Standards, And Tools | Threat Modeling / Vulnerability Analysis |
SA-15 (4) |
SA-15(4).12 |
Related control: SA-4. |
The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at [Assignment: organization-defined breadth/depth] that:
(a) Uses [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels];
(b) Employs [Assignment: organization-defined tools and methods]; and
(c) Produces evidence that meets [Assignment: organization-defined acceptance criteria]. |
| CCI-003268 |
The organization requires that developers performing threat modeling for the information system produce evidence that meets organization-defined acceptance criteria. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developers performing threat modeling for the information system produces evidence that meet the acceptance criteria defined in SA-15 (4), CCI 3270. |
The organization being inspected/assessed requires within contracts/agreements that the developers performing threat modeling for the information system produces evidence that meet the acceptance criteria defined in SA-15 (4), CCI 3270. |
Development Process, Standards, And Tools | Threat Modeling / Vulnerability Analysis |
SA-15 (4) |
SA-15(4).13 |
Related control: SA-4. |
The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at [Assignment: organization-defined breadth/depth] that:
(a) Uses [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels];
(b) Employs [Assignment: organization-defined tools and methods]; and
(c) Produces evidence that meets [Assignment: organization-defined acceptance criteria]. |
| CCI-003269 |
The organization requires that developers performing vulnerability analysis for the information system produce evidence that meets organization-defined acceptance criteria. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the vulnerability analysis performed by the developers performing vulnerability analysis for the information system produces evidence that meet the acceptance criteria defined in SA-15 (4), CCI 3271. |
The organization being inspected/assessed requires within contracts/agreements that the developers performing vulnerability analysis for the information system produces evidence that meet the acceptance criteria defined in SA-15 (4), CCI 3271. |
Development Process, Standards, And Tools | Threat Modeling / Vulnerability Analysis |
SA-15 (4) |
SA-15(4).14 |
Related control: SA-4. |
The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at [Assignment: organization-defined breadth/depth] that:
(a) Uses [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels];
(b) Employs [Assignment: organization-defined tools and methods]; and
(c) Produces evidence that meets [Assignment: organization-defined acceptance criteria]. |
| CCI-003270 |
The organization defines the acceptance criteria that must be met when threat modeling of the information system is performed by the developer. |
The organization conducting the inspection/assessment obtains and examines the documented acceptance criteria to ensure the organization being inspected/assessed defines the acceptance criteria that must be met when threat modeling of the information system is performed by the developer.
DoD has determined the acceptance criteria is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the acceptance criteria that must be met when threat modeling of the information system is performed by the developer.
DoD has determined the acceptance criteria is not appropriate to define at the Enterprise level. |
Development Process, Standards, And Tools | Threat Modeling / Vulnerability Analysis |
SA-15 (4) |
SA-15(4).15 |
Related control: SA-4. |
The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at [Assignment: organization-defined breadth/depth] that:
(a) Uses [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels];
(b) Employs [Assignment: organization-defined tools and methods]; and
(c) Produces evidence that meets [Assignment: organization-defined acceptance criteria]. |
| CCI-003271 |
The organization defines the acceptance criteria that must be met when vulnerability analysis of the information system is performed by the developer. |
The organization conducting the inspection/assessment obtains and examines the documented acceptance criteria to ensure the organization being inspected/assessed defines the acceptance criteria that must be met when vulnerability analysis of the information system is performed by the developer.
DoD has determined the acceptance criteria is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the acceptance criteria that must be met when vulnerability analysis of the information system is performed by the developer.
DoD has determined the acceptance criteria is not appropriate to define at the Enterprise level. |
Development Process, Standards, And Tools | Threat Modeling / Vulnerability Analysis |
SA-15 (4) |
SA-15(4).16 |
Related control: SA-4. |
The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at [Assignment: organization-defined breadth/depth] that:
(a) Uses [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels];
(b) Employs [Assignment: organization-defined tools and methods]; and
(c) Produces evidence that meets [Assignment: organization-defined acceptance criteria]. |
| CCI-003272 |
The organization requires the developer of the information system, system component, or information system service to reduce attack surfaces to organization-defined thresholds. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service reduce attack surfaces to thresholds defined in SA-15 (5), CCI 3273. |
The organization being inspected/assessed requires the developer to perform attack surface reduction activities to reduce risk to organizations by giving attackers less opportunity to exploit weaknesses or vulnerabilities.
Attack surface reduction may include:
1. Testing and delivering the system with debug options off, or making the debug capabilities inaccessible to unauthorized users;
2. Applying the principle of least privilege;
3. Applying the principle of least functionality (i.e., restricting ports, protocols, functions, and services), deprecating unsafe functions, and eliminating application programming interfaces (APIs) that are vulnerable to cyber attacks; and
4. Employing layered defenses.
5. Using trusted physical delivery mechanisms that do not permit access to the element during delivery (ship via a protected carrier, use cleared/official couriers, or a diplomatic pouch);
6. Using trusted logical delivery of products and services (require downloading from approved, verification-enhanced sites);
7. Avoiding the purchase of custom configurations;
8. Using procurement carve outs (i.e., exclusions to commitments or obligations);
9. Using defensive design approaches;
10. Minimizing the time between purchase decisions and required delivery;
11. Employing a diverse set of suppliers;
12. Employing approved vendor lists with standing reputations in industry;
13. Diversifying and disperse how the product is acquired (e.g. Spot Markets); and
14. Employing inventory management policies and processes. |
Development Process, Standards, And Tools | Attack Surface Reduction |
SA-15 (5) |
SA-15(5).1 |
Attack surface reduction is closely aligned with developer threat and vulnerability analyses and information system architecture and design. Attack surface reduction is a means of reducing risk to organizations by giving attackers less opportunity to exploit weaknesses or deficiencies (i.e., potential vulnerabilities) within information systems, information system components, and information system services. Attack surface reduction includes, for example, applying the principle of least privilege, employing layered defenses, applying the principle of least functionality (i.e., restricting ports, protocols, functions, and services), deprecating unsafe functions, and eliminating application programming interfaces (APIs) that are vulnerable to cyber attacks. Related control: CM-7. |
The organization requires the developer of the information system, system component, or information system service to reduce attack surfaces to [Assignment: organization-defined thresholds]. |
| CCI-003273 |
The organization defines the thresholds to which the developer of the information system, system component, or information system service is required to reduce attack surfaces. |
The organization conducting the inspection/assessment obtains and examines the documented thresholds to ensure the organization being inspected/assessed defines the thresholds that the developer of the information system, system component, or information system service is required to reduce attack surfaces.
DoD has determined the thresholds are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the thresholds that the developer of the information system, system component, or information system service is required to reduce attack surfaces.
DoD has determined the thresholds are not appropriate to define at the Enterprise level. |
Development Process, Standards, And Tools | Attack Surface Reduction |
SA-15 (5) |
SA-15(5).2 |
Attack surface reduction is closely aligned with developer threat and vulnerability analyses and information system architecture and design. Attack surface reduction is a means of reducing risk to organizations by giving attackers less opportunity to exploit weaknesses or deficiencies (i.e., potential vulnerabilities) within information systems, information system components, and information system services. Attack surface reduction includes, for example, applying the principle of least privilege, employing layered defenses, applying the principle of least functionality (i.e., restricting ports, protocols, functions, and services), deprecating unsafe functions, and eliminating application programming interfaces (APIs) that are vulnerable to cyber attacks. Related control: CM-7. |
The organization requires the developer of the information system, system component, or information system service to reduce attack surfaces to [Assignment: organization-defined thresholds]. |
| CCI-003274 |
The organization requires the developer of the information system, system component, or information system service to implement an explicit process to continuously improve the development process. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service implement an explicit process to continuously improve the development process. |
The organization being inspected/assessed documents within contracts/agreements, the requirement that the developer of the information system, system component, or information system service implement an explicit process to continuously improve the development process. |
Development Process, Standards, And Tools | Continuous Improvement |
SA-15 (6) |
SA-15(6).1 |
Developers of information systems, information system components, and information system services consider the effectiveness/efficiency of current development processes for meeting quality objectives and addressing security capabilities in current threat environments. |
The organization requires the developer of the information system, system component, or information system service to implement an explicit process to continuously improve the development process. |
| CCI-003275 |
The organization requires the developer of the information system, system component, or information system services to perform an automated vulnerability analysis using organization-defined tools. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service perform an automated vulnerability analysis using the tools defined in SA-15 (7), CCI 3276. |
The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service perform an automated vulnerability analysis using the tools defined in SA-15 (7), CCI 3276.
The organization should require the developer to perform automated vulnerability analysis which may include dynamic analyses, static analyses, and regression testing tools. Automated testing should be performed in conjunction with manual testing to provide greater levels of analysis. |
Development Process, Standards, And Tools | Automated Vulnerability Analysis |
SA-15 (7) |
SA-15(7).1 |
Related control: RA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Perform an automated vulnerability analysis using [Assignment: organization-defined tools];
(b) Determine the exploitation potential for discovered vulnerabilities;
(c) Determine potential risk mitigations for delivered vulnerabilities; and
(d) Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles]. |
| CCI-003276 |
The organization defines the tools the developer of the information system, system component, or information system services uses to perform an automated vulnerability analysis. |
The organization conducting the inspection/assessment obtains and examines the documented tools to ensure the organization being inspected/assessed defines the tools the developer of the information system, system component, or information system services uses to perform an automated vulnerability analysis.
DoD has determined the tools are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the tools the developer of the information system, system component, or information system services uses to perform an automated vulnerability analysis.
DoD has determined the tools are not appropriate to define at the Enterprise level. |
Development Process, Standards, And Tools | Automated Vulnerability Analysis |
SA-15 (7) |
SA-15(7).2 |
Related control: RA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Perform an automated vulnerability analysis using [Assignment: organization-defined tools];
(b) Determine the exploitation potential for discovered vulnerabilities;
(c) Determine potential risk mitigations for delivered vulnerabilities; and
(d) Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles]. |
| CCI-003277 |
The organization requires the developer of the information system, system component, or information system services to determine the exploitation potential for discovered vulnerabilities. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service determine the exploitation potential for discovered vulnerabilities. |
The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service determine the exploitation potential for discovered vulnerabilities. |
Development Process, Standards, And Tools | Automated Vulnerability Analysis |
SA-15 (7) |
SA-15(7).3 |
Related control: RA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Perform an automated vulnerability analysis using [Assignment: organization-defined tools];
(b) Determine the exploitation potential for discovered vulnerabilities;
(c) Determine potential risk mitigations for delivered vulnerabilities; and
(d) Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles]. |
| CCI-003278 |
The organization requires the developer of the information system, system component, or information system services to determine potential risk mitigations for delivered vulnerabilities. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service determine potential risk mitigations for delivered vulnerabilities. |
The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service determine potential risk mitigations for delivered vulnerabilities. |
Development Process, Standards, And Tools | Automated Vulnerability Analysis |
SA-15 (7) |
SA-15(7).4 |
Related control: RA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Perform an automated vulnerability analysis using [Assignment: organization-defined tools];
(b) Determine the exploitation potential for discovered vulnerabilities;
(c) Determine potential risk mitigations for delivered vulnerabilities; and
(d) Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles]. |
| CCI-003279 |
The organization requires the developer of the information system, system component, or information system services to deliver the outputs of the tools and results of the vulnerability analysis to organization-defined personnel or roles. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service deliver the outputs of the tools and results of the vulnerability analysis to the ISSO, ISSM, and PM.
DoD has defined the personnel or roles as the ISSO, ISSM, and PM. |
The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service deliver the outputs of the tools and results of the vulnerability analysis to the ISSO, ISSM, and PM.
DoD has defined the personnel or roles as the ISSO, ISSM, and PM. |
Development Process, Standards, And Tools | Automated Vulnerability Analysis |
SA-15 (7) |
SA-15(7).5 |
Related control: RA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Perform an automated vulnerability analysis using [Assignment: organization-defined tools];
(b) Determine the exploitation potential for discovered vulnerabilities;
(c) Determine potential risk mitigations for delivered vulnerabilities; and
(d) Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles]. |
| CCI-003280 |
The organization defines the personnel or roles to whom the outputs of the tools and results of the vulnerability analysis are delivered. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as the ISSO, ISSM, and PM. |
DoD has defined the personnel or roles as the ISSO, ISSM, and PM. |
Development Process, Standards, And Tools | Automated Vulnerability Analysis |
SA-15 (7) |
SA-15(7).6 |
Related control: RA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Perform an automated vulnerability analysis using [Assignment: organization-defined tools];
(b) Determine the exploitation potential for discovered vulnerabilities;
(c) Determine potential risk mitigations for delivered vulnerabilities; and
(d) Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles]. |
| CCI-003281 |
The organization requires the developer of the information system, system component, or information system service to use threat modeling from similar systems, components, or services to inform the current development process. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service use threat modeling from similar systems, components, or services to inform the current development process. |
The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service use threat modeling from similar systems, components, or services to inform the current development process. |
Development Process, Standards, And Tools | Reuse Of Threat / Vulnerability Information |
SA-15 (8) |
SA-15(8).1 |
Analysis of vulnerabilities found in similar software applications can inform potential design or implementation issues for information systems under development. Similar information systems or system components may exist within developer organizations. Authoritative vulnerability information is available from a variety of public and private sector sources including, for example, the National Vulnerability Database. |
The organization requires the developer of the information system, system component, or information system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process. |
| CCI-003282 |
The organization requires the developer of the information system, system component, or information system service to use vulnerability analysis from similar systems, components, or services to inform the current development process. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service use vulnerability analysis from similar systems, components, or services to inform the current development process. |
The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service use vulnerability analysis from similar systems, components, or services to inform the current development process and potential design or implementation issues. Authoritative vulnerability information is available from a variety of public and private sector sources including, for example, the National Vulnerability Database and the Government/Industry Data Exchange Program (GIDEP). |
Development Process, Standards, And Tools | Reuse Of Threat / Vulnerability Information |
SA-15 (8) |
SA-15(8).2 |
Analysis of vulnerabilities found in similar software applications can inform potential design or implementation issues for information systems under development. Similar information systems or system components may exist within developer organizations. Authoritative vulnerability information is available from a variety of public and private sector sources including, for example, the National Vulnerability Database. |
The organization requires the developer of the information system, system component, or information system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process. |
| CCI-003283 |
The organization approves the use of live data in development environments for the information system, system component, or information system service. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of approvals to ensure the organization being inspected/assessed approves the use of live data in development environments for the information system, system component, or information system service. |
The organization being inspected/assessed documents and implements a process to approve the use of live data in development environments for the information system, system component, or information system service.
The organization must maintain a record of approvals. |
Development Process, Standards, And Tools | Use Of Live Data |
SA-15 (9) |
SA-15(9).1 |
The use of live data in preproduction environments can result in significant risk to organizations. Organizations can minimize such risk by using test or dummy data during the development and testing of information systems, information system components, and information system services. |
The organization approves, documents, and controls the use of live data in development and test environments for the information system, system component, or information system service. |
| CCI-003284 |
The organization approves the use of live data in test environments for the information system, system component, or information system service. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of approvals to ensure the organization being inspected/assessed approves the use of live data in test environments for the information system, system component, or information system service. |
The organization being inspected/assessed documents and implements a process to approve the use of live data in test environments for the information system, system component, or information system service.
The organization must maintain a record of approvals. |
Development Process, Standards, And Tools | Use Of Live Data |
SA-15 (9) |
SA-15(9).2 |
The use of live data in preproduction environments can result in significant risk to organizations. Organizations can minimize such risk by using test or dummy data during the development and testing of information systems, information system components, and information system services. |
The organization approves, documents, and controls the use of live data in development and test environments for the information system, system component, or information system service. |
| CCI-003285 |
The organization documents the use of live data in development environments for the information system, system component, or information system service. |
The organization conducting the inspection/assessment obtains and examines the documented use of live data in test environments to ensure the organization being inspected/assessed documents the use of live data in development environments for the information system, system component, or information system service. |
The organization being inspected/assessed documents the use of live data in development environments for the information system, system component, or information system service. |
Development Process, Standards, And Tools | Use Of Live Data |
SA-15 (9) |
SA-15(9).3 |
The use of live data in preproduction environments can result in significant risk to organizations. Organizations can minimize such risk by using test or dummy data during the development and testing of information systems, information system components, and information system services. |
The organization approves, documents, and controls the use of live data in development and test environments for the information system, system component, or information system service. |
| CCI-003286 |
The organization documents the use of live data in test environments for the information system, system component, or information system service. |
The organization conducting the inspection/assessment obtains and examines the documented use of live data in test environments to ensure the organization being inspected/assessed documents the use of live data in test environments for the information system, system component, or information system service. |
The organization being inspected/assessed documents the use of live data in test environments for the information system, system component, or information system service. |
Development Process, Standards, And Tools | Use Of Live Data |
SA-15 (9) |
SA-15(9).4 |
The use of live data in preproduction environments can result in significant risk to organizations. Organizations can minimize such risk by using test or dummy data during the development and testing of information systems, information system components, and information system services. |
The organization approves, documents, and controls the use of live data in development and test environments for the information system, system component, or information system service. |
| CCI-003287 |
The organization controls the use of live data in development environments for the information system, system component, or information system service. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed controls the use of live data in development environments for the information system, system component, or information system service. |
The organization being inspected/assessed documents and implements a process to control the use of live data in development environments for the information system, system component, or information system service.
The Enclave Test and Development STIG identifies requirements for test and development environments. |
Development Process, Standards, And Tools | Use Of Live Data |
SA-15 (9) |
SA-15(9).5 |
The use of live data in preproduction environments can result in significant risk to organizations. Organizations can minimize such risk by using test or dummy data during the development and testing of information systems, information system components, and information system services. |
The organization approves, documents, and controls the use of live data in development and test environments for the information system, system component, or information system service. |
| CCI-003288 |
The organization controls the use of live data in test environments for the information system, system component, or information system service. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed controls the use of live data in test environments for the information system, system component, or information system service. |
The organization being inspected/assessed documents and implements a process to control the use of live data in test environments for the information system, system component, or information system service.
The Enclave Test and Development STIG identifies requirements for test and development environments. |
Development Process, Standards, And Tools | Use Of Live Data |
SA-15 (9) |
SA-15(9).6 |
The use of live data in preproduction environments can result in significant risk to organizations. Organizations can minimize such risk by using test or dummy data during the development and testing of information systems, information system components, and information system services. |
The organization approves, documents, and controls the use of live data in development and test environments for the information system, system component, or information system service. |
| CCI-003289 |
The organization requires the developer of the information system, system component, or information system service to provide an incident response plan. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service provide an incident response plan. |
The organization being inspected/assessed documents within contracts/agreements, the requirement that the developer of the information system, system component, or information system service provide an incident response plan. |
Development Process, Standards, And Tools | Incident Response Plan |
SA-15 (10) |
SA-15(10).1 |
The incident response plan for developers of information systems, system components, and information system services is incorporated into organizational incident response plans to provide the type of incident response information not readily available to organizations. Such information may be extremely helpful, for example, when organizations respond to vulnerabilities in commercial off-the-shelf (COTS) information technology products. Related control: IR-8. |
The organization requires the developer of the information system, system component, or information system service to provide an incident response plan. |
| CCI-003290 |
The organization requires the developer of the information system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security review. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service be released or delivered together with the corresponding evidence supporting the final security review. |
The organization being inspected/assessed documents within contracts/agreements, the requirement that the developer of the information system, system component, or information system service be released or delivered together with the corresponding evidence supporting the final security review. |
Development Process, Standards, And Tools | Archive Information System / Component |
SA-15 (11) |
SA-15(11).1 |
|
The organization requires the developer of the information system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security review. |
| CCI-003291 |
The organization requires the developer of the information system, system component, or information system service to provide organization-defined training on the correct use and operation of the implemented security functions, controls, and/or mechanisms. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service provide training defined in SA-16, CCI 3292 on the correct use and operation of the implemented security functions, controls, and/or mechanisms. |
The organization being inspected/assessed documents within contracts/agreements, the requirement that the developer of the information system, system component, or information system service provide training defined in SA-16, CCI 3292 on the correct use and operation of the implemented security functions, controls, and/or mechanisms. |
Developer-Provided Trainin |
SA-16 |
SA-16.1 |
This control applies to external and internal (in-house) developers. Training of personnel is an essential element to ensure the effectiveness of security controls implemented within organizational information systems. Training options include, for example, classroom-style training, web-based/computer-based training, and hands-on training. Organizations can also request sufficient training materials from developers to conduct in-house training or offer self-training to organizational personnel. Organizations determine the type of training necessary and may require different types of training for different security functions, controls, or mechanisms. Related controls: AT-2, AT-3, SA-5. |
The organization requires the developer of the information system, system component, or information system service to provide [Assignment: organization-defined training] on the correct use and operation of the implemented security functions, controls, and/or mechanisms. |
| CCI-003292 |
The organization defines the training the developer of the information system, system component, or information system service is required to provide on the correct use and operation of the implemented security functions, controls, and/or mechanisms. |
The organization conducting the inspection/assessment obtains and examines the documented training to ensure the organization being inspected/assessed defines the training the developer of the information system, system component, or information system service is required to provide on the correct use and operation of the implemented security functions, controls, and/or mechanisms.
DoD has determined the training is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the training the developer of the information system, system component, or information system service is required to provide on the correct use and operation of the implemented security functions, controls, and/or mechanisms.
DoD has determined the training is not appropriate to define at the Enterprise level. |
Developer-Provided Trainin |
SA-16 |
SA-16.2 |
This control applies to external and internal (in-house) developers. Training of personnel is an essential element to ensure the effectiveness of security controls implemented within organizational information systems. Training options include, for example, classroom-style training, web-based/computer-based training, and hands-on training. Organizations can also request sufficient training materials from developers to conduct in-house training or offer self-training to organizational personnel. Organizations determine the type of training necessary and may require different types of training for different security functions, controls, or mechanisms. Related controls: AT-2, AT-3, SA-5. |
The organization requires the developer of the information system, system component, or information system service to provide [Assignment: organization-defined training] on the correct use and operation of the implemented security functions, controls, and/or mechanisms. |
| CCI-003293 |
The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service produce a design specification and security architecture. |
The organization being inspected/assessed documents within contracts/agreements, the requirement that the developer of the information system, system component, or information system service produce a design specification and security architecture. |
Developer Security Architecture And Design |
SA-17 |
SA-17.1 |
This control is primarily directed at external developers, although it could also be used for internal (in-house) development. In contrast, PL-8 is primarily directed at internal developers to help ensure that organizations develop an information security architecture and such security architecture is integrated or tightly coupled to the enterprise architecture. This distinction is important if/when organizations outsource the development of information systems, information system components, or information system services to external entities, and there is a requirement to demonstrate consistency with the organization's enterprise architecture and information security architecture. Related controls: PL-8, PM-7, SA-3, SA-8. |
The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that:
a. Is consistent with and supportive of the organization's security architecture which is established within and is an integrated part of the organization's enterprise architecture;
b. Accurately and completely describes the required security functionality, and the allocation of security controls among physical and logical components; and
c. Expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection. |
| CCI-003294 |
The design specification and security architecture is consistent with and supportive of the organization^s security architecture which is established within and is an integrated part of the organization^s enterprise architecture. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer produce a design specification and security architecture that is consistent with and supportive of the organization's security architecture which is established within and is interrogated part of the organization's enterprise architecture. |
The organization being inspected/assessed documents within contracts/agreements, the requirement that the developer produce a design specification and security architecture that is consistent with and supportive of the organization's security architecture which is established within and is interrogated part of the organization's enterprise architecture. |
Developer Security Architecture And Design |
SA-17 |
SA-17.2 |
This control is primarily directed at external developers, although it could also be used for internal (in-house) development. In contrast, PL-8 is primarily directed at internal developers to help ensure that organizations develop an information security architecture and such security architecture is integrated or tightly coupled to the enterprise architecture. This distinction is important if/when organizations outsource the development of information systems, information system components, or information system services to external entities, and there is a requirement to demonstrate consistency with the organization's enterprise architecture and information security architecture. Related controls: PL-8, PM-7, SA-3, SA-8. |
The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that:
a. Is consistent with and supportive of the organization's security architecture which is established within and is an integrated part of the organization's enterprise architecture;
b. Accurately and completely describes the required security functionality, and the allocation of security controls among physical and logical components; and
c. Expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection. |
| CCI-003295 |
The design specification and security architecture accurately and completely describes the required security functionality. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer produce a design specification and security architecture that accurately and completely describes the required security functionality. |
The organization being inspected/assessed documents within contracts/agreements, the requirement that the developer produce a design specification and security architecture that accurately and completely describes the required security functionality. |
Developer Security Architecture And Design |
SA-17 |
SA-17.3 |
This control is primarily directed at external developers, although it could also be used for internal (in-house) development. In contrast, PL-8 is primarily directed at internal developers to help ensure that organizations develop an information security architecture and such security architecture is integrated or tightly coupled to the enterprise architecture. This distinction is important if/when organizations outsource the development of information systems, information system components, or information system services to external entities, and there is a requirement to demonstrate consistency with the organization's enterprise architecture and information security architecture. Related controls: PL-8, PM-7, SA-3, SA-8. |
The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that:
a. Is consistent with and supportive of the organization's security architecture which is established within and is an integrated part of the organization's enterprise architecture;
b. Accurately and completely describes the required security functionality, and the allocation of security controls among physical and logical components; and
c. Expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection. |
| CCI-003296 |
The design specification and security architecture accurately and completely describes the allocation of security controls among physical and logical components. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer produce a design specification and security architecture that accurately and completely describes the allocation of security controls among physical and logical components. |
The organization being inspected/assessed documents within contracts/agreements, the requirement that the developer produce a design specification and security architecture that accurately and completely describes the allocation of security controls among physical and logical components. |
Developer Security Architecture And Design |
SA-17 |
SA-17.4 |
This control is primarily directed at external developers, although it could also be used for internal (in-house) development. In contrast, PL-8 is primarily directed at internal developers to help ensure that organizations develop an information security architecture and such security architecture is integrated or tightly coupled to the enterprise architecture. This distinction is important if/when organizations outsource the development of information systems, information system components, or information system services to external entities, and there is a requirement to demonstrate consistency with the organization's enterprise architecture and information security architecture. Related controls: PL-8, PM-7, SA-3, SA-8. |
The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that:
a. Is consistent with and supportive of the organization's security architecture which is established within and is an integrated part of the organization's enterprise architecture;
b. Accurately and completely describes the required security functionality, and the allocation of security controls among physical and logical components; and
c. Expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection. |
| CCI-003297 |
The design specification and security architecture expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer produce a design specification and security architecture that expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection. |
The organization being inspected/assessed documents within contracts/agreements, the requirement that the developer produce a design specification and security architecture that expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection. |
Developer Security Architecture And Design |
SA-17 |
SA-17.5 |
This control is primarily directed at external developers, although it could also be used for internal (in-house) development. In contrast, PL-8 is primarily directed at internal developers to help ensure that organizations develop an information security architecture and such security architecture is integrated or tightly coupled to the enterprise architecture. This distinction is important if/when organizations outsource the development of information systems, information system components, or information system services to external entities, and there is a requirement to demonstrate consistency with the organization's enterprise architecture and information security architecture. Related controls: PL-8, PM-7, SA-3, SA-8. |
The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that:
a. Is consistent with and supportive of the organization's security architecture which is established within and is an integrated part of the organization's enterprise architecture;
b. Accurately and completely describes the required security functionality, and the allocation of security controls among physical and logical components; and
c. Expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection. |
| CCI-003298 |
The organization requires the developer of the information system, system component, or information system to produce, as an integral part of the development process, a formal policy model describing the organization-defined elements of organizational security policy to be enforced. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service produce, as an integral part of the development process, a formal policy model describing the elements of organizational security policy defined in SA-17 (1), CCI 3299 to be enforced. |
The organization being inspected/assessed documents within contracts/agreements,, the requirement that the developer of the information system, system component, or information system service produce, as an integral part of the development process, a formal policy model describing the elements of organizational security policy defined in SA-17 (1), CCI 3299 to be enforced. |
Developer Security Architecture And Design | Formal Policy Model |
SA-17 (1) |
SA-17(1).1 |
Formal models describe specific behaviors or security policies using formal languages, thus enabling the correctness of those behaviors/policies to be formally proven. Not all components of information systems can be modeled, and generally, formal specifications are scoped to specific behaviors or policies of interest (e.g., nondiscretionary access control policies). Organizations choose the particular formal modeling language and approach based on the nature of the behaviors/policies to be described and the available tools. Formal modeling tools include, for example, Gypsy and Zed. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Produce, as an integral part of the development process, a formal policy model describing the [Assignment: organization-defined elements of organizational security policy] to be enforced; and
(b) Prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented. |
| CCI-003299 |
The organization defines the elements of organization security policy to be described in the formal policy model for enforcement on the information system, system component, or information system service. |
The organization conducting the inspection/assessment obtains and examines the documented elements to ensure the organization being inspected/assessed defines the elements of organization security policy to be described in the formal policy model for enforcement on the information system, system component, or information system service.
DoD has determined the elements are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the elements of organization security policy to be described in the formal policy model for enforcement on the information system, system component, or information system service.
DoD has determined the elements are not appropriate to define at the Enterprise level. |
Developer Security Architecture And Design | Formal Policy Model |
SA-17 (1) |
SA-17(1).2 |
Formal models describe specific behaviors or security policies using formal languages, thus enabling the correctness of those behaviors/policies to be formally proven. Not all components of information systems can be modeled, and generally, formal specifications are scoped to specific behaviors or policies of interest (e.g., nondiscretionary access control policies). Organizations choose the particular formal modeling language and approach based on the nature of the behaviors/policies to be described and the available tools. Formal modeling tools include, for example, Gypsy and Zed. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Produce, as an integral part of the development process, a formal policy model describing the [Assignment: organization-defined elements of organizational security policy] to be enforced; and
(b) Prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented. |
| CCI-003300 |
The organization requires the developer of the information system, system component, or information system service to prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements o ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented. |
The organization being inspected/assessed documents within contracts/agreements, the requirement that the developer of the information system, system component, or information system service prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented. |
Developer Security Architecture And Design | Formal Policy Model |
SA-17 (1) |
SA-17(1).3 |
Formal models describe specific behaviors or security policies using formal languages, thus enabling the correctness of those behaviors/policies to be formally proven. Not all components of information systems can be modeled, and generally, formal specifications are scoped to specific behaviors or policies of interest (e.g., nondiscretionary access control policies). Organizations choose the particular formal modeling language and approach based on the nature of the behaviors/policies to be described and the available tools. Formal modeling tools include, for example, Gypsy and Zed. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Produce, as an integral part of the development process, a formal policy model describing the [Assignment: organization-defined elements of organizational security policy] to be enforced; and
(b) Prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented. |
| CCI-003301 |
The organization requires the developer of the information system, system component, or information system service to define security-relevant hardware. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service define security-relevant software. |
The organization being inspected/assessed documents within contracts/agreements, the requirement that the developer of the information system, system component, or information system service define security-relevant software. |
Developer Security Architecture And Design | Security-Relevant Components |
SA-17 (2) |
SA-17(2).1 |
Security-relevant hardware, software, and firmware represent the portion of the information system, component, or service that must be trusted to perform correctly in order to maintain required security properties. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Define security-relevant hardware, software, and firmware; and
(b) Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete. |
| CCI-003302 |
The organization requires the developer of the information system, system component, or information system service to define security-relevant hardware. |
|
|
|
|
|
|
|
| CCI-003303 |
The organization requires the developer of the information system, system component, or information system service to define security-relevant software. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service define security-relevant software. |
The organization being inspected/assessed documents within contracts/agreements, the requirement that the developer of the information system, system component, or information system service define security-relevant software. |
Developer Security Architecture And Design | Security-Relevant Components |
SA-17 (2) |
SA-17(2).2 |
Security-relevant hardware, software, and firmware represent the portion of the information system, component, or service that must be trusted to perform correctly in order to maintain required security properties. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Define security-relevant hardware, software, and firmware; and
(b) Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete. |
| CCI-003304 |
The organization requires the developer of the information system, system component, or information system service to define security-relevant firmware. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service define security-relevant firmware. |
The organization being inspected/assessed documents within contracts/agreements, the requirement that the developer of the information system, system component, or information system service define security-relevant firmware. |
Developer Security Architecture And Design | Security-Relevant Components |
SA-17 (2) |
SA-17(2).3 |
Security-relevant hardware, software, and firmware represent the portion of the information system, component, or service that must be trusted to perform correctly in order to maintain required security properties. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Define security-relevant hardware, software, and firmware; and
(b) Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete. |
| CCI-003305 |
The organization requires the developer of the information system, system component, or information system service to provide a rationale that the definition for security-relevant hardware is complete. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service provide a rationale that the definition for security-relevant hardware is complete. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service provide a rationale that the definition for security-relevant hardware is complete. |
Developer Security Architecture And Design | Security-Relevant Components |
SA-17 (2) |
SA-17(2).4 |
Security-relevant hardware, software, and firmware represent the portion of the information system, component, or service that must be trusted to perform correctly in order to maintain required security properties. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Define security-relevant hardware, software, and firmware; and
(b) Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete. |
| CCI-003306 |
The organization requires the developer of the information system, system component, or information system service to provide a rationale that the definition for security-relevant software is complete. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service provide a rationale that the definition for security-relevant software is complete. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service provide a rationale that the definition for security-relevant software is complete. |
Developer Security Architecture And Design | Security-Relevant Components |
SA-17 (2) |
SA-17(2).5 |
Security-relevant hardware, software, and firmware represent the portion of the information system, component, or service that must be trusted to perform correctly in order to maintain required security properties. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Define security-relevant hardware, software, and firmware; and
(b) Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete. |
| CCI-003307 |
The organization requires the developer of the information system, system component, or information system service to provide a rationale that the definition for security-relevant firmware is complete. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service provide a rationale that the definition for security-relevant firmware is complete. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service provide a rationale that the definition for security-relevant firmware is complete. |
Developer Security Architecture And Design | Security-Relevant Components |
SA-17 (2) |
SA-17(2).6 |
Security-relevant hardware, software, and firmware represent the portion of the information system, component, or service that must be trusted to perform correctly in order to maintain required security properties. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Define security-relevant hardware, software, and firmware; and
(b) Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete. |
| CCI-003308 |
The organization requires the developer of the information system, system component, or information system service to produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware in terms of exceptions, error messages, and effects. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware in terms of exceptions, error messages, and effects. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware in terms of exceptions, error messages, and effects. |
Developer Security Architecture And Design | Formal Corresponden |
SA-17 (3) |
SA-17(3).1 |
Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details present have no impact on the behaviors or policies being modeled. Formal methods can be used to show that the high-level security properties are satisfied by the formal information system description, and that the formal system description is correctly implemented by a description of some lower level, for example a hardware description. Consistency between the formal top-level specification and the formal policy models is generally not amenable to being fully proven. Therefore, a combination of formal/informal methods may be needed to show such consistency. Consistency between the formal top-level specification and the implementation may require the use of an informal demonstration due to limitations in the applicability of formal methods to prove that the specification accurately reflects the implementation. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include, for example, mapping registers and direct memory input/output. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
(b) Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model;
(c) Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
(d) Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware. |
| CCI-003309 |
The organization requires the developer of the information system, system component, or information system service to produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant software in terms of exceptions, error messages, and effects. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant software in terms of exceptions, error messages, and effects. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant software in terms of exceptions, error messages, and effects. |
Developer Security Architecture And Design | Formal Corresponden |
SA-17 (3) |
SA-17(3).2 |
Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details present have no impact on the behaviors or policies being modeled. Formal methods can be used to show that the high-level security properties are satisfied by the formal information system description, and that the formal system description is correctly implemented by a description of some lower level, for example a hardware description. Consistency between the formal top-level specification and the formal policy models is generally not amenable to being fully proven. Therefore, a combination of formal/informal methods may be needed to show such consistency. Consistency between the formal top-level specification and the implementation may require the use of an informal demonstration due to limitations in the applicability of formal methods to prove that the specification accurately reflects the implementation. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include, for example, mapping registers and direct memory input/output. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
(b) Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model;
(c) Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
(d) Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware. |
| CCI-003310 |
The organization requires the developer of the information system, system component, or information system service to produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant firmware in terms of exceptions, error messages, and effects. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant firmware in terms of exceptions, error messages, and effects. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant firmware in terms of exceptions, error messages, and effects. |
Developer Security Architecture And Design | Formal Corresponden |
SA-17 (3) |
SA-17(3).3 |
Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details present have no impact on the behaviors or policies being modeled. Formal methods can be used to show that the high-level security properties are satisfied by the formal information system description, and that the formal system description is correctly implemented by a description of some lower level, for example a hardware description. Consistency between the formal top-level specification and the formal policy models is generally not amenable to being fully proven. Therefore, a combination of formal/informal methods may be needed to show such consistency. Consistency between the formal top-level specification and the implementation may require the use of an informal demonstration due to limitations in the applicability of formal methods to prove that the specification accurately reflects the implementation. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include, for example, mapping registers and direct memory input/output. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
(b) Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model;
(c) Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
(d) Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware. |
| CCI-003311 |
The organization requires the developer of the information system, system component, or information system service to show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model. |
Developer Security Architecture And Design | Formal Corresponden |
SA-17 (3) |
SA-17(3).4 |
Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details present have no impact on the behaviors or policies being modeled. Formal methods can be used to show that the high-level security properties are satisfied by the formal information system description, and that the formal system description is correctly implemented by a description of some lower level, for example a hardware description. Consistency between the formal top-level specification and the formal policy models is generally not amenable to being fully proven. Therefore, a combination of formal/informal methods may be needed to show such consistency. Consistency between the formal top-level specification and the implementation may require the use of an informal demonstration due to limitations in the applicability of formal methods to prove that the specification accurately reflects the implementation. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include, for example, mapping registers and direct memory input/output. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
(b) Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model;
(c) Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
(d) Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware. |
| CCI-003312 |
The organization requires the developer of the information system, system component, or information system service to show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware. |
Developer Security Architecture And Design | Formal Corresponden |
SA-17 (3) |
SA-17(3).5 |
Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details present have no impact on the behaviors or policies being modeled. Formal methods can be used to show that the high-level security properties are satisfied by the formal information system description, and that the formal system description is correctly implemented by a description of some lower level, for example a hardware description. Consistency between the formal top-level specification and the formal policy models is generally not amenable to being fully proven. Therefore, a combination of formal/informal methods may be needed to show such consistency. Consistency between the formal top-level specification and the implementation may require the use of an informal demonstration due to limitations in the applicability of formal methods to prove that the specification accurately reflects the implementation. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include, for example, mapping registers and direct memory input/output. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
(b) Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model;
(c) Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
(d) Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware. |
| CCI-003313 |
The organization requires the developer of the information system, system component, or information system service to show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant software. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant software. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant software. |
Developer Security Architecture And Design | Formal Corresponden |
SA-17 (3) |
SA-17(3).6 |
Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details present have no impact on the behaviors or policies being modeled. Formal methods can be used to show that the high-level security properties are satisfied by the formal information system description, and that the formal system description is correctly implemented by a description of some lower level, for example a hardware description. Consistency between the formal top-level specification and the formal policy models is generally not amenable to being fully proven. Therefore, a combination of formal/informal methods may be needed to show such consistency. Consistency between the formal top-level specification and the implementation may require the use of an informal demonstration due to limitations in the applicability of formal methods to prove that the specification accurately reflects the implementation. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include, for example, mapping registers and direct memory input/output. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
(b) Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model;
(c) Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
(d) Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware. |
| CCI-003314 |
The organization requires the developer of the information system, system component, or information system service to show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant firmware. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant firmware. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant firmware. |
Developer Security Architecture And Design | Formal Corresponden |
SA-17 (3) |
SA-17(3).7 |
Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details present have no impact on the behaviors or policies being modeled. Formal methods can be used to show that the high-level security properties are satisfied by the formal information system description, and that the formal system description is correctly implemented by a description of some lower level, for example a hardware description. Consistency between the formal top-level specification and the formal policy models is generally not amenable to being fully proven. Therefore, a combination of formal/informal methods may be needed to show such consistency. Consistency between the formal top-level specification and the implementation may require the use of an informal demonstration due to limitations in the applicability of formal methods to prove that the specification accurately reflects the implementation. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include, for example, mapping registers and direct memory input/output. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
(b) Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model;
(c) Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
(d) Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware. |
| CCI-003315 |
The organization requires the developer of the information system, system component, or information system service to show that the formal top-level specification is an accurate description of the implemented security-relevant hardware. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service show that the formal top-level specification is an accurate description of the implemented security-relevant hardware. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service show that the formal top-level specification is an accurate description of the implemented security-relevant hardware. |
Developer Security Architecture And Design | Formal Corresponden |
SA-17 (3) |
SA-17(3).8 |
Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details present have no impact on the behaviors or policies being modeled. Formal methods can be used to show that the high-level security properties are satisfied by the formal information system description, and that the formal system description is correctly implemented by a description of some lower level, for example a hardware description. Consistency between the formal top-level specification and the formal policy models is generally not amenable to being fully proven. Therefore, a combination of formal/informal methods may be needed to show such consistency. Consistency between the formal top-level specification and the implementation may require the use of an informal demonstration due to limitations in the applicability of formal methods to prove that the specification accurately reflects the implementation. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include, for example, mapping registers and direct memory input/output. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
(b) Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model;
(c) Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
(d) Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware. |
| CCI-003316 |
The organization requires the developer of the information system, system component, or information system service to show that the formal top-level specification is an accurate description of the implemented security-relevant software. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service show that the formal top-level specification is an accurate description of the implemented security-relevant software. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service show that the formal top-level specification is an accurate description of the implemented security-relevant software. |
Developer Security Architecture And Design | Formal Corresponden |
SA-17 (3) |
SA-17(3).9 |
Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details present have no impact on the behaviors or policies being modeled. Formal methods can be used to show that the high-level security properties are satisfied by the formal information system description, and that the formal system description is correctly implemented by a description of some lower level, for example a hardware description. Consistency between the formal top-level specification and the formal policy models is generally not amenable to being fully proven. Therefore, a combination of formal/informal methods may be needed to show such consistency. Consistency between the formal top-level specification and the implementation may require the use of an informal demonstration due to limitations in the applicability of formal methods to prove that the specification accurately reflects the implementation. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include, for example, mapping registers and direct memory input/output. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
(b) Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model;
(c) Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
(d) Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware. |
| CCI-003317 |
The organization requires the developer of the information system, system component, or information system service to show that the formal top-level specification is an accurate description of the implemented security-relevant firmware. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service show that the formal top-level specification is an accurate description of the implemented security-relevant firmware. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service show that the formal top-level specification is an accurate description of the implemented security-relevant firmware. |
Developer Security Architecture And Design | Formal Corresponden |
SA-17 (3) |
SA-17(3).10 |
Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details present have no impact on the behaviors or policies being modeled. Formal methods can be used to show that the high-level security properties are satisfied by the formal information system description, and that the formal system description is correctly implemented by a description of some lower level, for example a hardware description. Consistency between the formal top-level specification and the formal policy models is generally not amenable to being fully proven. Therefore, a combination of formal/informal methods may be needed to show such consistency. Consistency between the formal top-level specification and the implementation may require the use of an informal demonstration due to limitations in the applicability of formal methods to prove that the specification accurately reflects the implementation. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include, for example, mapping registers and direct memory input/output. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
(b) Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model;
(c) Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
(d) Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware. |
| CCI-003318 |
The organization requires the developer of the information system, system component, or information system service to describe the security-relevant hardware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service describe the security-relevant firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service describe the security-relevant firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware. |
Developer Security Architecture And Design | Formal Corresponden |
SA-17 (3) |
SA-17(3).11 |
Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details present have no impact on the behaviors or policies being modeled. Formal methods can be used to show that the high-level security properties are satisfied by the formal information system description, and that the formal system description is correctly implemented by a description of some lower level, for example a hardware description. Consistency between the formal top-level specification and the formal policy models is generally not amenable to being fully proven. Therefore, a combination of formal/informal methods may be needed to show such consistency. Consistency between the formal top-level specification and the implementation may require the use of an informal demonstration due to limitations in the applicability of formal methods to prove that the specification accurately reflects the implementation. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include, for example, mapping registers and direct memory input/output. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
(b) Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model;
(c) Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
(d) Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware. |
| CCI-003319 |
The organization requires the developer of the information system, system component, or information system service to describe the security-relevant software mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant software. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service describe the security-relevant software mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant software. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service describe the security-relevant software mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant software. |
Developer Security Architecture And Design | Formal Corresponden |
SA-17 (3) |
SA-17(3).12 |
Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details present have no impact on the behaviors or policies being modeled. Formal methods can be used to show that the high-level security properties are satisfied by the formal information system description, and that the formal system description is correctly implemented by a description of some lower level, for example a hardware description. Consistency between the formal top-level specification and the formal policy models is generally not amenable to being fully proven. Therefore, a combination of formal/informal methods may be needed to show such consistency. Consistency between the formal top-level specification and the implementation may require the use of an informal demonstration due to limitations in the applicability of formal methods to prove that the specification accurately reflects the implementation. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include, for example, mapping registers and direct memory input/output. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
(b) Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model;
(c) Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
(d) Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware. |
| CCI-003320 |
The organization requires the developer of the information system, system component, or information system service to describe the security-relevant firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant firmware. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service describe the security-relevant firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant firmware. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service describe the security-relevant firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant firmware. |
Developer Security Architecture And Design | Formal Corresponden |
SA-17 (3) |
SA-17(3).13 |
Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details present have no impact on the behaviors or policies being modeled. Formal methods can be used to show that the high-level security properties are satisfied by the formal information system description, and that the formal system description is correctly implemented by a description of some lower level, for example a hardware description. Consistency between the formal top-level specification and the formal policy models is generally not amenable to being fully proven. Therefore, a combination of formal/informal methods may be needed to show such consistency. Consistency between the formal top-level specification and the implementation may require the use of an informal demonstration due to limitations in the applicability of formal methods to prove that the specification accurately reflects the implementation. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include, for example, mapping registers and direct memory input/output. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
(b) Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model;
(c) Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
(d) Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware. |
| CCI-003321 |
The organization requires the developer of the information system, system component, or information system service to produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware in terms of exceptions, error messages, and effects. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware in terms of exceptions, error messages, and effects. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware in terms of exceptions, error messages, and effects. |
Developer Security Architecture And Design | Informal Correspondence |
SA-17 (4) |
SA-17(4).1 |
Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details present has no impact on the behaviors or policies being modeled. Consistency between the descriptive top-level specification (i.e., high-level/low-level design) and the formal policy model is generally not amenable to being fully proven. Therefore, a combination of formal/informal methods may be needed to show such consistency. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include, for example, mapping registers and direct memory input/output. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
(b) Show via [Selection: informal demonstration, convincing argument with formal methods as feasible] that the descriptive top-level specification is consistent with the formal policy model;
(c) Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
(d) Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware. |
| CCI-003322 |
The organization requires the developer of the information system, system component, or information system service to produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant software in terms of exceptions, error messages, and effects. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant firmware in terms of exceptions, error messages, and effects. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant firmware in terms of exceptions, error messages, and effects. |
Developer Security Architecture And Design | Informal Correspondence |
SA-17 (4) |
SA-17(4).2 |
Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details present has no impact on the behaviors or policies being modeled. Consistency between the descriptive top-level specification (i.e., high-level/low-level design) and the formal policy model is generally not amenable to being fully proven. Therefore, a combination of formal/informal methods may be needed to show such consistency. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include, for example, mapping registers and direct memory input/output. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
(b) Show via [Selection: informal demonstration, convincing argument with formal methods as feasible] that the descriptive top-level specification is consistent with the formal policy model;
(c) Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
(d) Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware. |
| CCI-003323 |
The organization requires the developer of the information system, system component, or information system service to produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant firmware in terms of exceptions, error messages, and effects. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant firmware in terms of exceptions, error messages, and effects. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant firmware in terms of exceptions, error messages, and effects. |
Developer Security Architecture And Design | Informal Correspondence |
SA-17 (4) |
SA-17(4).3 |
Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details present has no impact on the behaviors or policies being modeled. Consistency between the descriptive top-level specification (i.e., high-level/low-level design) and the formal policy model is generally not amenable to being fully proven. Therefore, a combination of formal/informal methods may be needed to show such consistency. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include, for example, mapping registers and direct memory input/output. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
(b) Show via [Selection: informal demonstration, convincing argument with formal methods as feasible] that the descriptive top-level specification is consistent with the formal policy model;
(c) Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
(d) Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware. |
| CCI-003324 |
The organization requires the developer of the information system, system component, or information system service to show via informal demonstration or convincing argument with formal methods as feasible that the descriptive top-level specification is consistent with the formal policy model. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service show via informal demonstration or convincing argument with formal methods as feasible that the descriptive top-level specification is consistent with the formal policy model. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service show via informal demonstration or convincing argument with formal methods as feasible that the descriptive top-level specification is consistent with the formal policy model. |
Developer Security Architecture And Design | Informal Correspondence |
SA-17 (4) |
SA-17(4).4 |
Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details present has no impact on the behaviors or policies being modeled. Consistency between the descriptive top-level specification (i.e., high-level/low-level design) and the formal policy model is generally not amenable to being fully proven. Therefore, a combination of formal/informal methods may be needed to show such consistency. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include, for example, mapping registers and direct memory input/output. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
(b) Show via [Selection: informal demonstration, convincing argument with formal methods as feasible] that the descriptive top-level specification is consistent with the formal policy model;
(c) Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
(d) Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware. |
| CCI-003325 |
The organization requires the developer of the information system, system component, or information system service to show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware. |
Developer Security Architecture And Design | Informal Correspondence |
SA-17 (4) |
SA-17(4).5 |
Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details present has no impact on the behaviors or policies being modeled. Consistency between the descriptive top-level specification (i.e., high-level/low-level design) and the formal policy model is generally not amenable to being fully proven. Therefore, a combination of formal/informal methods may be needed to show such consistency. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include, for example, mapping registers and direct memory input/output. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
(b) Show via [Selection: informal demonstration, convincing argument with formal methods as feasible] that the descriptive top-level specification is consistent with the formal policy model;
(c) Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
(d) Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware. |
| CCI-003326 |
The organization requires the developer of the information system, system component, or information system service to show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant software. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant software. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant software. |
Developer Security Architecture And Design | Informal Correspondence |
SA-17 (4) |
SA-17(4).6 |
Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details present has no impact on the behaviors or policies being modeled. Consistency between the descriptive top-level specification (i.e., high-level/low-level design) and the formal policy model is generally not amenable to being fully proven. Therefore, a combination of formal/informal methods may be needed to show such consistency. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include, for example, mapping registers and direct memory input/output. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
(b) Show via [Selection: informal demonstration, convincing argument with formal methods as feasible] that the descriptive top-level specification is consistent with the formal policy model;
(c) Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
(d) Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware. |
| CCI-003327 |
The organization requires the developer of the information system, system component, or information system service to show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant firmware. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant firmware. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant firmware. |
Developer Security Architecture And Design | Informal Correspondence |
SA-17 (4) |
SA-17(4).7 |
Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details present has no impact on the behaviors or policies being modeled. Consistency between the descriptive top-level specification (i.e., high-level/low-level design) and the formal policy model is generally not amenable to being fully proven. Therefore, a combination of formal/informal methods may be needed to show such consistency. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include, for example, mapping registers and direct memory input/output. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
(b) Show via [Selection: informal demonstration, convincing argument with formal methods as feasible] that the descriptive top-level specification is consistent with the formal policy model;
(c) Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
(d) Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware. |
| CCI-003328 |
The organization requires the developer of the information system, system component, or information system service to show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware. |
Developer Security Architecture And Design | Informal Correspondence |
SA-17 (4) |
SA-17(4).8 |
Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details present has no impact on the behaviors or policies being modeled. Consistency between the descriptive top-level specification (i.e., high-level/low-level design) and the formal policy model is generally not amenable to being fully proven. Therefore, a combination of formal/informal methods may be needed to show such consistency. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include, for example, mapping registers and direct memory input/output. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
(b) Show via [Selection: informal demonstration, convincing argument with formal methods as feasible] that the descriptive top-level specification is consistent with the formal policy model;
(c) Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
(d) Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware. |
| CCI-003329 |
The organization requires the developer of the information system, system component, or information system service to show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant software. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant software. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant software. |
Developer Security Architecture And Design | Informal Correspondence |
SA-17 (4) |
SA-17(4).9 |
Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details present has no impact on the behaviors or policies being modeled. Consistency between the descriptive top-level specification (i.e., high-level/low-level design) and the formal policy model is generally not amenable to being fully proven. Therefore, a combination of formal/informal methods may be needed to show such consistency. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include, for example, mapping registers and direct memory input/output. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
(b) Show via [Selection: informal demonstration, convincing argument with formal methods as feasible] that the descriptive top-level specification is consistent with the formal policy model;
(c) Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
(d) Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware. |
| CCI-003330 |
The organization requires the developer of the information system, system component, or information system service to show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant firmware. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant firmware. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant firmware. |
Developer Security Architecture And Design | Informal Correspondence |
SA-17 (4) |
SA-17(4).10 |
Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details present has no impact on the behaviors or policies being modeled. Consistency between the descriptive top-level specification (i.e., high-level/low-level design) and the formal policy model is generally not amenable to being fully proven. Therefore, a combination of formal/informal methods may be needed to show such consistency. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include, for example, mapping registers and direct memory input/output. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
(b) Show via [Selection: informal demonstration, convincing argument with formal methods as feasible] that the descriptive top-level specification is consistent with the formal policy model;
(c) Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
(d) Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware. |
| CCI-003331 |
The organization requires the developer of the information system, system component, or information system service to describe the security-relevant hardware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service describe the security-relevant hardware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service describe the security-relevant hardware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware. |
Developer Security Architecture And Design | Informal Correspondence |
SA-17 (4) |
SA-17(4).11 |
Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details present has no impact on the behaviors or policies being modeled. Consistency between the descriptive top-level specification (i.e., high-level/low-level design) and the formal policy model is generally not amenable to being fully proven. Therefore, a combination of formal/informal methods may be needed to show such consistency. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include, for example, mapping registers and direct memory input/output. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
(b) Show via [Selection: informal demonstration, convincing argument with formal methods as feasible] that the descriptive top-level specification is consistent with the formal policy model;
(c) Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
(d) Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware. |
| CCI-003332 |
The organization requires the developer of the information system, system component, or information system service to describe the security-relevant software mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant software. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service describe the security-relevant software mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant software. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service describe the security-relevant software mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant software. |
Developer Security Architecture And Design | Informal Correspondence |
SA-17 (4) |
SA-17(4).12 |
Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details present has no impact on the behaviors or policies being modeled. Consistency between the descriptive top-level specification (i.e., high-level/low-level design) and the formal policy model is generally not amenable to being fully proven. Therefore, a combination of formal/informal methods may be needed to show such consistency. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include, for example, mapping registers and direct memory input/output. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
(b) Show via [Selection: informal demonstration, convincing argument with formal methods as feasible] that the descriptive top-level specification is consistent with the formal policy model;
(c) Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
(d) Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware. |
| CCI-003333 |
The organization requires the developer of the information system, system component, or information system service to describe the security-relevant firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant firmware. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service describe the security-relevant firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant firmware. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service describe the security-relevant firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant firmware. |
Developer Security Architecture And Design | Informal Correspondence |
SA-17 (4) |
SA-17(4).13 |
Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details present has no impact on the behaviors or policies being modeled. Consistency between the descriptive top-level specification (i.e., high-level/low-level design) and the formal policy model is generally not amenable to being fully proven. Therefore, a combination of formal/informal methods may be needed to show such consistency. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include, for example, mapping registers and direct memory input/output. Related control: SA-5. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
(b) Show via [Selection: informal demonstration, convincing argument with formal methods as feasible] that the descriptive top-level specification is consistent with the formal policy model;
(c) Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
(d) Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware. |
| CCI-003334 |
The organization requires the developer of the information system, system component, or information system service to design and structure the security-relevant hardware to use a complete, conceptually simple protection mechanism with precisely defined semantics. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service design and structure the security-relevant hardware to use a complete, conceptually simple protection mechanism with precisely defined semantics. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service design and structure the security-relevant hardware to use a complete, conceptually simple protection mechanism with precisely defined semantics. |
Developer Security Architecture And Design | Conceptually Simple Design |
SA-17 (5) |
SA-17(5).1 |
Related control: SC-3. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics; and
(b) Internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism. |
| CCI-003335 |
The organization requires the developer of the information system, system component, or information system service to design and structure the security-relevant software to use a complete, conceptually simple protection mechanism with precisely defined semantics. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service design and structure the security-relevant software to use a complete, conceptually simple protection mechanism with precisely defined semantics. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service design and structure the security-relevant software to use a complete, conceptually simple protection mechanism with precisely defined semantics. |
Developer Security Architecture And Design | Conceptually Simple Design |
SA-17 (5) |
SA-17(5).2 |
Related control: SC-3. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics; and
(b) Internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism. |
| CCI-003336 |
The organization requires the developer of the information system, system component, or information system service to design and structure the security-relevant firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service design and structure the security-relevant firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service design and structure the security-relevant firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics. |
Developer Security Architecture And Design | Conceptually Simple Design |
SA-17 (5) |
SA-17(5).3 |
Related control: SC-3. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics; and
(b) Internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism. |
| CCI-003337 |
The organization requires the developer of the information system, system component, or information system service to internally structure the security-relevant hardware with specific regard for the complete, conceptually simple protection mechanism with precisely defined semantics. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service internally structure the security-relevant hardware with specific regard for the complete, conceptually simple protection mechanism with precisely defined semantics. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service internally structure the security-relevant hardware with specific regard for the complete, conceptually simple protection mechanism with precisely defined semantics. |
Developer Security Architecture And Design | Conceptually Simple Design |
SA-17 (5) |
SA-17(5).4 |
Related control: SC-3. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics; and
(b) Internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism. |
| CCI-003338 |
The organization requires the developer of the information system, system component, or information system service to internally structure the security-relevant software with specific regard for the complete, conceptually simple protection mechanism with precisely defined semantics. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service internally structure the security-relevant software with specific regard for the complete, conceptually simple protection mechanism with precisely defined semantics. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service internally structure the security-relevant software with specific regard for the complete, conceptually simple protection mechanism with precisely defined semantics. |
Developer Security Architecture And Design | Conceptually Simple Design |
SA-17 (5) |
SA-17(5).5 |
Related control: SC-3. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics; and
(b) Internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism. |
| CCI-003339 |
The organization requires the developer of the information system, system component, or information system service to internally structure the security-relevant firmware with specific regard for the complete, conceptually simple protection mechanism with precisely defined semantics. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service internally structure the security-relevant firmware with specific regard for the complete, conceptually simple protection mechanism with precisely defined semantics. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service internally structure the security-relevant firmware with specific regard for the complete, conceptually simple protection mechanism with precisely defined semantics. |
Developer Security Architecture And Design | Conceptually Simple Design |
SA-17 (5) |
SA-17(5).6 |
Related control: SC-3. |
The organization requires the developer of the information system, system component, or information system service to:
(a) Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics; and
(b) Internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism. |
| CCI-003340 |
The organization requires the developer of the information system, component, or information system service to structure security-relevant hardware to facilitate testing. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service structure security-relevant hardware to facilitate testing. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service structure security-relevant hardware to facilitate testing. |
Developer Security Architecture And Design | Structure For Testing |
SA-17 (6) |
SA-17(6).1 |
Related control: SA-11. |
The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate testing. |
| CCI-003341 |
The organization requires the developer of the information system, component, or information system service to structure security-relevant software to facilitate testing. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service structure security-relevant software to facilitate testing. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service structure security-relevant software to facilitate testing. |
Developer Security Architecture And Design | Structure For Testing |
SA-17 (6) |
SA-17(6).2 |
Related control: SA-11. |
The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate testing. |
| CCI-003342 |
The organization requires the developer of the information system, component, or information system service to structure security-relevant firmware to facilitate testing. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service structure security-relevant firmware to facilitate testing. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service structure security-relevant firmware to facilitate testing. |
Developer Security Architecture And Design | Structure For Testing |
SA-17 (6) |
SA-17(6).3 |
Related control: SA-11. |
The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate testing. |
| CCI-003343 |
The organization requires the developer of the information system, component, or information system service to structure security-relevant hardware to facilitate controlling access with least privilege. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service structure security-relevant hardware to facilitate controlling access with least privilege. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service structure security-relevant hardware to facilitate controlling access with least privilege. |
Developer Security Architecture And Design | Structure For Least Privilege |
SA-17 (7) |
SA-17(7).1 |
Related controls: AC-5, AC-6. |
The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege |
| CCI-003344 |
The organization requires the developer of the information system, component, or information system service to structure security-relevant software to facilitate controlling access with least privilege. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service structure security-relevant software to facilitate controlling access with least privilege. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service structure security-relevant software to facilitate controlling access with least privilege. |
Developer Security Architecture And Design | Structure For Least Privilege |
SA-17 (7) |
SA-17(7).2 |
Related controls: AC-5, AC-6. |
The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege |
| CCI-003345 |
The organization requires the developer of the information system, component, or information system service to structure security-relevant firmware to facilitate controlling access with least privilege. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service structure security-relevant firmware to facilitate controlling access with least privilege. |
The organization being inspected/assessed documents within the contracts/agreements, the requirement that the developer of the information system, system component, or information system service structure security-relevant firmware to facilitate controlling access with least privilege. |
Developer Security Architecture And Design | Structure For Least Privilege |
SA-17 (7) |
SA-17(7).3 |
Related controls: AC-5, AC-6. |
The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege |
| CCI-003346 |
The organization implements a tamper protection program for the information system, system component, or information system service. |
The organization conducting the inspection/assessment obtains and examines the documented tamper protection program to ensure the organization being inspected/assessed implements a tamper protection program for the information system, system component, or information system service. |
The organization being inspected/assessed documents and implements a tamper protection program for the information system, system component, or information system service. |
Tamper Resistance And Detection |
SA-18 |
SA-18.1 |
Anti-tamper technologies and techniques provide a level of protection for critical information systems, system components, and information technology products against a number of related threats including modification, reverse engineering, and substitution. Strong identification combined with tamper resistance and/or tamper detection is essential to protecting information systems, components, and products during distribution and when in use. Related controls: PE-3, SA-12, SI-7. |
The organization implements a tamper protection program for the information system, system component, or information system service. |
| CCI-003347 |
The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including design. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including design. |
The organization being inspected/assessed documents and implements a process to employ anti-tamper technologies and techniques during multiple phases in the system development life cycle including design. |
Tamper Resistance And Detection | Multiple Phases Of SDLC |
SA-18 (1) |
SA-18(1).1 |
Organizations use a combination of hardware and software techniques for tamper resistance and detection. Organizations employ obfuscation and self-checking, for example, to make reverse engineering and modifications more difficult, time-consuming, and expensive for adversaries. Customization of information systems and system components can make substitutions easier to detect and therefore limit damage. Related control: SA-3. |
The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including design, development, integration, operations, and maintenance. |
| CCI-003348 |
The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including development. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including development. |
The organization being inspected/assessed documents and implements a process to employ anti-tamper technologies and techniques during multiple phases in the system development life cycle including development. |
Tamper Resistance And Detection | Multiple Phases Of SDLC |
SA-18 (1) |
SA-18(1).2 |
Organizations use a combination of hardware and software techniques for tamper resistance and detection. Organizations employ obfuscation and self-checking, for example, to make reverse engineering and modifications more difficult, time-consuming, and expensive for adversaries. Customization of information systems and system components can make substitutions easier to detect and therefore limit damage. Related control: SA-3. |
The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including design, development, integration, operations, and maintenance. |
| CCI-003349 |
The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including integration. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including integration. |
The organization being inspected/assessed documents and implements a process to employ anti-tamper technologies and techniques during multiple phases in the system development life cycle including integration. |
Tamper Resistance And Detection | Multiple Phases Of SDLC |
SA-18 (1) |
SA-18(1).3 |
Organizations use a combination of hardware and software techniques for tamper resistance and detection. Organizations employ obfuscation and self-checking, for example, to make reverse engineering and modifications more difficult, time-consuming, and expensive for adversaries. Customization of information systems and system components can make substitutions easier to detect and therefore limit damage. Related control: SA-3. |
The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including design, development, integration, operations, and maintenance. |
| CCI-003350 |
The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including operations. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including operations. |
The organization being inspected/assessed documents and implements a process to employ anti-tamper technologies and techniques during multiple phases in the system development life cycle including operations. |
Tamper Resistance And Detection | Multiple Phases Of SDLC |
SA-18 (1) |
SA-18(1).4 |
Organizations use a combination of hardware and software techniques for tamper resistance and detection. Organizations employ obfuscation and self-checking, for example, to make reverse engineering and modifications more difficult, time-consuming, and expensive for adversaries. Customization of information systems and system components can make substitutions easier to detect and therefore limit damage. Related control: SA-3. |
The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including design, development, integration, operations, and maintenance. |
| CCI-003351 |
The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including maintenance. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including maintenance. |
The organization being inspected/assessed documents and implements a process to employ anti-tamper technologies and techniques during multiple phases in the system development life cycle including maintenance. |
Tamper Resistance And Detection | Multiple Phases Of SDLC |
SA-18 (1) |
SA-18(1).5 |
Organizations use a combination of hardware and software techniques for tamper resistance and detection. Organizations employ obfuscation and self-checking, for example, to make reverse engineering and modifications more difficult, time-consuming, and expensive for adversaries. Customization of information systems and system components can make substitutions easier to detect and therefore limit damage. Related control: SA-3. |
The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including design, development, integration, operations, and maintenance. |
| CCI-003352 |
The organization inspects organization-defined information systems, system components, or devices at random, at an organization-defined frequency, and/or upon organization-defined indications of need for inspection to detect tampering. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of inspections to ensure the organization being inspected/assessed inspects information systems, system components, or devices defined in SA-18 (2), CCI 3353 at random, at a frequency defined in SA-18 (2), CCI 3354, and/or upon indications of need for inspection defined in SA-18 (2), CCI 3355 to detect tampering. |
The organization being inspected/assessed documents and implements a process to inspect information systems, system components, or devices defined in SA-18 (2), CCI 3353 at random, at a frequency defined in SA-18 (2), CCI 3354, and/or upon indications of need for inspection defined in SA-18 (2), CCI 3355 to detect tampering.
The organization must maintain a record of inspections. |
Tamper Resistance And Detection | Inspection Of Information Systems, Components, Or Devices |
SA-18 (2) |
SA-18(2).1 |
This control enhancement addresses both physical and logical tampering and is typically applied to mobile devices, notebook computers, or other system components taken out of organization-controlled areas. Indications of need for inspection include, for example, when individuals return from travel to high-risk locations. Related control: SI-4. |
The organization inspects [Assignment: organization-defined information systems, system components, or devices] [Selection (one or more): at random; at [Assignment: organization-defined frequency], upon [Assignment: organization-defined indications of need for inspection]] to detect tampering. |
| CCI-003353 |
The organization defines the information systems, system components, or devices to inspect at random, at an organization-defined frequency, and/or upon organization-defined indications of need for inspection to detect tampering. |
The organization conducting the inspection/assessment obtains and examines the documented information systems, system components, or devices to ensure the organization being inspected/assessed defines the information systems, system components, or devices to inspect at random, at organization-defined frequency, and/or upon organization-defined indications of need for inspection to detect tampering.
DoD has determined the information systems, system components, or devices are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information systems, system components, or devices to inspect at random, at organization-defined frequency, and/or upon organization-defined indications of need for inspection to detect tampering.
DoD has determined the information systems, system components, or devices are not appropriate to define at the Enterprise level. |
Tamper Resistance And Detection | Inspection Of Information Systems, Components, Or Devices |
SA-18 (2) |
SA-18(2).2 |
This control enhancement addresses both physical and logical tampering and is typically applied to mobile devices, notebook computers, or other system components taken out of organization-controlled areas. Indications of need for inspection include, for example, when individuals return from travel to high-risk locations. Related control: SI-4. |
The organization inspects [Assignment: organization-defined information systems, system components, or devices] [Selection (one or more): at random; at [Assignment: organization-defined frequency], upon [Assignment: organization-defined indications of need for inspection]] to detect tampering. |
| CCI-003354 |
The organization defines the frequency on which to inspect organization-defined information systems, system components, or devices to detect tampering. |
The organization conducting the inspection/assessment obtains and examines the documented frequency to ensure the organization being inspected/assessed defines the frequency to inspect organization-defined information systems, system, components, or devices to detect tampering.
DoD has determined the frequency is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the frequency to inspect organization-defined information systems, system, components, or devices to detect tampering.
DoD has determined the frequency is not appropriate to define at the Enterprise level. |
Tamper Resistance And Detection | Inspection Of Information Systems, Components, Or Devices |
SA-18 (2) |
SA-18(2).3 |
This control enhancement addresses both physical and logical tampering and is typically applied to mobile devices, notebook computers, or other system components taken out of organization-controlled areas. Indications of need for inspection include, for example, when individuals return from travel to high-risk locations. Related control: SI-4. |
The organization inspects [Assignment: organization-defined information systems, system components, or devices] [Selection (one or more): at random; at [Assignment: organization-defined frequency], upon [Assignment: organization-defined indications of need for inspection]] to detect tampering. |
| CCI-003355 |
The organization defines indications of need for inspection to detect tampering during inspections of organization-defined information systems, system components, or devices. |
The organization conducting the inspection/assessment obtains and examines the documented indications to ensure the organization being inspected/assessed defines indications of need for inspection to detect tampering during inspections of organization-defined information systems, system components, or devices.
DoD has determined the indications are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents indications of need for inspection to detect tampering during inspections of organization-defined information systems, system components, or devices.
DoD has determined the indications are not appropriate to define at the Enterprise level. |
Tamper Resistance And Detection | Inspection Of Information Systems, Components, Or Devices |
SA-18 (2) |
SA-18(2).4 |
This control enhancement addresses both physical and logical tampering and is typically applied to mobile devices, notebook computers, or other system components taken out of organization-controlled areas. Indications of need for inspection include, for example, when individuals return from travel to high-risk locations. Related control: SI-4. |
The organization inspects [Assignment: organization-defined information systems, system components, or devices] [Selection (one or more): at random; at [Assignment: organization-defined frequency], upon [Assignment: organization-defined indications of need for inspection]] to detect tampering. |
| CCI-003356 |
The organization develops an anti-counterfeit policy that includes the means to detect counterfeit components from entering the information system. |
The organization conducting the inspection/assessment obtains and examines the documented anti-counterfeit policy to ensure the organization being inspected/assessed develops an anti-counterfeit policy that include the means to detect counterfeit components from entering the information system. |
The organization being inspected/assessed develops and documents an anti-counterfeit policy that include the means to detect counterfeit components from entering the information system. |
Component Authenticity |
SA-19 |
SA-19.1 |
Sources of counterfeit components include, for example, manufacturers, developers, vendors, and contractors. Anti-counterfeiting policy and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include, for example, US-CERT. Related controls: PE-3, SA-12, SI-7. |
The organization:
a. Develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the information system; and
b. Reports counterfeit information system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]]. |
| CCI-003357 |
The organization develops an anti-counterfeit policy that includes the means to prevent counterfeit components from entering the information system. |
The organization conducting the inspection/assessment obtains and examines the documented anti-counterfeit policy to ensure the organization being inspected/assessed develops an anti-counterfeit policy that include the means to prevent counterfeit components from entering the information system. |
The organization being inspected/assessed develops and documents an anti-counterfeit policy that include the means to prevent counterfeit components from entering the information system. |
Component Authenticity |
SA-19 |
SA-19.2 |
Sources of counterfeit components include, for example, manufacturers, developers, vendors, and contractors. Anti-counterfeiting policy and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include, for example, US-CERT. Related controls: PE-3, SA-12, SI-7. |
The organization:
a. Develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the information system; and
b. Reports counterfeit information system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]]. |
| CCI-003358 |
The organization develops anti-counterfeit procedures that include the means to detect counterfeit components from entering the information system. |
The organization conducting the inspection/assessment obtains and examines the documented anti-counterfeit procedures to ensure the organization being inspected/assessed develops anti-counterfeit procedures that include the means to detect counterfeit components from entering the information system. |
The organization being inspected/assessed develops and documents anti-counterfeit procedures that include the means to detect counterfeit components from entering the information system. |
Component Authenticity |
SA-19 |
SA-19.3 |
Sources of counterfeit components include, for example, manufacturers, developers, vendors, and contractors. Anti-counterfeiting policy and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include, for example, US-CERT. Related controls: PE-3, SA-12, SI-7. |
The organization:
a. Develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the information system; and
b. Reports counterfeit information system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]]. |
| CCI-003359 |
The organization develops anti-counterfeit procedures that include the means to prevent counterfeit components from entering the information system. |
The organization conducting the inspection/assessment obtains and examines the documented anti-counterfeit procedures to ensure the organization being inspected/assessed develops anti-counterfeit procedures that include the means to prevent counterfeit components from entering the information system. |
The organization being inspected/assessed develops and documents anti-counterfeit procedures that include the means to prevent counterfeit components from entering the information system. |
Component Authenticity |
SA-19 |
SA-19.4 |
Sources of counterfeit components include, for example, manufacturers, developers, vendors, and contractors. Anti-counterfeiting policy and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include, for example, US-CERT. Related controls: PE-3, SA-12, SI-7. |
The organization:
a. Develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the information system; and
b. Reports counterfeit information system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]]. |
| CCI-003360 |
The organization implements an anti-counterfeit policy that includes the means to detect counterfeit components from entering the information system. |
The organization conducting the inspection/assessment obtains and examines the policy defined in SA-19, CCIs 3356 and any artifacts applicable to counterfeit components to ensure the organization being inspected/assessed implements the policy defined in SA-19, CCIs 3356 that include the means to detect counterfeit components from entering the information system. |
The organization being inspected/assessed implements the policy defined in SA-19, CCIs 3356 that include the means to detect counterfeit components from entering the information system. |
Component Authenticity |
SA-19 |
SA-19.5 |
Sources of counterfeit components include, for example, manufacturers, developers, vendors, and contractors. Anti-counterfeiting policy and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include, for example, US-CERT. Related controls: PE-3, SA-12, SI-7. |
The organization:
a. Develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the information system; and
b. Reports counterfeit information system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]]. |
| CCI-003361 |
The organization implements an anti-counterfeit policy that includes the means to prevent counterfeit components from entering the information system. |
The organization conducting the inspection/assessment obtains and examines the policy defined in SA-19, CCIs 3357 and any artifacts applicable to counterfeit components to ensure the organization being inspected/assessed implements the policy defined in SA-19, CCIs 3357 that include the means to detect counterfeit components from entering the information system. |
The organization being inspected/assessed implements the policy defined in SA-19, CCIs 3357 that include the means to prevent counterfeit components from entering the information system. |
Component Authenticity |
SA-19 |
SA-19.6 |
Sources of counterfeit components include, for example, manufacturers, developers, vendors, and contractors. Anti-counterfeiting policy and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include, for example, US-CERT. Related controls: PE-3, SA-12, SI-7. |
The organization:
a. Develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the information system; and
b. Reports counterfeit information system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]]. |
| CCI-003362 |
The organization implements anti-counterfeit procedures that include the means to detect counterfeit components from entering the information system. |
The organization conducting the inspection/assessment obtains and examines the procedures defined in SA-19, CCIs 3358 and any artifacts applicable to counterfeit components to ensure the organization being inspected/assessed implements the procedures defined in SA-19, CCIs 3358 that include the means to detect counterfeit components from entering the information system. |
The organization being inspected/assessed implements the procedures defined in SA-19, CCIs 3358 that include the means to detect counterfeit components from entering the information system. |
Component Authenticity |
SA-19 |
SA-19.7 |
Sources of counterfeit components include, for example, manufacturers, developers, vendors, and contractors. Anti-counterfeiting policy and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include, for example, US-CERT. Related controls: PE-3, SA-12, SI-7. |
The organization:
a. Develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the information system; and
b. Reports counterfeit information system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]]. |
| CCI-003363 |
The organization implements anti-counterfeit procedures that include the means to prevent counterfeit components from entering the information system. |
The organization conducting the inspection/assessment obtains and examines the procedures defined in SA-19, CCIs 3359 and any artifacts applicable to counterfeit components to ensure the organization being inspected/assessed implements the procedures defined in SA-19, CCIs 3359 that include the means to prevent counterfeit components from entering the information system. |
The organization being inspected/assessed implements the procedures defined in SA-19, CCIs 3359 that include the means to prevent counterfeit components from entering the information system. |
Component Authenticity |
SA-19 |
SA-19.8 |
Sources of counterfeit components include, for example, manufacturers, developers, vendors, and contractors. Anti-counterfeiting policy and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include, for example, US-CERT. Related controls: PE-3, SA-12, SI-7. |
The organization:
a. Develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the information system; and
b. Reports counterfeit information system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]]. |
| CCI-003364 |
The organization reports counterfeit information system components to the source of the counterfeit component, organization-defined external reporting organizations, and/or organization-defined personnel or roles. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of reporting to ensure the organization being inspected/assessed reports counterfeit information system components to source of counterfeit component, at a minimum, USCYBERCOM. And/or at a minimum, the ISSO, ISSM, and PM. |
The organization being inspected/assessed documents and implements a process to report counterfeit information system components to source of counterfeit component, at a minimum, USCYBERCOM. And/or at a minimum, the ISSO, ISSM, and PM.
The organization must maintain a record of reporting.
DoD has defined the personnel or roles as at a minimum, the ISSO, ISSM, and PM.
DoD has defined the external reporting organizations as at a minimum, USCYBERCOM. |
Component Authenticity |
SA-19 |
SA-19.9 |
Sources of counterfeit components include, for example, manufacturers, developers, vendors, and contractors. Anti-counterfeiting policy and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include, for example, US-CERT. Related controls: PE-3, SA-12, SI-7. |
The organization:
a. Develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the information system; and
b. Reports counterfeit information system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]]. |
| CCI-003365 |
The organization defines the external reporting organizations to which counterfeit information system components are to be reported. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the external reporting organizations as at a minimum, USCYBERCOM |
DoD has defined the external reporting organizations as at a minimum, USCYBERCOM. |
Component Authenticity |
SA-19 |
SA-19.10 |
Sources of counterfeit components include, for example, manufacturers, developers, vendors, and contractors. Anti-counterfeiting policy and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include, for example, US-CERT. Related controls: PE-3, SA-12, SI-7. |
The organization:
a. Develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the information system; and
b. Reports counterfeit information system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]]. |
| CCI-003366 |
The organization defines the personnel or roles to whom counterfeit information system components are to be reported. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as at a minimum, the ISSO, ISSM, and PM. |
DoD has defined the personnel or roles as at a minimum, the ISSO, ISSM, and PM. |
Component Authenticity |
SA-19 |
SA-19.11 |
Sources of counterfeit components include, for example, manufacturers, developers, vendors, and contractors. Anti-counterfeiting policy and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include, for example, US-CERT. Related controls: PE-3, SA-12, SI-7. |
The organization:
a. Develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the information system; and
b. Reports counterfeit information system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]]. |
| CCI-003367 |
The organization trains organization-defined personnel or roles to detect counterfeit information system components (including hardware, software, and firmware). |
The organization conducting the inspection/assessment obtains and examines the documented process, the list of personnel responsible for detecting counterfeit information system components, as well as the record of training to ensure the organization being inspected/assessed trains personnel or roles defined in SA-19 (1), CCI 3368 to detect counterfeit information system components (including hardware, software, and firmware). |
The organization being inspected/assessed documents and implements a process to train personnel or roles defined in SA-19 (1), CCI 3368 to detect counterfeit information system components (including hardware, software, and firmware).
The organization must maintain a record of training. |
Component Authenticity | Anti-Counterfeit Training |
SA-19 (1) |
SA-19(1).1 |
|
The organization trains [Assignment: organization-defined personnel or roles] to detect counterfeit information system components (including hardware, software, and firmware). |
| CCI-003368 |
The organization defines the personnel or roles to be trained to detect counterfeit information system components (including hardware, software, and firmware). |
The organization conducting the inspection/assessment obtains and examines the documented personnel or roles to ensure the organization being inspected/assessed defines the personnel or roles to be trained to detect counterfeit information system components (including hardware, software, and firmware).
DoD has determined the personnel or roles are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the personnel or roles to be trained to detect counterfeit information system components (including hardware, software, and firmware).
DoD has determined the personnel or roles are not appropriate to define at the Enterprise level. |
Component Authenticity | Anti-Counterfeit Training |
SA-19 (1) |
SA-19(1).2 |
|
The organization trains [Assignment: organization-defined personnel or roles] to detect counterfeit information system components (including hardware, software, and firmware). |
| CCI-003369 |
The organization maintains configuration control over organization-defined information system components awaiting service/repair. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed maintains configuration control l over information system components defined in SA-19 (2), CCI 3370 awaiting service/repair. |
The organization being inspected/assessed documents and implements a process to maintain configuration control over information system components defined in SA-19 (2), CCI 3370 awaiting service/repair. |
Component Authenticity | Configuration Control For Component Service / Repair |
SA-19 (2) |
SA-19(2).1 |
|
The organization maintains configuration control over [Assignment: organization-defined information system components] awaiting service/repair and serviced/repaired components awaiting return to service. |
| CCI-003370 |
The organization defines the information system components awaiting service/repair over which configuration control must be maintained. |
The organization conducting the inspection/assessment obtains and examines the documented information system components to ensure the organization being inspected/assessed defines the information system components awaiting service/repair in which configuration control must be maintained.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information system components awaiting service/repair in which configuration control must be maintained.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
Component Authenticity | Configuration Control For Component Service / Repair |
SA-19 (2) |
SA-19(2).2 |
|
The organization maintains configuration control over [Assignment: organization-defined information system components] awaiting service/repair and serviced/repaired components awaiting return to service. |
| CCI-003371 |
The organization maintains configuration control over serviced/repaired components awaiting return to service. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed maintains configuration control over serviced/repaired components awaiting return to service. |
The organization being inspected/assessed documents and implements a process to maintain configuration control over serviced/repaired components awaiting return to service. |
Component Authenticity | Configuration Control For Component Service / Repair |
SA-19 (2) |
SA-19(2).3 |
|
The organization maintains configuration control over [Assignment: organization-defined information system components] awaiting service/repair and serviced/repaired components awaiting return to service. |
| CCI-003388 |
The organization defines the frequency on which to scan for counterfeit information system components. |
The organization conducting the inspection/assessment obtains and examines the documented frequency to ensure the organization being inspected/assessed defines the frequency to scan for counterfeit information system components.
DoD has determined the frequency is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the frequency to scan for counterfeit information system components.
DoD has determined the frequency is not appropriate to define at the Enterprise level. |
Component Authenticity | Anti-Counterfeit Scanning |
SA-19 (4) |
SA-19(4).1 |
|
The organization scans for counterfeit information system components [Assignment: organization-defined frequency]. |
| CCI-003389 |
The organization scans for counterfeit information system components in accordance with organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of scans to ensure the organization being inspected/assessed scans for counterfeit information system components in accordance with the frequency defined in SA-19 (4), CCI 3388. |
The organization being inspected/assessed documents and implements a process to scan for counterfeit information system components in accordance with the frequency defined in SA-19 (4), CCI 3388.
The organization must maintain a record of scans. |
Component Authenticity | Anti-Counterfeit Scanning |
SA-19 (4) |
SA-19(4).2 |
|
The organization scans for counterfeit information system components [Assignment: organization-defined frequency]. |
| CCI-003390 |
The organization defines the techniques and methods used to dispose of information system components. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the techniques and methods as defined IAW DoD Manual 5200.01. |
DoD has defined the techniques and methods as defined IAW DoD Manual 5200.01. |
Component Authenticity | Component Disposal |
SA-19 (3) |
SA-19(3).1 |
Proper disposal of information system components helps to prevent such components from entering the gray market. |
The organization disposes of information system components using [Assignment: organization-defined techniques and methods]. |
| CCI-003391 |
The organization disposes of information system components using organization-defined techniques and methods. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of disposal to ensure the organization being inspected/assessed disposes of information system components using techniques and methods defined IAW DoD Manual 5200.01.
DoD has defined the techniques and methods as defined IAW DoD Manual 5200.01. |
The organization being inspected/assessed documents and implements a process to dispose of information system components using techniques and methods defined IAW DoD Manual 5200.01.
The organization must maintain a record of disposal.
DoD has defined the techniques and methods as defined IAW DoD Manual 5200.01. |
Component Authenticity | Component Disposal |
SA-19 (3) |
SA-19(3).2 |
Proper disposal of information system components helps to prevent such components from entering the gray market. |
The organization disposes of information system components using [Assignment: organization-defined techniques and methods]. |
| CCI-003386 |
The organization defines the critical information system components to re-implement or custom develop. |
The organization conducting the inspection/assessment obtains and examines the documented critical information system components to ensure the organization being inspected/assessed defines the critical information system components to re-implement or custom develop.
DoD has determined the critical information system components are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the critical information system components to re-implement or custom develop.
DoD has determined the critical information system components are not appropriate to define at the Enterprise level. |
Customized Development Of Critical Components |
SA-20 |
SA-20.1 |
Organizations determine that certain information system components likely cannot be trusted due to specific threats to and vulnerabilities in those components, and for which there are no viable security controls to adequately mitigate the resulting risk. Re-implementation or custom development of such components helps to satisfy requirements for higher assurance. This is accomplished by initiating changes to system components (including hardware, software, and firmware) such that the standard attacks by adversaries are less likely to succeed. In situations where no alternative sourcing is available and organizations choose not to re-implement or custom develop critical information system components, additional safeguards can be employed (e.g., enhanced auditing, restrictions on source code and system utility access, and protection from deletion of system and application files. Related controls: CP-2, SA-8, SA-14. |
The organization re-implements or custom develops [Assignment: organization-defined critical information system components]. |
| CCI-003387 |
The organization re-implements or custom develops organization-defined critical information system components. |
The organization conducting the inspection/assessment obtains and examines hardware and software lists to ensure that no commercial off-the-shelf components are used as critical information system components defined in SA-20, CCI 3386. |
The organization being inspected/assessed re-implements or custom develops critical information system components defined in SA-20, CCI 3386. |
Customized Development Of Critical Components |
SA-20 |
SA-20.2 |
Organizations determine that certain information system components likely cannot be trusted due to specific threats to and vulnerabilities in those components, and for which there are no viable security controls to adequately mitigate the resulting risk. Re-implementation or custom development of such components helps to satisfy requirements for higher assurance. This is accomplished by initiating changes to system components (including hardware, software, and firmware) such that the standard attacks by adversaries are less likely to succeed. In situations where no alternative sourcing is available and organizations choose not to re-implement or custom develop critical information system components, additional safeguards can be employed (e.g., enhanced auditing, restrictions on source code and system utility access, and protection from deletion of system and application files. Related controls: CP-2, SA-8, SA-14. |
The organization re-implements or custom develops [Assignment: organization-defined critical information system components]. |
| CCI-003377 |
The organization defines the actions the developer of the information system, system component, or information system service must take to ensure the required screening criteria are satisfied. |
The organization conducting the inspection/assessment obtains and examines the documented actions to ensure the organization being inspected/assessed defines the actions the developer of the information system, system component, or information system service must take to ensure the required screening criteria are satisfied.
DoD has determined the actions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the actions the developer of the information system, system component, or information system service must take to ensure the required screening criteria are satisfied.
DoD has determined the actions are not appropriate to define at the Enterprise level. |
Developer Screening | Validation Of Screening |
SA-21 (1) |
SA-21(1).1 |
Satisfying required access authorizations and personnel screening criteria includes, for example, providing a listing of all the individuals authorized to perform development activities on the selected information system, system component, or information system service so that organizations can validate that the developer has satisfied the necessary authorization and screening requirements. |
The organization requires the developer of the information system, system component, or information system service take [Assignment: organization-defined actions] to ensure that the required access authorizations and screening criteria are satisfied. |
| CCI-003378 |
The organization defines the actions the developer of the information system, system component, or information system service must take to ensure the required access authorizations are satisfied. |
The organization conducting the inspection/assessment obtains and examines the documented actions to ensure the organization being inspected/assessed defines the actions the developer of the information system, system component, or information system service must take to ensure the required access authorizations are satisfied.
DoD has determined the actions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the actions the developer of the information system, system component, or information system service must take to ensure the required access authorizations are satisfied.
DoD has determined the actions are not appropriate to define at the Enterprise level. |
Developer Screening | Validation Of Screening |
SA-21 (1) |
SA-21(1).2 |
Satisfying required access authorizations and personnel screening criteria includes, for example, providing a listing of all the individuals authorized to perform development activities on the selected information system, system component, or information system service so that organizations can validate that the developer has satisfied the necessary authorization and screening requirements. |
The organization requires the developer of the information system, system component, or information system service take [Assignment: organization-defined actions] to ensure that the required access authorizations and screening criteria are satisfied. |
| CCI-003379 |
The organization requires the developer of the information system, system component, or information system service take organization-defined actions to ensure the required screening criteria are satisfied. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of information system, system component, or information system service take actions defined in SA-21 (1), CCI 3377 to ensure the required screening criteria are satisfied. |
The organization being inspected/assessed documents within the contracts/agreements the requirement that the developer of information system, system component, or information system service take actions defined in SA-21 (1), CCI 3377 to ensure the required screening criteria are satisfied. |
Developer Screening | Validation Of Screening |
SA-21 (1) |
SA-21(1).3 |
Satisfying required access authorizations and personnel screening criteria includes, for example, providing a listing of all the individuals authorized to perform development activities on the selected information system, system component, or information system service so that organizations can validate that the developer has satisfied the necessary authorization and screening requirements. |
The organization requires the developer of the information system, system component, or information system service take [Assignment: organization-defined actions] to ensure that the required access authorizations and screening criteria are satisfied. |
| CCI-003380 |
The organization requires the developer of the information system, system component, or information system service take organization-defined actions to ensure the required access authorizations are satisfied. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of information system, system component, or information system service take actions defined in SA-21 (1), CCI 3378 to ensure the required access authorizations are satisfied. |
The organization being inspected/assessed documents within the contracts/agreements the requirement that the developer of information system, system component, or information system service take actions defined in SA-21 (1), CCI 3378 to ensure the required access authorizations are satisfied. |
Developer Screening | Validation Of Screening |
SA-21 (1) |
SA-21(1).4 |
Satisfying required access authorizations and personnel screening criteria includes, for example, providing a listing of all the individuals authorized to perform development activities on the selected information system, system component, or information system service so that organizations can validate that the developer has satisfied the necessary authorization and screening requirements. |
The organization requires the developer of the information system, system component, or information system service take [Assignment: organization-defined actions] to ensure that the required access authorizations and screening criteria are satisfied. |
| CCI-003381 |
The organization defines additional personnel screening criteria that must be satisfied by the developer of an organization-defined information system, system component, or information system service. |
The organization conducting the inspection/assessment obtains and examines the documented additional personnel screening criteria to ensure the organization being inspected/assessed defines additional personnel screening criteria that must be satisfied by the developer of organization-defined information system, system component, or information system service.
DoD has determined the additional personnel screening criteria is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents additional personnel screening criteria that must be satisfied by the developer of organization-defined information system, system component, or information system service.
DoD has determined the additional personnel screening criteria is not appropriate to define at the Enterprise level.
The organization should ensure that the developer is trustworthy by performing a review of the developer that may include:
1. Organization and process certifications;
2. Security policies, procedures, and activities across the lifecycle;
3. Supply chain and how suppliers select/manage their suppliers/service providers;
4. Financials to determine if the supplier is financially stable;
5. Foreign Ownership, Control, and Influence;
6. Past performance and vulnerabilities;
7. Business relationships;
8. Maturity of business processes; and
9. Developer screening practices that may include::
a. Evaluating and vetting key personnel through security reviews (including clearance, satisfactory background checks, citizenship, and nationality) by acquirers or suppliers in any capacity (full-time employee, part-time employee, consultant, contractor, subcontractor, vendor, agent, etc.);
b. Reevaluating personnel through security reviews and assessments on a periodic basis or upon occurrence of specific significant events. |
Developer Screening |
SA-21 |
SA-21.4 |
Because the information system, system component, or information system service may be employed in critical activities essential to the national and/or economic security interests of the United States, organizations have a strong interest in ensuring that the developer is trustworthy. The degree of trust required of the developer may need to be consistent with that of the individuals accessing the information system/component/service once deployed. Examples of authorization and personnel screening criteria include clearance, satisfactory background checks, citizenship, and nationality. Trustworthiness of developers may also include a review and analysis of company ownership and any relationships the company has with entities potentially affecting the quality/reliability of the systems, components, or services being developed. Related controls: PS-3, PS-7. |
The organization requires that the developer of [Assignment: organization-defined information system, system component, or information system service]:
a. Have appropriate access authorizations as determined by assigned [Assignment: organization-defined official government duties]; and
b. Satisfy [Assignment: organization-defined additional personnel screening criteria]. |
| CCI-003382 |
The organization requires that the developer of an organization-defined information system, system component, or information system service satisfy organization-defined additional personnel screening criteria. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of information system, system component, or information system service defined in SA-21, CCI 3384 satisfy additional personnel screening criteria defined in SA-21, CCI 3381. |
The organization being inspected/assessed requires within contracts that the developer of information system, system component, or information system service defined in SA-21, CCI 3384 satisfy additional personnel screening criteria defined in SA-21, CCI 3381. |
Developer Screening |
SA-21 |
SA-21.5 |
Because the information system, system component, or information system service may be employed in critical activities essential to the national and/or economic security interests of the United States, organizations have a strong interest in ensuring that the developer is trustworthy. The degree of trust required of the developer may need to be consistent with that of the individuals accessing the information system/component/service once deployed. Examples of authorization and personnel screening criteria include clearance, satisfactory background checks, citizenship, and nationality. Trustworthiness of developers may also include a review and analysis of company ownership and any relationships the company has with entities potentially affecting the quality/reliability of the systems, components, or services being developed. Related controls: PS-3, PS-7. |
The organization requires that the developer of [Assignment: organization-defined information system, system component, or information system service]:
a. Have appropriate access authorizations as determined by assigned [Assignment: organization-defined official government duties]; and
b. Satisfy [Assignment: organization-defined additional personnel screening criteria]. |
| CCI-003383 |
The organization defines the official government duties to be assigned to the developer of an organization-defined information system, system component, or information system service. |
The organization conducting the inspection/assessment obtains and examines the documented official government duties to ensure the organization being inspected/assessed defines the official government duties to be assigned to the developer of organization-defined information system, system component, or information system service.
DoD has determined the official government duties are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the official government duties to be assigned to the developer of organization-defined information system, system component, or information system service.
DoD has determined the official government duties are not appropriate to define at the Enterprise level. |
Developer Screening |
SA-21 |
SA-21.2 |
Because the information system, system component, or information system service may be employed in critical activities essential to the national and/or economic security interests of the United States, organizations have a strong interest in ensuring that the developer is trustworthy. The degree of trust required of the developer may need to be consistent with that of the individuals accessing the information system/component/service once deployed. Examples of authorization and personnel screening criteria include clearance, satisfactory background checks, citizenship, and nationality. Trustworthiness of developers may also include a review and analysis of company ownership and any relationships the company has with entities potentially affecting the quality/reliability of the systems, components, or services being developed. Related controls: PS-3, PS-7. |
The organization requires that the developer of [Assignment: organization-defined information system, system component, or information system service]:
a. Have appropriate access authorizations as determined by assigned [Assignment: organization-defined official government duties]; and
b. Satisfy [Assignment: organization-defined additional personnel screening criteria]. |
| CCI-003384 |
The organization defines the information system, system component, or information system service which requires the information system developer to have appropriate access authorizations and satisfy additional personnel screening criteria. |
The organization conducting the inspection/assessment obtains and examines the documented information system, system component, or information system service to ensure the organization being inspected/assessed defines the information system, system component, or information system service which require the information system developer to have appropriate access authorizations and satisfy additional personnel screening criteria.
DoD has determined the information system, system component, or information system service is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information system, system component, or information system service which require the information system developer to have appropriate access authorizations and satisfy additional personnel screening criteria.
DoD has determined the information system, system component, or information system service is not appropriate to define at the Enterprise level. |
Developer Screening |
SA-21 |
SA-21.1 |
Because the information system, system component, or information system service may be employed in critical activities essential to the national and/or economic security interests of the United States, organizations have a strong interest in ensuring that the developer is trustworthy. The degree of trust required of the developer may need to be consistent with that of the individuals accessing the information system/component/service once deployed. Examples of authorization and personnel screening criteria include clearance, satisfactory background checks, citizenship, and nationality. Trustworthiness of developers may also include a review and analysis of company ownership and any relationships the company has with entities potentially affecting the quality/reliability of the systems, components, or services being developed. Related controls: PS-3, PS-7. |
The organization requires that the developer of [Assignment: organization-defined information system, system component, or information system service]:
a. Have appropriate access authorizations as determined by assigned [Assignment: organization-defined official government duties]; and
b. Satisfy [Assignment: organization-defined additional personnel screening criteria]. |
| CCI-003385 |
The organization requires that the developer of an organization-defined information system, system component, or information system service have appropriate access authorizations as determined by assigned organization-defined official government duties. |
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of information system, system component, or information system service defined in SA-21, CCI 3384 have appropriate access authorizations as determined by assigned official government duties defined in SA-21, CCI 3383. |
The organization being inspected/assessed requires within contracts that the developer of information system, system component, or information system service defined in SA-21, CCI 3384 have appropriate access authorizations as determined by assigned official government duties defined in SA-21, CCI 3383. |
Developer Screening |
SA-21 |
SA-21.3 |
Because the information system, system component, or information system service may be employed in critical activities essential to the national and/or economic security interests of the United States, organizations have a strong interest in ensuring that the developer is trustworthy. The degree of trust required of the developer may need to be consistent with that of the individuals accessing the information system/component/service once deployed. Examples of authorization and personnel screening criteria include clearance, satisfactory background checks, citizenship, and nationality. Trustworthiness of developers may also include a review and analysis of company ownership and any relationships the company has with entities potentially affecting the quality/reliability of the systems, components, or services being developed. Related controls: PS-3, PS-7. |
The organization requires that the developer of [Assignment: organization-defined information system, system component, or information system service]:
a. Have appropriate access authorizations as determined by assigned [Assignment: organization-defined official government duties]; and
b. Satisfy [Assignment: organization-defined additional personnel screening criteria]. |
| CCI-002377 |
The organization documents the system and communications protection policy. |
|
|
|
|
|
|
|
| CCI-002378 |
The organization defines the personnel or roles to be recipients of the system and communications protection policy. |
The organization conducting the inspection/assessment obtains and examines the documented personnel or roles to ensure the organization being inspected/assessed defines the personnel or roles to be recipients of the system and communications protection policy. The personnel or roles must include at a minimum, the ISSM/ISSO.
DoD has defined the personnel or roles as at a minimum, the ISSO/ISSM. |
The organization being inspected/assessed defines and documents personnel or roles to be recipients of the system and communications protection policy. The personnel or roles must include at a minimum, the ISSM/ISSO.
DoD has defined the personnel or roles as at a minimum, the ISSO/ISSM. |
System And Communications Protection Policy And Procedures |
SC-1 |
SC-1.1 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and
b. Reviews and updates the current:
1. System and communications protection policy [Assignment: organization-defined frequency]; and
2. System and communications protection procedures [Assignment: organization-defined frequency]. |
| CCI-002379 |
The organization documents procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls. |
|
|
|
|
|
|
|
| CCI-002380 |
The organization defines the personnel or roles to be recipients of the procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls. |
The organization conducting the inspection/assessment obtains and examines the documented personnel or roles to ensure the organization being inspected/assessed defines the personnel or roles to be recipients of the procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls. The personnel or roles must include at a minimum, the ISSM/ISSO.
DoD has defined the personnel or roles as at a minimum, the ISSO/ISSM. |
The organization being inspected/assessed defines and documents personnel or roles to be recipients of the procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls. The personnel or roles must include at a minimum, the ISSM/ISSO.
DoD has defined the personnel or roles as at a minimum, the ISSO/ISSM. |
System And Communications Protection Policy And Procedures |
SC-1 |
SC-1.2 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and
b. Reviews and updates the current:
1. System and communications protection policy [Assignment: organization-defined frequency]; and
2. System and communications protection procedures [Assignment: organization-defined frequency]. |
| CCI-002381 |
The organization minimizes the number of nonsecurity functions included within the isolation boundary containing security functions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to minimize the number of nonsecurity functions included within the isolation boundary containing security functions.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2381. |
The organization being inspected/assessed configures the information system to minimize the number of nonsecurity functions included within the isolation boundary containing security functions.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2381. |
Security Function Isolation | Minimize Nonsecurity Functionality |
SC-3 (3) |
SC-3(3).1 |
In those instances where it is not feasible to achieve strict isolation of nonsecurity functions from security functions, it is necessary to take actions to minimize the nonsecurity-relevant functions within the security function boundary. Nonsecurity functions contained within the isolation boundary are considered security-relevant because errors or maliciousness in such software, by virtue of being within the boundary, can impact the security functions of organizational information systems. The design objective is that the specific portions of information systems providing information security are of minimal size/complexity. Minimizing the number of nonsecurity functions in the security-relevant components of information systems allows designers and implementers to focus only on those functions which are necessary to provide the desired security capability (typically access enforcement). By minimizing nonsecurity functions within the isolation boundaries, the amount of code that must be trusted to enforce security policies is reduced, thus contributing to understandability. |
The organization minimizes the number of nonsecurity functions included within the isolation boundary containing security functions. |
| CCI-002382 |
The organization implements security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2382. |
The organization being inspected/assessed configures the information system to implement security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2382. |
Security Function Isolation | Module Coupling And Cohesiveness |
SC-3 (4) |
SC-3(4).1 |
The reduction in inter-module interactions helps to constrain security functions and to manage complexity. The concepts of coupling and cohesion are important with respect to modularity in software design. Coupling refers to the dependencies that one module has on other modules. Cohesion refers to the relationship between the different functions within a particular module. Good software engineering practices rely on modular decomposition, layering, and minimization to reduce and manage complexity, thus producing software modules that are highly cohesive and loosely coupled. |
The organization implements security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules. |
| CCI-002383 |
The organization defines the procedures to be employed to prevent unauthorized information transfer via shared resources when system processing explicitly switches between different information classification levels or security categories. |
The organization conducting the inspection/assessment obtains and examines the documented procedures to ensure the organization being inspected/assessed defines the procedures to be employed to prevent the unauthorized information transfer via shared resources when system processing explicitly switches between different information classification levels or security categories.
DoD has determined the procedures are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the procedures to be employed to prevent the unauthorized information transfer via shared resources when system processing explicitly switches between different information classification levels or security categories.
DoD has determined the procedures are not appropriate to define at the Enterprise level. |
Information In Shared Resources | Periods Processing |
SC-4 (2) |
SC-4(2).1 |
This control enhancement applies when there are explicit changes in information processing levels during information system operations, for example, during multilevel processing and periods processing with information at different classification levels or security categories. Organization-defined procedures may include, for example, approved sanitization processes for electronically stored information. |
The information system prevents unauthorized information transfer via shared resources in accordance with [Assignment: organization-defined procedures] when system processing explicitly switches between different information classification levels or security categories. |
| CCI-002384 |
The information system prevents unauthorized information transfer via shared resources in accordance with organization-defined procedures when system processing explicitly switches between different information classification levels or security categories. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prevent unauthorized information transfer via shared resources in accordance with procedures defined in SC-4 (2), CCI 2383 when system processing explicitly switches between different information classification levels or security categories.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2384. |
The organization being inspected/assessed configures the information system to prevent unauthorized information transfer via shared resources in accordance with procedures defined in SC-4 (2), CCI 2383 when system processing explicitly switches between different information classification levels or security categories.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2384. |
Information In Shared Resources | Periods Processing |
SC-4 (2) |
SC-4(2).2 |
This control enhancement applies when there are explicit changes in information processing levels during information system operations, for example, during multilevel processing and periods processing with information at different classification levels or security categories. Organization-defined procedures may include, for example, approved sanitization processes for electronically stored information. |
The information system prevents unauthorized information transfer via shared resources in accordance with [Assignment: organization-defined procedures] when system processing explicitly switches between different information classification levels or security categories. |
| CCI-002385 |
The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to protect against or limits the effects of types of denial of service attacks defined in SC-5, CCI 1093 by employing security safeguards defined in SC-5, CCI 2386.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2385. |
The organization being inspected/assessed configures the information system to protect against or limits the effects of types of denial of service attacks defined in SC-5, CCI 1093 by employing security safeguards defined in SC-5, CCI 2386.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2385. |
Denial Of Service Protection |
SC-5 |
SC-5.2 |
A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may also reduce the susceptibility to denial of service attacks. Related controls: SC-6, SC-7. |
The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards]. |
| CCI-002386 |
The organization defines the security safeguards to be employed to protect the information system against, or limit the effects of, denial of service attacks. |
The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure the organization being inspected/assessed defines the security safeguards to be employed to protect the information system against, or limit the effects of, denial of service attacks.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security safeguards to be employed to protect the information system against, or limit the effects of, denial of service attacks.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
Denial Of Service Protection |
SC-5 |
SC-5.3 |
A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may also reduce the susceptibility to denial of service attacks. Related controls: SC-6, SC-7. |
The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards]. |
| CCI-002387 |
The organization defines the denial of service attacks against other information systems that the information system is to restrict the ability of individuals to launch. |
The organization conducting the inspection/assessment obtains and examines the documented denial of service attacks to ensure the organization being inspected/assessed defines the denial of service attacks against other information systems the information system is to restrict the ability of individuals to launch.
DoD has determined the denial of service attacks as not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the denial of service attacks against other information systems the information system is to restrict the ability of individuals to launch.
DoD has determined the denial of service attacks as not appropriate to define at the Enterprise level. |
Denial Of Service Protection | Restrict Internal Users |
SC-5 (1) |
SC-5(1).2 |
Restricting the ability of individuals to launch denial of service attacks requires that the mechanisms used for such attacks are unavailable. Individuals of concern can include, for example, hostile insiders or external adversaries that have successfully breached the information system and are using the system as a platform to launch cyber attacks on third parties. Organizations can restrict the ability of individuals to connect and transmit arbitrary information on the transport medium (i.e., network, wireless spectrum). Organizations can also limit the ability of individuals to use excessive information system resources. Protection against individuals having the ability to launch denial of service attacks may be implemented on specific information systems or on boundary devices prohibiting egress to potential target systems. |
The information system restricts the ability of individuals to launch [Assignment: organization-defined denial of service attacks] against other information systems. |
| CCI-002388 |
The organization defines a list of monitoring tools to be employed to detect indicators of denial of service attacks against the information system. |
The organization conducting the inspection/assessment obtains and examines the documented monitoring tools to ensure the organization being inspected/assessed defines a list of monitoring tools to be employed to detect indicators of denial of service attacks against the information system.
DoD has determined the monitoring tools are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents a list of monitoring tools to be employed to detect indicators of denial of service attacks against the information system.
DoD has determined the monitoring tools are not appropriate to define at the Enterprise level. |
Denial Of Service Protection | Detection / Monitoring |
SC-5 (3) |
SC-5(3).1 |
Organizations consider utilization and capacity of information system resources when managing risk from denial of service due to malicious attacks. Denial of service attacks can originate from external or internal sources. Information system resources sensitive to denial of service include, for example, physical disk storage, memory, and CPU cycles. Common safeguards to prevent denial of service attacks related to storage utilization and capacity include, for example, instituting disk quotas, configuring information systems to automatically alert administrators when specific storage capacity thresholds are reached, using file compression technologies to maximize available storage space, and imposing separate partitions for system and user data. Related controls: CA-7, SI-4. |
The organization:
(a) Employs [Assignment: organization-defined monitoring tools] to detect indicators of denial of service attacks against the information system; and
(b) Monitors [Assignment: organization-defined information system resources] to determine if sufficient resources exist to prevent effective denial of service attacks. |
| CCI-002389 |
The organization employs an organization-defined list of monitoring tools to detect indicators of denial of service attacks against the information system. |
The organization conducting the inspection/assessment obtains and examines the list of monitoring tools as defined in SC-5 (3), CCI 2388 and a sampling of monitoring results to ensure the organization being inspected/assessed employs organization-defined list of monitoring tools to detect indicators of denial of service attacks against the information system. |
The organization being inspected/assessed implements the monitoring tools defined in SC-5 (3), CCI 2388 to detect indicators of denial of service attacks against the information system. |
Denial Of Service Protection | Detection / Monitoring |
SC-5 (3) |
SC-5(3).2 |
Organizations consider utilization and capacity of information system resources when managing risk from denial of service due to malicious attacks. Denial of service attacks can originate from external or internal sources. Information system resources sensitive to denial of service include, for example, physical disk storage, memory, and CPU cycles. Common safeguards to prevent denial of service attacks related to storage utilization and capacity include, for example, instituting disk quotas, configuring information systems to automatically alert administrators when specific storage capacity thresholds are reached, using file compression technologies to maximize available storage space, and imposing separate partitions for system and user data. Related controls: CA-7, SI-4. |
The organization:
(a) Employs [Assignment: organization-defined monitoring tools] to detect indicators of denial of service attacks against the information system; and
(b) Monitors [Assignment: organization-defined information system resources] to determine if sufficient resources exist to prevent effective denial of service attacks. |
| CCI-002390 |
The organization defines the information system resources to be monitored to determine if sufficient resources exist to prevent effective denial of service attacks. |
The organization conducting the inspection/assessment obtains and examines the documented information system resources to ensure the organization being inspected/assessed defines the information system resources to be monitored to determine if sufficient resources exist to prevent effective denial of service attacks.
DoD has determined the information system resources are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information system resources to be monitored to determine if sufficient resources exist to prevent effective denial of service attacks.
DoD has determined the information system resources are not appropriate to define at the Enterprise level. |
Denial Of Service Protection | Detection / Monitoring |
SC-5 (3) |
SC-5(3).3 |
Organizations consider utilization and capacity of information system resources when managing risk from denial of service due to malicious attacks. Denial of service attacks can originate from external or internal sources. Information system resources sensitive to denial of service include, for example, physical disk storage, memory, and CPU cycles. Common safeguards to prevent denial of service attacks related to storage utilization and capacity include, for example, instituting disk quotas, configuring information systems to automatically alert administrators when specific storage capacity thresholds are reached, using file compression technologies to maximize available storage space, and imposing separate partitions for system and user data. Related controls: CA-7, SI-4. |
The organization:
(a) Employs [Assignment: organization-defined monitoring tools] to detect indicators of denial of service attacks against the information system; and
(b) Monitors [Assignment: organization-defined information system resources] to determine if sufficient resources exist to prevent effective denial of service attacks. |
| CCI-002391 |
The organization monitors organization-defined information system resources to determine if sufficient resources exist to prevent effective denial of service attacks. |
The organization conducting the inspection/assessment obtains and examines the documented monitoring procedures and any available artifacts from the monitoring process to ensure the organization being inspected/assessed monitors information system resources defined in SC-5 (3), CCI 2390 to determine if sufficient resources exist to prevent effective denial of service attacks. |
The organization being inspected/assessed monitors information system resources defined in SC-5 (3), CCI 2390 to determine if sufficient resources exist to prevent effective denial of service attacks. |
Denial Of Service Protection | Detection / Monitoring |
SC-5 (3) |
SC-5(3).4 |
Organizations consider utilization and capacity of information system resources when managing risk from denial of service due to malicious attacks. Denial of service attacks can originate from external or internal sources. Information system resources sensitive to denial of service include, for example, physical disk storage, memory, and CPU cycles. Common safeguards to prevent denial of service attacks related to storage utilization and capacity include, for example, instituting disk quotas, configuring information systems to automatically alert administrators when specific storage capacity thresholds are reached, using file compression technologies to maximize available storage space, and imposing separate partitions for system and user data. Related controls: CA-7, SI-4. |
The organization:
(a) Employs [Assignment: organization-defined monitoring tools] to detect indicators of denial of service attacks against the information system; and
(b) Monitors [Assignment: organization-defined information system resources] to determine if sufficient resources exist to prevent effective denial of service attacks. |
| CCI-002392 |
The organization defines the resources to be allocated to protect the availability of information system resources. |
The organization conducting the inspection/assessment obtains and examines the documented resources to ensure the organization being inspected/assessed defines the resources to be allocated to protect the availability of information system resources.
DoD has determined the resources are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the resources to be allocated to protect the availability of information system resources.
DoD has determined the resources are not appropriate to define at the Enterprise level. |
Resource Availability |
SC-6 |
SC-6.1 |
Priority protection helps prevent lower-priority processes from delaying or interfering with the information system servicing any higher-priority processes. Quotas prevent users or processes from obtaining more than predetermined amounts of resources. This control does not apply to information system components for which there are only single users/roles. |
The information system protects the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more); priority; quota; [Assignment: organization-defined security safeguards]]. |
| CCI-002393 |
The organization defines the security safeguards to be employed to protect the availability of information system resources. |
The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure the organization being inspected/assessed defines the security safeguards to be employed to protect the availability of information system resources.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents security safeguards to be employed to protect the availability of information system resources.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
Resource Availability |
SC-6 |
SC-6.2 |
Priority protection helps prevent lower-priority processes from delaying or interfering with the information system servicing any higher-priority processes. Quotas prevent users or processes from obtaining more than predetermined amounts of resources. This control does not apply to information system components for which there are only single users/roles. |
The information system protects the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more); priority; quota; [Assignment: organization-defined security safeguards]]. |
| CCI-002394 |
The information system protects the availability of resources by allocating organization-defined resources based on priority, quota, and/or organization-defined security safeguards. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to protect the availability of resources by allocating resources defined in SC-6, CCI 2392 based on priority, quota, and/or security safeguards defined in SC-6, CCI 2393.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2394. |
The organization being inspected/assessed configures the information system to protect the availability of resources by allocating resources defined in SC-6, CCI 2392 based on priority, quota, and/or security safeguards defined in SC-6, CCI 2393.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2394. |
Resource Availability |
SC-6 |
SC-6.3 |
Priority protection helps prevent lower-priority processes from delaying or interfering with the information system servicing any higher-priority processes. Quotas prevent users or processes from obtaining more than predetermined amounts of resources. This control does not apply to information system components for which there are only single users/roles. |
The information system protects the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more); priority; quota; [Assignment: organization-defined security safeguards]]. |
| CCI-002395 |
The information system implements subnetworks for publicly accessible system components that are physically and/or logically separated from internal organizational networks. |
The organization conducting the inspection/assessment obtains and examines network topology diagrams, architecture documentation, or any other documentation identifying component partitioning to ensure the organization being inspected/assessed implements subnetworks for publicly accessible system components that are physically and/or logically separated from internal organizational networks. |
The organization being inspected/assessed designs the information system to leverage subnetworks so that publicly accessible system components are physically and/or logically separated from internal organizational networks. |
Boundary Protection |
SC-7 |
SC-7.2 |
Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. Related controls: AC-4, AC-17, CA-3, CM-7, CP-8, IR-4, RA-3, SC-5, SC-13. |
The information system:
a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. |
| CCI-002396 |
The organization protects the confidentiality and integrity of the information being transmitted across each interface for each external telecommunication service. |
The organization conducting the inspection/assessment obtains and examines the documented mechanisms to ensure the organization being inspected/assessed protects the confidentiality and integrity of the information being transmitted across each interface for each external telecommunication service. |
The organization being inspected/assessed documents and implements mechanisms to protect the confidentiality and integrity of the information being transmitted across each interface for each external telecommunication service. |
Boundary Protection | External Telecommunications Services |
SC-7 (4) |
SC-7(4).3 |
Related control: SC-8. |
The organization:
(a) Implements a managed interface for each external telecommunication service;
(b) Establishes a traffic flow policy for each managed interface;
(c) Protects the confidentiality and integrity of the information being transmitted across each interface;
(d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and
(e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need. |
| CCI-002397 |
The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prevent the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2397. |
The organization being inspected/assessed configures the information system to prevent the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2397. |
Boundary Protection | Prevent Split Tunneling For Remote Devices |
SC-7 (7) |
SC-7(7).1 |
This control enhancement is implemented within remote devices (e.g., notebook computers) through configuration settings to disable split tunneling in those devices, and by preventing those configuration settings from being readily configurable by users. This control enhancement is implemented within the information system by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. Split tunneling might be desirable by remote users to communicate with local information system resources such as printers/file servers. However, split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. The use of VPNs for remote connections, when adequately provisioned with appropriate security controls, may provide the organization with sufficient assurance that it can effectively treat such connections as non-remote connections from the confidentiality and integrity perspective. VPNs thus provide a means for allowing non-remote communications paths from remote devices. The use of an adequately provisioned VPN does not eliminate the need for preventing split tunneling. |
The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks. |
| CCI-002398 |
The information system detects outgoing communications traffic posing a threat to external information systems. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to detect outgoing communications traffic posing a threat to external information systems.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2398. |
The organization being inspected/assessed configures the information system to detect outgoing communications traffic posing a threat to external information systems.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2398. |
Boundary Protection | Restrict Threatening Outgoing Communications Traffic |
SC-7 (9) |
SC-7(9).1 |
Detecting outgoing communications traffic from internal actions that may pose threats to external information systems is sometimes termed extrusion detection. Extrusion detection at information system boundaries as part of managed interfaces includes the analysis of incoming and outgoing communications traffic searching for indications of internal threats to the security of external systems. Such threats include, for example, traffic indicative of denial of service attacks and traffic containing malicious code. Related controls: AU-2, AU-6, SC-38, SC-44, SI-3, SI-4. |
The information system:
(a) Detects and denies outgoing communications traffic posing a threat to external information systems; and
(b) Audits the identity of internal users associated with denied communications. |
| CCI-002399 |
The information system denies outgoing communications traffic posing a threat to external information systems. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to deny outgoing communications traffic posing a threat to external information systems.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2399. |
The organization being inspected/assessed configures the information system to deny outgoing communications traffic posing a threat to external information systems.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2399. |
Boundary Protection | Restrict Threatening Outgoing Communications Traffic |
SC-7 (9) |
SC-7(9).2 |
Detecting outgoing communications traffic from internal actions that may pose threats to external information systems is sometimes termed extrusion detection. Extrusion detection at information system boundaries as part of managed interfaces includes the analysis of incoming and outgoing communications traffic searching for indications of internal threats to the security of external systems. Such threats include, for example, traffic indicative of denial of service attacks and traffic containing malicious code. Related controls: AU-2, AU-6, SC-38, SC-44, SI-3, SI-4. |
The information system:
(a) Detects and denies outgoing communications traffic posing a threat to external information systems; and
(b) Audits the identity of internal users associated with denied communications. |
| CCI-002400 |
The information system audits the identity of internal users associated with denied outgoing communications traffic posing a threat to external information systems. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to audit the identity of internal users associated with denied outgoing communications traffic posing a threat to external information systems.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2400. |
The organization being inspected/assessed configures the information system to audit the identity of internal users associated with denied outgoing communications traffic posing a threat to external information systems.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2400. |
Boundary Protection | Restrict Threatening Outgoing Communications Traffic |
SC-7 (9) |
SC-7(9).3 |
Detecting outgoing communications traffic from internal actions that may pose threats to external information systems is sometimes termed extrusion detection. Extrusion detection at information system boundaries as part of managed interfaces includes the analysis of incoming and outgoing communications traffic searching for indications of internal threats to the security of external systems. Such threats include, for example, traffic indicative of denial of service attacks and traffic containing malicious code. Related controls: AU-2, AU-6, SC-38, SC-44, SI-3, SI-4. |
The information system:
(a) Detects and denies outgoing communications traffic posing a threat to external information systems; and
(b) Audits the identity of internal users associated with denied communications. |
| CCI-002401 |
The organization defines the authorized sources from which the information system will allow incoming communications. |
The organization conducting the inspection/assessment obtains and examines the documented authorized sources to ensure the organization being inspected/assessed defines the authorized sources from which the information system will allow incoming communications.
DoD has determined the authorized sources are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the authorized sources from which the information system will allow incoming communications.
DoD has determined the authorized sources are not appropriate to define at the Enterprise level. |
Boundary Protection | Restrict Incoming Communications Traffic |
SC-7 (11) |
SC-7(11).1 |
This control enhancement provides determinations that source and destination address pairs represent authorized/allowed communications. Such determinations can be based on several factors including, for example, the presence of source/destination address pairs in lists of authorized/allowed communications, the absence of address pairs in lists of unauthorized/disallowed pairs, or meeting more general rules for authorized/allowed source/destination pairs. Related control: AC-3. |
The information system only allows incoming communications from [Assignment: organization defined authorized sources] routed to [Assignment: organization-defined authorized destinations]. |
| CCI-002402 |
The organization defines the authorized destinations for routing inbound communications. |
The organization conducting the inspection/assessment obtains and examines the documented authorized destinations to ensure the organization being inspected/assessed defines the authorized destinations for routing inbound communications.
DoD has determined the authorized destinations are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the authorized destinations for routing inbound communications.
DoD has determined the authorized destinations are not appropriate to define at the Enterprise level. |
Boundary Protection | Restrict Incoming Communications Traffic |
SC-7 (11) |
SC-7(11).2 |
This control enhancement provides determinations that source and destination address pairs represent authorized/allowed communications. Such determinations can be based on several factors including, for example, the presence of source/destination address pairs in lists of authorized/allowed communications, the absence of address pairs in lists of unauthorized/disallowed pairs, or meeting more general rules for authorized/allowed source/destination pairs. Related control: AC-3. |
The information system only allows incoming communications from [Assignment: organization defined authorized sources] routed to [Assignment: organization-defined authorized destinations]. |
| CCI-002403 |
The information system only allows incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to allow incoming communications from authorized sources defined in SC-7 (11), CCI 2401 routed to authorized destinations defined in SC-7 (11), CCI 2402.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2403. |
The organization being inspected/assessed configures the information system to allow incoming communications from authorized sources defined in SC-7 (11), CCI 2401 routed to authorized destinations defined in SC-7 (11), CCI 2402.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2403. |
Boundary Protection | Restrict Incoming Communications Traffic |
SC-7 (11) |
SC-7(11).3 |
This control enhancement provides determinations that source and destination address pairs represent authorized/allowed communications. Such determinations can be based on several factors including, for example, the presence of source/destination address pairs in lists of authorized/allowed communications, the absence of address pairs in lists of unauthorized/disallowed pairs, or meeting more general rules for authorized/allowed source/destination pairs. Related control: AC-3. |
The information system only allows incoming communications from [Assignment: organization defined authorized sources] routed to [Assignment: organization-defined authorized destinations]. |
| CCI-002404 |
The organization defines the host-based boundary protection mechanisms that are to be implemented at organization-defined information system components. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the information system components as McAfee Host Intrusion Prevention (HIPS). |
DoD has defined the information system components as McAfee Host Intrusion Prevention (HIPS). |
Boundary Protection | Host-Based Protection |
SC-7 (12) |
SC-7(12).1 |
Host-based boundary protection mechanisms include, for example, host-based firewalls. Information system components employing host-based boundary protection mechanisms include, for example, servers, workstations, and mobile devices. |
The organization implements [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined information system components]. |
| CCI-002405 |
The organization defines the information system components at which organization-defined host-based boundary protection mechanisms will be implemented. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the information system components as all information system components. |
DoD has defined the information system components as all information system components. |
Boundary Protection | Host-Based Protection |
SC-7 (12) |
SC-7(12).2 |
Host-based boundary protection mechanisms include, for example, host-based firewalls. Information system components employing host-based boundary protection mechanisms include, for example, servers, workstations, and mobile devices. |
The organization implements [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined information system components]. |
| CCI-002406 |
The organization implements organization-defined host-based boundary protection mechanisms at organization-defined information system components. |
The organization conducting the inspection/assessment examines a sampling of information system components to ensure the organization being inspected/assessed implements McAfee Host Intrusion Prevention (HIPS) on all information system components.
DoD has defined the host-based boundary protection mechanisms as McAfee Host Intrusion Prevention (HIPS).
DoD has defined the information system components as all information system components. |
The organization being inspected/assessed implements McAfee Host Intrusion Prevention (HIPS) on all information system components.
DoD has defined the host-based boundary protection mechanisms as McAfee Host Intrusion Prevention (HIPS).
DoD has defined the information system components as all information system components. |
Boundary Protection | Host-Based Protection |
SC-7 (12) |
SC-7(12).3 |
Host-based boundary protection mechanisms include, for example, host-based firewalls. Information system components employing host-based boundary protection mechanisms include, for example, servers, workstations, and mobile devices. |
The organization implements [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined information system components]. |
| CCI-002407 |
The organization defines the managed interfaces at which the organization protects against unauthorized physical connections. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the managed interfaces as internet access points, enclave LAN to WAN, cross domain solutions, and any DoD Approved Alternate Gateways. |
DoD has defined the managed interfaces as internet access points, enclave LAN to WAN, cross domain solutions, and any DoD Approved Alternate Gateways. |
Boundary Protection | Protects Against Unauthorized Physical Connection |
SC-7 (14) |
SC-7(14).3 |
Information systems operating at different security categories or classification levels may share common physical and environmental controls, since the systems may share space within organizational facilities. In practice, it is possible that these separate information systems may share common equipment rooms, wiring closets, and cable distribution paths. Protection against unauthorized physical connections can be achieved, for example, by employing clearly identified and physically separated cable trays, connection frames, and patch panels for each side of managed interfaces with physical access controls enforcing limited authorized access to these items. Related controls: PE-4, PE-19. |
The organization protects against unauthorized physical connections at [Assignment: organization-defined managed interfaces]. |
| CCI-002408 |
The organization defines the independently configured communication clients, which are configured by end users and external service providers, between which the information system will block both inbound and outbound communications traffic. |
The organization conducting the inspection/assessment obtains and examines the documented communication clients to ensure the organization being inspected/assessed defines the independently configured communication clients, which are configured by end users and external service providers, between which the information system will block both inbound and outbound communications traffic.
DoD has determined the communication clients are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the independently configured communication clients, which are configured by end users and external service providers, between which the information system will block both inbound and outbound communications traffic.
DoD has determined the communication clients are not appropriate to define at the Enterprise level. |
Boundary Protection | Blocks Communication From Non-Organizationally Configured Hosts |
SC-7 (19) |
SC-7(19).1 |
Communication clients independently configured by end users and external service providers include, for example, instant messaging clients. Traffic blocking does not apply to communication clients that are configured by organizations to perform authorized functions. |
The information system blocks both inbound and outbound communications traffic between [Assignment: organization-defined communication clients] that are independently configured by end users and external service providers. |
| CCI-002409 |
The information system blocks both inbound and outbound communications traffic between organization-defined communication clients that are independently configured by end users and external service providers. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to block both inbound and outbound communications traffic between communication clients defined in SC-7 (19), CCI 2408 that are independently configured by end users and external service providers.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2409. |
The organization being inspected/assessed configures the information system to block both inbound and outbound communications traffic between communication clients defined in SC-7 (19), CCI 2408 that are independently configured by end users and external service providers.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2409. |
Boundary Protection | Blocks Communication From Non-Organizationally Configured Hosts |
SC-7 (19) |
SC-7(19).2 |
Communication clients independently configured by end users and external service providers include, for example, instant messaging clients. Traffic blocking does not apply to communication clients that are configured by organizations to perform authorized functions. |
The information system blocks both inbound and outbound communications traffic between [Assignment: organization-defined communication clients] that are independently configured by end users and external service providers. |
| CCI-002410 |
The organization defines information system components that are to be dynamically isolated/segregated from other components of the information system. |
The organization conducting the inspection/assessment obtains and examines the documented information system components to ensure the organization being inspected/assessed defines information system components that are to be dynamically isolated/segregated from other components of the information system.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents information system components that are to be dynamically isolated/segregated from other components of the information system.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
Boundary Protection | Dynamic Isolation / Segregation |
SC-7 (20) |
SC-7(20).1 |
The capability to dynamically isolate or segregate certain internal components of organizational information systems is useful when it is necessary to partition or separate certain components of dubious origin from those components possessing greater trustworthiness. Component isolation reduces the attack surface of organizational information systems. Isolation of selected information system components is also a means of limiting the damage from successful cyber attacks when those attacks occur. |
The information system provides the capability to dynamically isolate/segregate [Assignment: organization-defined information system components] from other components of the system. |
| CCI-002411 |
The information system provides the capability to dynamically isolate/segregate organization-defined information system components from other components of the system. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide the capability to dynamically isolate/segregate information system components defined in SC-7 (20), CCI 2410 from other components of the system.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2411. |
The organization being inspected/assessed configures the information system to provide the capability to dynamically isolate/segregate information system components defined in SC-7 (20), CCI 2410 from other components of the system.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2411. |
Boundary Protection | Dynamic Isolation / Segregation |
SC-7 (20) |
SC-7(20).2 |
The capability to dynamically isolate or segregate certain internal components of organizational information systems is useful when it is necessary to partition or separate certain components of dubious origin from those components possessing greater trustworthiness. Component isolation reduces the attack surface of organizational information systems. Isolation of selected information system components is also a means of limiting the damage from successful cyber attacks when those attacks occur. |
The information system provides the capability to dynamically isolate/segregate [Assignment: organization-defined information system components] from other components of the system. |
| CCI-002412 |
The organization defines the information system components supporting organization-defined missions and/or business functions that are to be separated using boundary protection mechanisms. |
|
|
|
|
|
|
|
| CCI-002413 |
The organization defines the information system components supporting organization-defined missions and/or business functions that are to be separated using boundary protection mechanisms. |
The organization conducting the inspection/assessment obtains and examines the documented information system components to ensure the organization being inspected/assessed defines the information system components supporting organization-defined missions and/or business functions that are to be separated using boundary protection mechanisms.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information system components supporting organization-defined missions and/or business functions that are to be separated using boundary protection mechanisms.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
Boundary Protection | Isolation Of Information System Components |
SC-7 (21) |
SC-7(21).1 |
Organizations can isolate information system components performing different missions and/or business functions. Such isolation limits unauthorized information flows among system components and also provides the opportunity to deploy greater levels of protection for selected components. Separating system components with boundary protection mechanisms provides the capability for increased protection of individual components and to more effectively control information flows between those components. This type of enhanced protection limits the potential harm from cyber attacks and errors. The degree of separation provided varies depending upon the mechanisms chosen. Boundary protection mechanisms include, for example, routers, gateways, and firewalls separating system components into physically separate networks or subnetworks, cross-domain devices separating subnetworks, virtualization techniques, and encrypting information flows among system components using distinct encryption keys. Related controls: CA-9, SC-3. |
The organization employs boundary protection mechanisms to separate [Assignment: organization-defined information system components] supporting [Assignment: organization-defined missions and/or business functions]. |
| CCI-002414 |
The organization defines the missions and/or business functions for which boundary protection mechanisms will be employed to separate the supporting organization-defined information system components. |
The organization conducting the inspection/assessment obtains and examines the documented missions and/or business functions to ensure the organization being inspected/assessed defines the missions and/or business functions for which boundary protection mechanisms will be employed to separate the supporting organization-defined information system components.
DoD has determined the missions and/or business functions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the missions and/or business functions for which boundary protection mechanisms will be employed to separate the supporting organization-defined information system components.
DoD has determined the missions and/or business functions are not appropriate to define at the Enterprise level. |
Boundary Protection | Isolation Of Information System Components |
SC-7 (21) |
SC-7(21).2 |
Organizations can isolate information system components performing different missions and/or business functions. Such isolation limits unauthorized information flows among system components and also provides the opportunity to deploy greater levels of protection for selected components. Separating system components with boundary protection mechanisms provides the capability for increased protection of individual components and to more effectively control information flows between those components. This type of enhanced protection limits the potential harm from cyber attacks and errors. The degree of separation provided varies depending upon the mechanisms chosen. Boundary protection mechanisms include, for example, routers, gateways, and firewalls separating system components into physically separate networks or subnetworks, cross-domain devices separating subnetworks, virtualization techniques, and encrypting information flows among system components using distinct encryption keys. Related controls: CA-9, SC-3. |
The organization employs boundary protection mechanisms to separate [Assignment: organization-defined information system components] supporting [Assignment: organization-defined missions and/or business functions]. |
| CCI-002415 |
The organization employs boundary protection mechanisms to separate organization-defined information system components supporting organization-defined missions and/or business functions. |
The organization conducting the inspection/assessment obtains and examines network topology diagrams, architecture documentation, or any other documentation identifying component partitioning to ensure the organization being inspected/assessed employs boundary protection mechanisms to separate information system components defined in SC-7 (21), CCI 2413 supporting missions and/or business functions defined in SC-7 (21), CCI 2414. |
The organization being inspected/assessed designs the information system to employ boundary protection mechanisms to separate information system components defined in SC-7 (21), CCI 2413 supporting missions and/or business functions defined in SC-7 (21), CCI 2414. |
Boundary Protection | Isolation Of Information System Components |
SC-7 (21) |
SC-7(21).3 |
Organizations can isolate information system components performing different missions and/or business functions. Such isolation limits unauthorized information flows among system components and also provides the opportunity to deploy greater levels of protection for selected components. Separating system components with boundary protection mechanisms provides the capability for increased protection of individual components and to more effectively control information flows between those components. This type of enhanced protection limits the potential harm from cyber attacks and errors. The degree of separation provided varies depending upon the mechanisms chosen. Boundary protection mechanisms include, for example, routers, gateways, and firewalls separating system components into physically separate networks or subnetworks, cross-domain devices separating subnetworks, virtualization techniques, and encrypting information flows among system components using distinct encryption keys. Related controls: CA-9, SC-3. |
The organization employs boundary protection mechanisms to separate [Assignment: organization-defined information system components] supporting [Assignment: organization-defined missions and/or business functions]. |
| CCI-002416 |
The information system implements separate network addresses (i.e., different subnets) to connect to systems in different security domains. |
The organization conducting the inspection/assessment obtains and examines network topology diagrams, architecture documentation, or any other documentation identifying component partitioning to ensure the organization being inspected/assessed implements separate network addresses (i.e., different subnets) to connect to systems in different security domains. |
The organization being inspected/assessed designs the information system to implement separate network addresses (i.e., different subnets) to connect to systems in different security domains. |
Boundary Protection | Separate Subnets For Connecting To Different Security Domains |
SC-7 (22) |
SC-7(22).1 |
Decomposition of information systems into subnets helps to provide the appropriate level of protection for network connections to different security domains containing information with different security categories or classification levels. |
The information system implements separate network addresses (i.e., different subnets) to connect to systems in different security domains. |
| CCI-002417 |
The information system disables feedback to senders on protocol format validation failure. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to disable feedback to senders on protocol format validation failure
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2417. |
The organization being inspected/assessed configures the information system to disable feedback to senders on protocol format validation failure
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2417. |
Boundary Protection | Disable Sender Feedback On Protocol Validation Failure |
SC-7 (23) |
SC-7(23).1 |
Disabling feedback to senders when there is a failure in protocol validation format prevents adversaries from obtaining information which would otherwise be unavailable. |
The information system disables feedback to senders on protocol format validation failure. |
| CCI-002418 |
The information system protects the confidentiality and/or integrity of transmitted information. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to protect the confidentiality and/or integrity of transmitted information.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2418. |
The organization being inspected/assessed configures the information system to protect the confidentiality and/or integrity of transmitted information.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2418. |
Transmission Confidentiality And Integrity |
SC-8 |
SC-8.1 |
This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing protected distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk. Related controls: AC-17, PE-4. |
The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information. |
| CCI-002419 |
The organization defines the alternative physical safeguards to be employed when cryptographic mechanisms are not implemented to protect information during transmission. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the alternative physical safeguards as Protected Distribution System (PDS). |
DoD has defined the alternative physical safeguards as Protected Distribution System (PDS). |
Transmission Confidentiality And Integrity | Cryptographic Or Alternate Physical Protection |
SC-8 (1) |
SC-8(1).1 |
Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems. Related control: SC-13. |
The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]. |
| CCI-002420 |
The information system maintains the confidentiality and/or integrity of information during preparation for transmission. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to maintain the confidentiality and integrity of information during preparation for transmission.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2420. |
The organization being inspected/assessed configures the information system to maintain the confidentiality and integrity of information during preparation for transmission.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2420.
DoD has defined the selection as both confidentiality and integrity. |
Transmission Confidentiality And Integrity | Pre / Post Transmission Handling |
SC-8 (2) |
SC-8(2).1 |
Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission or during reception including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Related control: AU-10. |
The information system maintains the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception. |
| CCI-002421 |
The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement cryptographic mechanisms to prevent unauthorized disclosure of information and detect changes to information during transmission unless otherwise protected by Protected Distribution System (PDS).
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2421.
DoD has defined the alternative physical safeguards as Protected Distribution System (PDS). |
The organization being inspected/assessed configures the information system to implement cryptographic mechanisms to prevent unauthorized disclosure of information and detect changes to information during transmission unless otherwise protected by Protected Distribution System (PDS).
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2421.
DoD has defined the selection as both prevention of unauthorized disclosure and detection of changes to information.
DoD has defined the alternative physical safeguards as Protected Distribution System (PDS). |
Transmission Confidentiality And Integrity | Cryptographic Or Alternate Physical Protection |
SC-8 (1) |
SC-8(1).2 |
Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems. Related control: SC-13. |
The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]. |
| CCI-002422 |
The information system maintains the confidentiality and/or integrity of information during reception. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to maintain the confidentiality and integrity of information during reception.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2422. |
The organization being inspected/assessed configures the information system to maintain the confidentiality and integrity of information during reception.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2422.
DoD has defined the selection as both confidentiality and integrity. |
Transmission Confidentiality And Integrity | Pre / Post Transmission Handling |
SC-8 (2) |
SC-8(2).2 |
Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission or during reception including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Related control: AU-10. |
The information system maintains the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception. |
| CCI-002423 |
The information system implements cryptographic mechanisms to protect message externals (e.g., message headers and routing information) unless otherwise protected by organization-defined alternative physical safeguards. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement cryptographic mechanisms to protect message externals (e.g., message headers and routing information) unless otherwise protected by Protected Distribution System (PDS).
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2423.
DoD has defined the alternative physical safeguards as Protected Distribution System (PDS). |
The organization being inspected/assessed configures the information system to implement cryptographic mechanisms to protect message externals (e.g., message headers and routing information) unless otherwise protected by Protected Distribution System (PDS).
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2423.
DoD has defined the alternative physical safeguards as Protected Distribution System (PDS). |
Transmission Confidentiality And Integrity | Cryptographic Protection For Message Externals |
SC-8 (3) |
SC-8(3).1 |
This control enhancement addresses protection against unauthorized disclosure of information. Message externals include, for example, message headers/routing information. This control enhancement prevents the exploitation of message externals and applies to both internal and external networks or links that may be visible to individuals who are not authorized users. Header/routing information is sometimes transmitted unencrypted because the information is not properly identified by organizations as having significant value or because encrypting the information can result in lower network performance and/or higher costs. Alternative physical safeguards include, for example, protected distribution systems. Related controls: SC-12, SC-13. |
The information system implements cryptographic mechanisms to protect message externals unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]. |
| CCI-002424 |
The organization defines the alternative physical safeguards to be employed when cryptographic mechanisms are not implemented by the information system. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the alternative physical safeguards as Protected Distribution System (PDS). |
DoD has defined the alternative physical safeguards as Protected Distribution System (PDS). |
Transmission Confidentiality And Integrity | Conceal / Randomize Communications |
SC-8 (4) |
SC-8(4).1 |
This control enhancement addresses protection against unauthorized disclosure of information. Communication patterns include, for example, frequency, periods, amount, and predictability. Changes to communications patterns can reveal information having intelligence value especially when combined with other available information related to missions/business functions supported by organizational information systems. This control enhancement prevents the derivation of intelligence based on communications patterns and applies to both internal and external networks or links that may be visible to individuals who are not authorized users. Encrypting the links and transmitting in continuous, fixed/random patterns prevents the derivation of intelligence from the system communications patterns. Alternative physical safeguards include, for example, protected distribution systems. Related controls: SC-12, SC-13. |
The information system implements cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]. |
| CCI-002425 |
The information system implements cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by organization-defined alternative physical safeguards. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by Protected Distribution System (PDS).
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2426.
DoD has defined the alternative physical safeguards as Protected Distribution System (PDS). |
The organization being inspected/assessed configures the information system to implement cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by Protected Distribution System (PDS).
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2426.
DoD has defined the alternative physical safeguards as Protected Distribution System (PDS). |
Transmission Confidentiality And Integrity | Conceal / Randomize Communications |
SC-8 (4) |
SC-8(4).2 |
This control enhancement addresses protection against unauthorized disclosure of information. Communication patterns include, for example, frequency, periods, amount, and predictability. Changes to communications patterns can reveal information having intelligence value especially when combined with other available information related to missions/business functions supported by organizational information systems. This control enhancement prevents the derivation of intelligence based on communications patterns and applies to both internal and external networks or links that may be visible to individuals who are not authorized users. Encrypting the links and transmitting in continuous, fixed/random patterns prevents the derivation of intelligence from the system communications patterns. Alternative physical safeguards include, for example, protected distribution systems. Related controls: SC-12, SC-13. |
The information system implements cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]. |
| CCI-002427 |
The organization defines the alternative physical safeguards to be employed to protect message externals (e.g., message headers and routing information) when cryptographic mechanisms are not implemented. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the alternative physical safeguards as Protected Distribution System (PDS). |
DoD has defined the alternative physical safeguards as Protected Distribution System (PDS). |
Transmission Confidentiality And Integrity | Cryptographic Protection For Message Externals |
SC-8 (3) |
SC-8(3).2 |
This control enhancement addresses protection against unauthorized disclosure of information. Message externals include, for example, message headers/routing information. This control enhancement prevents the exploitation of message externals and applies to both internal and external networks or links that may be visible to individuals who are not authorized users. Header/routing information is sometimes transmitted unencrypted because the information is not properly identified by organizations as having significant value or because encrypting the information can result in lower network performance and/or higher costs. Alternative physical safeguards include, for example, protected distribution systems. Related controls: SC-12, SC-13. |
The information system implements cryptographic mechanisms to protect message externals unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]. |
| CCI-002426 |
The information system provides a trusted communications path that is logically isolated and distinguishable from other paths. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide a trusted communications path that is logically isolated and distinguishable from other paths.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2426. |
The organization being inspected/assessed configures the information system to provide a trusted communications path that is logically isolated and distinguishable from other paths.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2426. |
Trusted Path | Logical Isolation |
SC-11 (1) |
SC-11(1).1 |
|
The information system provides a trusted communications path that is logically isolated and distinguishable from other paths. |
| CCI-002428 |
The organization defines the requirements for cryptographic key generation to be employed within the information system. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the requirements for key generation as requirements for key generation defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems." |
DoD has defined the requirements for key generation as requirements for key generation defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems." |
Cryptographic Key Establishment And Management |
SC-12 |
SC-12.1 |
Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17. |
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. |
| CCI-002429 |
The organization defines the requirements for cryptographic key distribution to be employed within the information system. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the requirements for key distribution as requirements for key distribution defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems." |
DoD has defined the requirements for key distribution as requirements for key distribution defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems." |
Cryptographic Key Establishment And Management |
SC-12 |
SC-12.2 |
Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17. |
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. |
| CCI-002430 |
The organization defines the requirements for cryptographic key storage to be employed within the information system. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the requirements for key storage as requirements for key storage defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems." |
DoD has defined the requirements for key storage as requirements for key storage defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems." |
Cryptographic Key Establishment And Management |
SC-12 |
SC-12.3 |
Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17. |
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. |
| CCI-002431 |
The organization defines the requirements for cryptographic key access to be employed within the information system. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the requirements for key access as requirements for key access defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems." |
DoD has defined the requirements for key access as requirements for key access defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems." |
Cryptographic Key Establishment And Management |
SC-12 |
SC-12.4 |
Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17. |
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. |
| CCI-002432 |
The organization defines the requirements for cryptographic key destruction to be employed within the information system. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the requirements for key destruction as requirements for key destruction defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems." |
DoD has defined the requirements for key destruction as requirements for key destruction defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems." |
Cryptographic Key Establishment And Management |
SC-12 |
SC-12.5 |
Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17. |
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. |
| CCI-002433 |
The organization establishes cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key generation. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed establishes cryptographic keys for required cryptography employed within the information system in accordance with requirements for key generation defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems."
DoD has defined the requirements for key generation as requirements for key generation defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems." |
The organization being inspected/assessed documents and implements a process to establish cryptographic keys for required cryptography employed within the information system in accordance with requirements for key generation defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems."
DoD has defined the requirements for key generation as requirements for key generation defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems." |
Cryptographic Key Establishment And Management |
SC-12 |
SC-12.6 |
Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17. |
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. |
| CCI-002434 |
The organization establishes cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key distribution. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed establishes cryptographic keys for required cryptography employed within the information system in accordance with requirements for key distribution defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems."
DoD has defined the requirements for key distribution as requirements for key distribution defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems." |
The organization being inspected/assessed documents and implements a process to establish cryptographic keys for required cryptography employed within the information system in accordance with requirements for key distribution defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems."
DoD has defined the requirements for key distribution as requirements for key distribution defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems." |
Cryptographic Key Establishment And Management |
SC-12 |
SC-12.7 |
Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17. |
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. |
| CCI-002435 |
The organization establishes cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key storage. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed establishes cryptographic keys for required cryptography employed within the information system in accordance with requirements for key storage defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems."
DoD has defined the requirements for key storage as requirements for key storage defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems." |
The organization being inspected/assessed documents and implements a process to establish cryptographic keys for required cryptography employed within the information system in accordance with requirements for key storage defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems."
DoD has defined the requirements for key storage as requirements for key storage defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems." |
Cryptographic Key Establishment And Management |
SC-12 |
SC-12.8 |
Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17. |
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. |
| CCI-002436 |
The organization establishes cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key access. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed establishes cryptographic keys for required cryptography employed within the information system in accordance with requirements for key access defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems."
DoD has defined the requirements for key access as requirements for key access defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems." |
The organization being inspected/assessed documents and implements a process to establish cryptographic keys for required cryptography employed within the information system in accordance with requirements for key access defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems."
DoD has defined the requirements for key access as requirements for key access defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems." |
Cryptographic Key Establishment And Management |
SC-12 |
SC-12.9 |
Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17. |
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. |
| CCI-002437 |
The organization establishes cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key destruction. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed establishes cryptographic keys for required cryptography employed within the information system in accordance with requirements for key destruction defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems."
DoD has defined the requirements for key destruction as requirements for key destruction defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems." |
The organization being inspected/assessed documents and implements a process to establish cryptographic keys for required cryptography employed within the information system in accordance with requirements for key destruction defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems."
DoD has defined the requirements for key destruction as requirements for key destruction defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems." |
Cryptographic Key Establishment And Management |
SC-12 |
SC-12.10 |
Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17. |
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. |
| CCI-002438 |
The organization manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key generation. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed manages cryptographic keys for required cryptography employed within the information system in accordance with requirements for key destruction defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems."
DoD has defined the requirements for key generation as requirements for key destruction defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems." |
The organization being inspected/assessed documents and implements a process to manage cryptographic keys for required cryptography employed within the information system in accordance with requirements for key destruction defined DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems."
DoD has defined the requirements for key generation as requirements for key destruction defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems." |
Cryptographic Key Establishment And Management |
SC-12 |
SC-12.11 |
Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17. |
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. |
| CCI-002439 |
The organization manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key distribution. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed manages cryptographic keys for required cryptography employed within the information system in accordance with requirements for key distribution defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems."
DoD has defined the requirements for key distribution as requirements for key distribution defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems." |
The organization being inspected/assessed documents and implements a process to manage cryptographic keys for required cryptography employed within the information system in accordance with requirements for key distribution defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems."
DoD has defined the requirements for key distribution as requirements for key distribution defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems." |
Cryptographic Key Establishment And Management |
SC-12 |
SC-12.12 |
Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17. |
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. |
| CCI-002440 |
The organization manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key storage. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed manages cryptographic keys for required cryptography employed within the information system in accordance with requirements for key storage defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems."
DoD has defined the requirements for key storage as requirements for key storage defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems." |
The organization being inspected/assessed documents and implements a process to manage cryptographic keys for required cryptography employed within the information system in accordance with requirements for key storage defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems."
DoD has defined the requirements for key storage as requirements for key storage defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems." |
Cryptographic Key Establishment And Management |
SC-12 |
SC-12.13 |
Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17. |
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. |
| CCI-002441 |
The organization manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key access. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed manages cryptographic keys for required cryptography employed within the information system in accordance with requirements for key access defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems."
DoD has defined the requirements for key access as requirements for key access defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems." |
The organization being inspected/assessed documents and implements a process to manage cryptographic keys for required cryptography employed within the information system in accordance with requirements for key access defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems."
DoD has defined the requirements for key access as requirements for key access defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems." |
Cryptographic Key Establishment And Management |
SC-12 |
SC-12.14 |
Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17. |
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. |
| CCI-002442 |
The organization manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key destruction. |
The organization being inspected/assessed documents and implements a process to manage cryptographic keys for required cryptography employed within the information system in accordance with requirements for key destruction defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems."
DoD has defined the requirements for key destruction as requirements for key destruction defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems." |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed manages cryptographic keys for required cryptography employed within the information system in accordance with requirements for key destruction defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems."
DoD has defined the requirements for key destruction as requirements for key destruction defined in DoDI 8520.02 "Public Key Infrastructure and Public Key Enabling" and DoDI 8520.03 "Identity Authentication for Information Systems." |
Cryptographic Key Establishment And Management |
SC-12 |
SC-12.15 |
Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17. |
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. |
| CCI-002443 |
The organization produces symmetric cryptographic keys using NIST FIPS-compliant or NSA-approved key management technology and processes. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed produces appropriate symmetric cryptographic keys using NIST FIPS-compliant or NSA-approved key management technology and processes. |
The organization being inspected/assessed documents and implements a process to produce symmetric cryptographic keys using NIST FIPS-compliant or NSA-approved key management technology and processes. An example process would be implementation of Key Management Infrastructure (KMI).
DoD requires a minimum of NIST approved cryptography for unclassified systems. Classified systems require NSA approved cryptography. |
Cryptographic Key Establishment And Management | Symmetric Keys |
SC-12 (2) |
SC-12(2).1 |
|
The organization produces, controls, and distributes symmetric cryptographic keys using [Selection: NIST FIPS-compliant; NSA-approved] key management technology and processes. |
| CCI-002444 |
The organization controls symmetric cryptographic keys using NIST FIPS-compliant or NSA-approved key management technology and processes. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed controls appropriate symmetric cryptographic keys using NIST FIPS-compliant or NSA-approved key management technology and processes. |
The organization being inspected/assessed documents and implements a process to control symmetric cryptographic keys using NIST FIPS-compliant or NSA-approved key management technology and processes. An example process would be implementation of Key Management Infrastructure (KMI).
DoD requires a minimum of NIST approved cryptography for unclassified systems. Classified systems require NSA approved cryptography. |
Cryptographic Key Establishment And Management | Symmetric Keys |
SC-12 (2) |
SC-12(2).2 |
|
The organization produces, controls, and distributes symmetric cryptographic keys using [Selection: NIST FIPS-compliant; NSA-approved] key management technology and processes. |
| CCI-002445 |
The organization distributes symmetric cryptographic keys using NIST FIPS-compliant or NSA-approved key management technology and processes. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed distributes appropriate symmetric cryptographic keys using NIST FIPS-compliant or NSA-approved key management technology and processes. |
The organization being inspected/assessed documents and implements a process to distribute symmetric cryptographic keys using NIST FIPS-compliant or NSA-approved key management technology and processes.
DoD requires a minimum of NIST approved cryptography for unclassified systems. Classified systems require NSA approved cryptography. |
Cryptographic Key Establishment And Management | Symmetric Keys |
SC-12 (2) |
SC-12(2).3 |
|
The organization produces, controls, and distributes symmetric cryptographic keys using [Selection: NIST FIPS-compliant; NSA-approved] key management technology and processes. |
| CCI-002446 |
The organization produces asymmetric cryptographic keys using: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; or approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user^s private key. |
The organization conducting the inspection/assessment obtains and examines any applicable evidence of asymmetric cryptographic key production to ensure the organization being inspected/assessed produces asymmetric cryptographic keys using: NSA-approved key management technology and processes; approved PKI medium certificates or prepositioned keying material; or, approved PKI medium or FORTEZZA certificates and hardware security tokens that protect the user's private key. |
The organization being inspected/assessed implements a process to produce asymmetric cryptographic keys using: NSA-approved key management technology and processes; approved PKI medium certificates or prepositioned keying material; or, approved PKI medium or FORTEZZA certificates and hardware security tokens that protect the user's private key. |
Cryptographic Key Establishment And Management | Asymmetric Keys |
SC-12 (3) |
SC-12(3).1 |
|
The organization produces, controls, and distributes asymmetric cryptographic keys using [Selection: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key]. |
| CCI-002447 |
The organization controls asymmetric cryptographic keys using: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; or approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user^s private key. |
The organization conducting the inspection/assessment obtains and examines any applicable evidence of asymmetric cryptographic key control to ensure the organization being inspected/assessed controls asymmetric cryptographic keys using: NSA-approved key management technology and processes; approved PKI medium certificates or prepositioned keying material; or, approved PKI medium or FORTEZZA certificates and hardware security tokens that protect the user's private key. |
The organization being inspected/assessed implements a process to control asymmetric cryptographic keys using: NSA-approved key management technology and processes; approved PKI medium certificates or prepositioned keying material; or, approved PKI medium or FORTEZZA certificates and hardware security tokens that protect the user's private key. |
Cryptographic Key Establishment And Management | Asymmetric Keys |
SC-12 (3) |
SC-12(3).2 |
|
The organization produces, controls, and distributes asymmetric cryptographic keys using [Selection: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key]. |
| CCI-002448 |
The organization distributes asymmetric cryptographic keys using: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; or approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user^s private key. |
The organization conducting the inspection/assessment obtains and examines any applicable evidence of asymmetric cryptographic key distribution to ensure the organization being inspected/assessed distributes asymmetric cryptographic keys using: NSA-approved key management technology and processes; approved PKI medium certificates or prepositioned keying material; or, approved PKI medium or FORTEZZA certificates and hardware security tokens that protect the user's private key. |
The organization being inspected/assessed implements a process to distribute asymmetric cryptographic keys using: NSA-approved key management technology and processes; approved PKI medium certificates or prepositioned keying material; or, approved PKI medium or FORTEZZA certificates and hardware security tokens that protect the user's private key. |
Cryptographic Key Establishment And Management | Asymmetric Keys |
SC-12 (3) |
SC-12(3).3 |
|
The organization produces, controls, and distributes asymmetric cryptographic keys using [Selection: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key]. |
| CCI-002449 |
The organization defines the cryptographic uses, and type of cryptography required for each use, to be implemented by the information system. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the cryptographic uses and type of cryptography required for each use as protection of classified information: NSA-approved cryptography; provision of digital signatures and hashing: FIPS-validated cryptography. |
DoD has defined the cryptographic uses and type of cryptography required for each use as protection of classified information: NSA-approved cryptography; provision of digital signatures and hashing: FIPS-validated cryptography. |
Cryptographic Protection |
SC-13 |
SC-13.1 |
Cryptography can be employed to support a variety of security solutions including, for example, the protection of classified and Controlled Unclassified Information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. This control does not impose any requirements on organizations to use cryptography. However, if cryptography is required based on the selection of other security controls, organizations define each type of cryptographic use and the type of cryptography required (e.g., protection of classified information: NSA-approved cryptography; provision of digital signatures: FIPS-validated cryptography). Related controls: AC-2, AC-3, AC-7, AC-17, AC-18, AU-9, AU-10, CM-11, CP-9, IA-3, IA-7, MA-4, MP-2, MP-4, MP-5, SA-4, SC-8, SC-12, SC-28, SI-7. |
The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. |
| CCI-002450 |
The information system implements organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement, for, protection of classified information: NSA-approved cryptography; for provision of digital signatures and hashing: FIPS-validated cryptography in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2450.
DoD has defined the cryptographic uses and type of cryptography required for each use as protection of classified information: NSA-approved cryptography; provision of digital signatures and hashing: FIPS-validated cryptography. |
The organization being inspected/assessed configures the information system to implement, for, protection of classified information: NSA-approved cryptography; for provision of digital signatures and hashing: FIPS-validated cryptography in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2450.
DoD has defined the cryptographic uses and type of cryptography required for each use as protection of classified information: NSA-approved cryptography; provision of digital signatures and hashing: FIPS-validated cryptography. |
Cryptographic Protection |
SC-13 |
SC-13.2 |
Cryptography can be employed to support a variety of security solutions including, for example, the protection of classified and Controlled Unclassified Information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. This control does not impose any requirements on organizations to use cryptography. However, if cryptography is required based on the selection of other security controls, organizations define each type of cryptographic use and the type of cryptography required (e.g., protection of classified information: NSA-approved cryptography; provision of digital signatures: FIPS-validated cryptography). Related controls: AC-2, AC-3, AC-7, AC-17, AC-18, AU-9, AU-10, CM-11, CP-9, IA-3, IA-7, MA-4, MP-2, MP-4, MP-5, SA-4, SC-8, SC-12, SC-28, SI-7. |
The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. |
| CCI-002451 |
The organization defines the information systems or information system components from which collaborative computing devices in organization-defined secure work areas are to be disabled or removed. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined information systems or information system components as any device used that may incorporate camera, microphone, or smart board capability. |
DoD has defined information systems or information system components as any device used that may incorporate camera, microphone, or smart board capability. |
Collaborative Computing Devices | Disabling / Removal In Secure Work Areas |
SC-15 (3) |
SC-15(3).3 |
Failing to disable or remove collaborative computing devices from information systems or information system components can result in subsequent compromises of organizational information including, for example, eavesdropping on conversations. |
The organization disables or removes collaborative computing devices from [Assignment: organization-defined information systems or information system components] in [Assignment: organization-defined secure work areas]. |
| CCI-002452 |
The organization defines the online meetings and teleconferences for which the information system provides an explicit indication of current participants. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the online meetings and teleconferences as all VTC and all IP based online meetings and conferences (excludes audio only teleconferences using traditional telephony). |
DoD has defined the online meetings and teleconferences as all VTC and all IP based online meetings and conferences (excludes audio only teleconferences using traditional telephony). |
Collaborative Computing Devices | Explicitly Indicate Current Participants |
SC-15 (4) |
SC-15(4).1 |
This control enhancement helps to prevent unauthorized individuals from participating in collaborative computing sessions without the explicit knowledge of other participants. |
The information system provides an explicit indication of current participants in [Assignment: organization-defined online meetings and teleconferences]. |
| CCI-002453 |
The information system provides an explicit indication of current participants in organization-defined online meetings and teleconferences. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide an explicit indication of current participants in all VTC and all IP based online meetings and conferences (excludes audio only teleconferences using traditional telephony).
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2453.
DoD has defined the online meetings and teleconferences as all VTC and all IP based online meetings and conferences (excludes audio only teleconferences using traditional telephony). |
The organization being inspected/assessed configures the information system to provide an explicit indication of current participants in all VTC and all IP based online meetings and conferences (excludes audio only teleconferences using traditional telephony).
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2453.
DoD has defined the online meetings and teleconferences as all VTC and all IP based online meetings and conferences (excludes audio only teleconferences using traditional telephony). |
Collaborative Computing Devices | Explicitly Indicate Current Participants |
SC-15 (4) |
SC-15(4).2 |
This control enhancement helps to prevent unauthorized individuals from participating in collaborative computing sessions without the explicit knowledge of other participants. |
The information system provides an explicit indication of current participants in [Assignment: organization-defined online meetings and teleconferences]. |
| CCI-002454 |
The organization defines the security attributes the information system is to associate with the information being exchanged between information systems and between information system components. |
The organization conducting the inspection/assessment obtains and examines the documented security attributes to ensure the organization being inspected/assessed defines the security attributes the information system is to associate with the information being exchanged between information systems and between information system components.
DoD has determined the security attributes are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security attributes the information system is to associate with the information being exchanged between information systems and between information system components.
DoD has determined the security attributes are not appropriate to define at the Enterprise level. |
Transmission Of Security Attributes |
SC-16 |
SC-16.2 |
Security attributes can be explicitly or implicitly associated with the information contained in organizational information systems or system components. Related controls: AC-3, AC-4, AC-16. |
The information system associates [Assignment: organization-defined security attributes] with information exchanged between information systems and between system components.
|
| CCI-002455 |
The information system associates organization-defined security attributes with information exchanged between information system components. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to associate the security attributes defined in SC-16, CCI 2454 with information exchanged between information system components.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2455. |
The organization being inspected/assessed configures the information system to associate the security attributes defined in SC-16, CCI 2454 with information exchanged between information system components.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2455. |
Transmission Of Security Attributes |
SC-16 |
SC-16.3 |
Security attributes can be explicitly or implicitly associated with the information contained in organizational information systems or system components. Related controls: AC-3, AC-4, AC-16. |
The information system associates [Assignment: organization-defined security attributes] with information exchanged between information systems and between system components.
|
| CCI-002456 |
The organization defines the certificate policy employed to issue public key certificates. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the certificate policy as DoDI 8520.02, "Public Key Infrastructure (PKI) and Public Key (PK) Enabling. |
DoD has defined the certificate policy as DoDI 8520.02, "Public Key Infrastructure (PKI) and Public Key (PK) Enabling." |
Public Key Infrastructure Certificates |
SC-17 |
SC-17.2 |
For all certificates, organizations manage information system trust stores to ensure only approved trust anchors are in the trust stores. This control addresses both certificates with visibility external to organizational information systems and certificates related to the internal operations of systems, for example, application-specific time services. Related control: SC-12. |
The organization issues public key certificates under an [Assignment: organization defined certificate policy] or obtains public key certificates from an approved service provider. |
| CCI-002457 |
The organization defines the corrective actions to be taken when organization-defined unacceptable mobile code is identified. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the corrective actions to be taken when organization-defined unacceptable mobile code is identified as the corrective actions defined in the Protection Profile for Web Browsers and Application SRG.
|
DoD has defined the corrective actions to be taken when organization-defined unacceptable mobile code is identified as the corrective actions defined in the Protection Profile for Web Browsers and Application SRG.
|
Mobile Code | Identify Unacceptable Code / Take Corrective Actions |
SC-18 (1) |
SC-18(1).3 |
Corrective actions when unacceptable mobile code is detected include, for example, blocking, quarantine, or alerting administrators. Blocking includes, for example, preventing transmission of word processing files with embedded macros when such macros have been defined to be unacceptable mobile code. |
The information system identifies [Assignment: organization-defined unacceptable mobile code] and takes [Assignment: organization-defined corrective actions]. |
| CCI-002458 |
The organization defines what constitutes unacceptable mobile code for its information systems. |
The organization conducting the inspection/assessmenet obtains and examines the documented acceptable and unacceptable mobile code and mobile code technologies to ensure the organization being inspected/assessed defines unacceptable mobile code IAW the Protection Profile for Web Browsers and Application SRG.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has defined unacceptable mobile code IAW the applicable STIGs and SRGs pertaining to CCI 2458.
DoD has determined the unnacceptable mobile code is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents unacceptable mobile code IAW the Protection Profile for Web Browsers and Application SRG.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must define IAW the STIG/SRG guidance that pertains to CCI 2458.
DoD has determined the unnacceptable mobile code is not appropriate to define at the Enterprise level. |
Mobile Code | Identify Unacceptable Code / Take Corrective Actions |
SC-18 (1) |
SC-18(1).4 |
Corrective actions when unacceptable mobile code is detected include, for example, blocking, quarantine, or alerting administrators. Blocking includes, for example, preventing transmission of word processing files with embedded macros when such macros have been defined to be unacceptable mobile code. |
The information system identifies [Assignment: organization-defined unacceptable mobile code] and takes [Assignment: organization-defined corrective actions]. |
| CCI-002459 |
The organization defines the unacceptable mobile code of which the information system is to prevent download and execution. |
The organization conducting the inspection/assessmenet obtains and examines the documented unacceptable mobile code to ensure the organization being inspected/assessed defines unacceptable mobile code of which the information system is to prevent download and execution IAW the Protection Profile for Web Browsers and Application SRG.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has defined unacceptable mobile code IAW the applicable STIGs and SRGs pertaining to CCI 2459.
DoD has determined the unnaceptable mobile code is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents unacceptable mobile code of which the information system is to prevent download and execution IAW the Protection Profile for Web Browsers and Application SRG.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must define IAW the STIG/SRG guidance that pertains to CCI 2459.
DoD has determined the unnaceptable mobile code is not appropriate to define at the Enterprise level. |
Mobile Code | Prevent Downloading / Execution |
SC-18 (3) |
SC-18(3).3 |
|
The information system prevents the download and execution of [Assignment: organization defined unacceptable mobile code]. |
| CCI-002460 |
The information system enforces organization-defined actions prior to executing mobile code. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prompt the user prior to executing the code.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2460.
DoD has defined the actions as the user be prompted.
|
The organization being inspected/assessed configures the information system to prompt the user prior to executing the code.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2460.
DoD has defined the actions as the user be prompted. |
Mobile Code | Prevent Automatic Execution |
SC-18 (4) |
SC-18(4).4 |
Actions enforced before executing mobile code, include, for example, prompting users prior to opening electronic mail attachments. Preventing automatic execution of mobile code includes, for example, disabling auto execute features on information system components employing portable storage devices such as Compact Disks (CDs), Digital Video Disks (DVDs), and Universal Serial Bus (USB) devices. |
The information system prevents the automatic execution of mobile code in [Assignment: organization-defined software applications] and enforces [Assignment: organization-defined actions] prior to executing the code. |
| CCI-002461 |
The organization allows execution of permitted mobile code only in confined virtual machine environments. |
The organization conducting the inspection/assessment obtains and examines the system and communications protection policy and inspects the information systems to ensure the organization being inspected/assessed implements mechanisms to allow the execution of permitted mobile code only in confined virtual machine environments. |
The organization being inspected/assessed documents within the system and communications protection policy and implements mechanisms to allow the execution of permitted mobile code only in confined virtual machine environments.
Unacceptable mobile code is defined in SC-18 (3).
|
Mobile Code | Allow Execution Only In Confined Environments |
SC-18 (5) |
SC-18(5).1 |
|
The organization allows execution of permitted mobile code only in confined virtual machine environments. |
| CCI-002462 |
The information system provides additional data integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries. |
The organization conducting the inspection/assessment:
1. inspects the configuration files for the presence of DNSSEC records for each A record hosted in a zone;
2. utilizes DNSSEC diagnostic tools, such as dig; and
3. performs queries which will exercise the data flow path for authoritative name resolution services.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs that determine the name server software configuration files and pertain to CCI 2462. |
The organization being inspected/assessed configures the authoritative name server software for external queries to enable DNSSEC and creates resource records with digital signatures (RRSig) for each A record.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that determines the name server software configuration files and pertains to CCI 2462. |
Secure Name / Address Resolution Service (Authoritative Source) |
SC-20 |
SC-20.2 |
This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data. Related controls: AU-10, SC-8, SC-12, SC-13, SC-21, SC-22. |
The information system:
a. Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
b. Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace. |
| CCI-002463 |
The information system provides data origin artifacts for internal name/address resolution queries. |
The organization conducting the inspection/assessment:
1. inspects the configuration files for the presence of DNSSEC records for each A record hosted in a zone;
2. utilizes DNSSEC diagnostic tools, such as dig; and
3. performs queries which will exercise the data flow path for authoritative name resolution services.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs that determine the name server software configuration files and pertain to CCI 2463. |
The organization being inspected/assessed configures the authoritative name server software for internal queries to enable DNSSEC and creates resource records with digital signatures (RRSig) for each A record.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that determines the name server software configuration files and pertains to CCI 2463. |
Secure Name / Address Resolution Service (Authoritative Source) | Data Origin / Integrity |
SC-20 (2) |
SC-20(2).1 |
|
The information system provides data origin and integrity protection artifacts for internal name/address resolution queries. |
| CCI-002464 |
The information system provides data integrity protection artifacts for internal name/address resolution queries. |
The organization conducting the inspection/assessment:
1. inspects the configuration files for the presence of DNSSEC records for each A record hosted in a zone;
2. utilizes DNSSEC diagnostic tools, such as dig; and
3. performs queries which will exercise the data flow path for authoritative name resolution services.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs that determine the name server software configuration files and pertain to CCI 2464. |
The organization being inspected/assessed configures the authoritative name server software for internal software to enable DNSSEC and creates resource records with digital signatures(RRSig) for each A record.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that determines the name server software configuration files and pertains to CCI 2464. |
Secure Name / Address Resolution Service (Authoritative Source) | Data Origin / Integrity |
SC-20 (2) |
SC-20(2).2 |
|
The information system provides data origin and integrity protection artifacts for internal name/address resolution queries. |
| CCI-002465 |
The information system requests data origin authentication verification on the name/address resolution responses the system receives from authoritative sources. |
The organization conducting the inspection/assessment utilizes DNSSEC diagnostic tools, such as dig, and performs queries which will exercise the data flow path for recursive name resolution services.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs that determine the name server software configuration files and pertain to CCI 2465. |
The organization being inspected/assessed configures the:
1. recursive/caching name server software to enable DNSSEC;
2. software to enable DNSSEC validation; and
3. software to establish a secure entry point trust anchor by installing key signing keys in the software configuration of trusted keys.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that determines the name server software configuration files and pertains to CCI 2465. |
Secure Name / Address Resolution Service (Recursive Or Caching Resolver) |
SC-21 |
SC-21.1 |
Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data. Related controls: SC-20, SC-22. |
The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources. |
| CCI-002466 |
The information system requests data integrity verification on the name/address resolution responses the system receives from authoritative sources. |
The organization conducting the inspection/assessment utilizes DNSSEC diagnostic tools, such as dig, and performs queries which will exercise the data flow path for recursive name resolution services.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs that determine the name server software configuration files and pertain to CCI 2466. |
The organization being inspected/assessed configures the:
1. recursive/caching name server software to enable DNSSEC;
2. software to enable DNSSEC validation; and
3. software to establish a secure entry point trust anchor by installing key signing keys in the software configuration of trusted keys.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that determines the name server software configuration files and pertains to CCI 2466. |
Secure Name / Address Resolution Service (Recursive Or Caching Resolver) |
SC-21 |
SC-21.2 |
Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data. Related controls: SC-20, SC-22. |
The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources. |
| CCI-002467 |
The information system performs data integrity verification on the name/address resolution responses the system receives from authoritative sources. |
The organization conducting the inspection/assessment utilizes DNSSEC diagnostic tools, such as dig, and performs queries which will exercise the data flow path for recursive name resolution services.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs that determine the name server software configuration files and pertain to CCI 2467. |
The organization being inspected/assessed configures the:
1. recursive/caching name server software to enable DNSSEC;
2. software to enable DNSSEC validation; and
3. software to establish a secure entry point trust anchor by installing key signing keys in the software configuration of trusted keys.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that determines the name server software configuration files and pertains to CCI 2467. |
Secure Name / Address Resolution Service (Recursive Or Caching Resolver) |
SC-21 |
SC-21.3 |
Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data. Related controls: SC-20, SC-22. |
The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources. |
| CCI-002468 |
The information system performs data origin verification authentication on the name/address resolution responses the system receives from authoritative sources. |
The organization conducting the inspection/assessment utilizes DNSSEC diagnostic tools, such as dig, and performs queries which will exercise the data flow path for recursive name resolution services.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs that determine the name server software configuration files and pertain to CCI 2468. |
The organization being inspected/assessed configures the:
1. recursive/caching name server software to enable DNSSEC;
2. software to enable DNSSEC validation; and
3. software to establish a secure entry point trust anchor by installing key signing keys in the software configuration of trusted keys.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that determines the name server software configuration files and pertains to CCI 2468. |
Secure Name / Address Resolution Service (Recursive Or Caching Resolver) |
SC-21 |
SC-21.4 |
Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data. Related controls: SC-20, SC-22. |
The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources. |
| CCI-002469 |
The organization defines the certificate authorities the information system will allow to be used on the information system. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the certificate authorities as DoD PKI established certificate authorities. |
DoD has defined the certificate authorities as DoD PKI established certificate authorities. |
Session Authenticity | Allowed Certificate Authorities |
SC-23 (5) |
SC-23(5).1 |
Reliance on certificate authorities (CAs) for the establishment of secure sessions includes, for example, the use of Secure Socket Layer (SSL) and/or Transport Layer Security (TLS) certificates. These certificates, after verification by the respective certificate authorities, facilitate the establishment of protected sessions between web clients and web servers. Related control: SC-13. |
The information system only allows the installation of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions. |
| CCI-002470 |
The information system only allows the use of organization-defined certificate authorities for verification of the establishment of protected sessions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2470.
DoD has defined the certificate authorities as DoD PKI established certificate authorities. |
The organization being inspected/assessed configures the information system to allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2470.
DoD has defined the certificate authorities as DoD PKI established certificate authorities. |
Session Authenticity | Allowed Certificate Authorities |
SC-23 (5) |
SC-23(5).2 |
Reliance on certificate authorities (CAs) for the establishment of secure sessions includes, for example, the use of Secure Socket Layer (SSL) and/or Transport Layer Security (TLS) certificates. These certificates, after verification by the respective certificate authorities, facilitate the establishment of protected sessions between web clients and web servers. Related control: SC-13. |
The information system only allows the installation of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions. |
| CCI-002471 |
The organization defines the information system components, with minimal functionality and information storage, to be employed. |
The organization conducting the inspection/assessment obtains and examines the documented information system components to ensure the organization being inspected/assessed defines the information system components, with minimal functionality and information storage, to be employed.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information system components, with minimal functionality and information storage, to be employed.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
Thin Nodes |
SC-25 |
SC-25.2 |
The deployment of information system components with reduced/minimal functionality (e.g., diskless nodes and thin client technologies) reduces the need to secure every user endpoint, and may reduce the exposure of information, information systems, and services to cyber attacks. Related control: SC-30. |
The organization employs [Assignment: organization-defined information system components] with minimal functionality and information storage. |
| CCI-002472 |
The organization defines the information at rest that is to be protected by the information system. |
The organization conducting the inspection/assessment obtains and examines the documented information at rest to ensure the organization being inspected/assessed defines and documents the information at rest that is to be protected by the information system which must include, at a minimum, PII and classified information.
DoD has determined the information at rest is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information at rest that is to be protected by the information system which must include, at a minimum, PII and classified information.
DoD has determined the information at rest is not appropriate to define at the Enterprise level. |
Protection Of Information At Rest |
SC-28 |
SC-28.2 |
This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and/or continuous monitoring to identify malicious code at rest. Related controls: AC-3, AC-6, CA-7, CM-3, CM-5, CM-6, PE-3, SC-8, SC-13, SI-3, SI-7. |
The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]. |
| CCI-002473 |
The organization defines the information at rest for which cryptographic mechanisms will be implemented. |
The organization conducting the inspection/assessment obtains and examines the documented information at rest to ensure the organization being inspected/assessed defines and documents the information at rest that is to be protected by the information system which must include, at a minimum, PII and classified information.
DoD has determined the information at rest is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information at rest that is to be protected by the information system which must include, at a minimum, PII and classified information.
DoD has determined the information at rest is not appropriate to define at the Enterprise level. |
Protection Of Information At Rest | Cryptographic Protection |
SC-28 (1) |
SC-28(1).1 |
Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category and/or classification of the information. This control enhancement applies to significant concentrations of digital media in organizational areas designated for media storage and also to limited quantities of media generally associated with information system components in operational environments (e.g., portable storage devices, mobile devices). Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Organizations employing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions. Related controls: AC-19, SC-12. |
The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components]. |
| CCI-002474 |
The organization defines the information system components which require the implementation of cryptographic mechanisms to prevent unauthorized disclosure and modification of organization-defined information at rest. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the information system components as any information system components storing data defined in SC-28 (1), 2473. |
DoD has defined the information system components as any information system components storing data defined in SC-28 (1), 2473. |
Protection Of Information At Rest | Cryptographic Protection |
SC-28 (1) |
SC-28(1).2 |
Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category and/or classification of the information. This control enhancement applies to significant concentrations of digital media in organizational areas designated for media storage and also to limited quantities of media generally associated with information system components in operational environments (e.g., portable storage devices, mobile devices). Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Organizations employing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions. Related controls: AC-19, SC-12. |
The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components]. |
| CCI-002475 |
The information system implements cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement cryptographic mechanisms to prevent unauthorized modification of information at rest defined in SC-28 (1), CCI 2473 on any information system components storing data defined in SC-28 (1), 2473.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2475.
DoD has defined the information system components as any information system components storing data defined in SC-28 (1), 2473. |
The organization being inspected/assessed configures the information system to implement cryptographic mechanisms to prevent unauthorized modification of information at rest defined in SC-28 (1), CCI 2473 on any information system components storing data defined in SC-28 (1), 2473.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2475.
DoD has defined the information system components as any information system components storing data defined in SC-28 (1), 2473. |
Protection Of Information At Rest | Cryptographic Protection |
SC-28 (1) |
SC-28(1).3 |
Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category and/or classification of the information. This control enhancement applies to significant concentrations of digital media in organizational areas designated for media storage and also to limited quantities of media generally associated with information system components in operational environments (e.g., portable storage devices, mobile devices). Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Organizations employing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions. Related controls: AC-19, SC-12. |
The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components]. |
| CCI-002476 |
The information system implements cryptographic mechanisms to prevent unauthorized disclosure of organization-defined information at rest on organization-defined information system components. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement cryptographic mechanisms to prevent unauthorized disclosure of information at rest defined in SC-28 (1), CCI 2473 on any information system components storing data defined in SC-28 (1), 2473.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2476.
DoD has defined the information system components as any information system components storing data defined in SC-28 (1), 2473. |
The organization being inspected/assessed configures the information system to implement cryptographic mechanisms to prevent unauthorized disclosure of information at rest defined in SC-28 (1), CCI 2473 on any information system components storing data defined in SC-28 (1), 2473.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2476.
DoD has defined the information system components as any information system components storing data defined in SC-28 (1), 2473. |
Protection Of Information At Rest | Cryptographic Protection |
SC-28 (1) |
SC-28(1).4 |
Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category and/or classification of the information. This control enhancement applies to significant concentrations of digital media in organizational areas designated for media storage and also to limited quantities of media generally associated with information system components in operational environments (e.g., portable storage devices, mobile devices). Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Organizations employing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions. Related controls: AC-19, SC-12. |
The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components]. |
| CCI-002477 |
The organization defines the information at rest to be removed from online storage and stored in an off-line secure location. |
The organization conducting the inspection/assessment obtains and examines the documented information to ensure the organization being inspected/assessed defines the information at rest to be removed from on-line storage and stored in an off-line secure location.
DoD has determined the information is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information at rest to be removed from on-line storage and stored in an off-line secure location.
DoD has determined the information is not appropriate to define at the Enterprise level. |
Protection Of Information At Rest | Off-Line Storage |
SC-28 (2) |
SC-28(2).1 |
Removing organizational information from online information system storage to off-line storage eliminates the possibility of individuals gaining unauthorized access to the information through a network. Therefore, organizations may choose to move information to off-line storage in lieu of protecting such information in online storage. |
The organization removes from online storage and stores off-line in a secure location [Assignment: organization-defined information]. |
| CCI-002478 |
The organization removes organization-defined information at rest from online storage. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed removes information at rest defined in SC-28 (2), CCI 2477 from online storage.
Additionally, the organization conducting the inspection/assessment examines the information system to ensure that information defined in SC-28 (2), CCI 2477 is not stored on the information system. |
The organization being inspected/assessed documents and implements a process to remove information at rest defined in SC-28 (2), CCI 2477 from online storage. |
Protection Of Information At Rest | Off-Line Storage |
SC-28 (2) |
SC-28(2).2 |
Removing organizational information from online information system storage to off-line storage eliminates the possibility of individuals gaining unauthorized access to the information through a network. Therefore, organizations may choose to move information to off-line storage in lieu of protecting such information in online storage. |
The organization removes from online storage and stores off-line in a secure location [Assignment: organization-defined information]. |
| CCI-002479 |
The organization stores organization-defined information at rest in an off-line secure location. |
The organization conducting the inspection/assessment obtains and examines the documented process and off-line storage records to ensure the organization being inspected/assessed stores information at rest defined in SC-28 (2), CCI 2477 in an off-line secure location. |
The organization being inspected/assessed documents and implements a process to store information at rest defined in SC-28 (2), CCI 2477 in an off-line secure location. |
Protection Of Information At Rest | Off-Line Storage |
SC-28 (2) |
SC-28(2).3 |
Removing organizational information from online information system storage to off-line storage eliminates the possibility of individuals gaining unauthorized access to the information through a network. Therefore, organizations may choose to move information to off-line storage in lieu of protecting such information in online storage. |
The organization removes from online storage and stores off-line in a secure location [Assignment: organization-defined information]. |
| CCI-002480 |
The organization defines the information system components for which a diverse set of information technologies are to be employed. |
The organization conducting the inspection/assessment obtains and examines the documented information system components to ensure the organization being inspected/assessed defines the information system components for which a diverse set of information technologies are to be employed.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information system components for which a diverse set of information technologies are to be employed.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
Heterogeneity |
SC-29 |
SC-29.2 |
Increasing the diversity of information technologies within organizational information systems reduces the impact of potential exploitations of specific technologies and also defends against common mode failures, including those failures induced by supply chain attacks. Diversity in information technologies also reduces the likelihood that the means adversaries use to compromise one information system component will be equally effective against other system components, thus further increasing the adversary work factor to successfully complete planned cyber attacks. An increase in diversity may add complexity and management overhead which could ultimately lead to mistakes and unauthorized configurations. Related controls: SA-12, SA-14, SC-27. |
The organization employs a diverse set of information technologies for [Assignment: organization-defined information system components] in the implementation of the information system. |
| CCI-002481 |
The organization employs virtualization techniques to support the deployment of a diversity of applications that are changed per organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the hardware and software lists to ensure the organization being inspected/assessed employs virtualization techniques to support the deployment of a diversity of applications that are changed per the frequency defined in SC-29 (1), CCI 1204. |
The organization being inspected/assessed designs the information system to employ virtualization techniques to support the deployment of a diversity of applications that are changed per the frequency defined in SC-29 (1), CCI 1204. |
Heterogeneity | Virtualization Techniques |
SC-29 (1) |
SC-29(1).3 |
While frequent changes to operating systems and applications pose configuration management challenges, the changes can result in an increased work factor for adversaries in order to carry out successful cyber attacks. Changing virtual operating systems or applications, as opposed to changing actual operating systems/applications, provide virtual changes that impede attacker success while reducing configuration management efforts. In addition, virtualization techniques can assist organizations in isolating untrustworthy software and/or software of dubious provenance into confined execution environments. |
The organization employs virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed [Assignment: organization-defined frequency]. |
| CCI-002482 |
The organization defines the concealment and misdirection techniques employed for organization-defined information systems to confuse and mislead adversaries. |
The organization conducting the inspection/assessment obtains and examines the documented concealment and misdirection techniques to ensure the organization being inspected/assessed defines the concealment and misdirection techniques employed for organization-defined information systems to confuse and mislead adversaries..
DoD has determined the concealment and misdirection techniques are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the concealment and misdirection techniques employed for organization-defined information systems to confuse and mislead adversaries.
DoD has determined the concealment and misdirection techniques are not appropriate to define at the Enterprise level. |
Concealment And Misdirection |
SC-30 |
SC-30.1 |
Concealment and misdirection techniques can significantly reduce the targeting capability of adversaries (i.e., window of opportunity and available attack surface) to initiate and complete cyber attacks. For example, virtualization techniques provide organizations with the ability to disguise information systems, potentially reducing the likelihood of successful attacks without the cost of having multiple platforms. Increased use of concealment/misdirection techniques including, for example, randomness, uncertainty, and virtualization, may sufficiently confuse and mislead adversaries and subsequently increase the risk of discovery and/or exposing tradecraft. Concealment/misdirection techniques may also provide organizations additional time to successfully perform core missions and business functions. Because of the time and effort required to support concealment/misdirection techniques, it is anticipated that such techniques would be used by organizations on a very limited basis. Related controls: SC-26, SC-29, SI-14. |
The organization employs [Assignment: organization-defined concealment and misdirection techniques] for [Assignment: organization-defined information systems] at [Assignment: organization-defined time periods] to confuse and mislead adversaries. |
| CCI-002483 |
The organization defines the information systems for which organization-defined concealment and misdirection techniques are to be employed. |
The organization conducting the inspection/assessment obtains and examines the documented information systems to ensure the organization being inspected/assessed defines the information systems for which organization-defined concealment and misdirection techniques are to be employed.
DoD has determined the information systems are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information systems for which organization-defined concealment and misdirection techniques are to be employed.
DoD has determined the information systems are not appropriate to define at the Enterprise level. |
Concealment And Misdirection |
SC-30 |
SC-30.2 |
Concealment and misdirection techniques can significantly reduce the targeting capability of adversaries (i.e., window of opportunity and available attack surface) to initiate and complete cyber attacks. For example, virtualization techniques provide organizations with the ability to disguise information systems, potentially reducing the likelihood of successful attacks without the cost of having multiple platforms. Increased use of concealment/misdirection techniques including, for example, randomness, uncertainty, and virtualization, may sufficiently confuse and mislead adversaries and subsequently increase the risk of discovery and/or exposing tradecraft. Concealment/misdirection techniques may also provide organizations additional time to successfully perform core missions and business functions. Because of the time and effort required to support concealment/misdirection techniques, it is anticipated that such techniques would be used by organizations on a very limited basis. Related controls: SC-26, SC-29, SI-14. |
The organization employs [Assignment: organization-defined concealment and misdirection techniques] for [Assignment: organization-defined information systems] at [Assignment: organization-defined time periods] to confuse and mislead adversaries. |
| CCI-002484 |
The organization defines the time periods at which it will employ organization-defined concealment and misdirection techniques on organization-defined information systems. |
The organization conducting the inspection/assessment obtains and examines the documented time periods to ensure the organization being inspected/assessed defines the time periods at which it will employ organization-defined concealment and misdirection techniques on organization-defined information systems.
DoD has determined the time periods are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the time periods at which it will employ organization-defined concealment and misdirection techniques on organization-defined information systems.
DoD has determined the time periods are not appropriate to define at the Enterprise level. |
Concealment And Misdirection |
SC-30 |
SC-30.3 |
Concealment and misdirection techniques can significantly reduce the targeting capability of adversaries (i.e., window of opportunity and available attack surface) to initiate and complete cyber attacks. For example, virtualization techniques provide organizations with the ability to disguise information systems, potentially reducing the likelihood of successful attacks without the cost of having multiple platforms. Increased use of concealment/misdirection techniques including, for example, randomness, uncertainty, and virtualization, may sufficiently confuse and mislead adversaries and subsequently increase the risk of discovery and/or exposing tradecraft. Concealment/misdirection techniques may also provide organizations additional time to successfully perform core missions and business functions. Because of the time and effort required to support concealment/misdirection techniques, it is anticipated that such techniques would be used by organizations on a very limited basis. Related controls: SC-26, SC-29, SI-14. |
The organization employs [Assignment: organization-defined concealment and misdirection techniques] for [Assignment: organization-defined information systems] at [Assignment: organization-defined time periods] to confuse and mislead adversaries. |
| CCI-002485 |
The organization employs organization-defined concealment and misdirection techniques for organization-defined information systems at organization-defined time periods to confuse and mislead adversaries. |
The organization conducting the inspection/assessment obtains and examines network topology diagrams, architecture documentation, or any other documentation identifying concealment and misdirection techniques to ensure the organization being inspected/assessed employs concealment and misdirection techniques defined in SC-30, CCI 2482 for information systems defined in SC-30, 2483 at time periods defined in SC-30, CCI 2484 to confuse and mislead adversaries. |
The organization being inspected/assessed designs the information system to employ concealment and misdirection techniques defined in SC-30, CCI 2482 for information systems defined in SC-30, 2483 at time periods defined in SC-30, CCI 2484 to confuse and mislead adversaries. |
Concealment And Misdirection |
SC-30 |
SC-30.4 |
Concealment and misdirection techniques can significantly reduce the targeting capability of adversaries (i.e., window of opportunity and available attack surface) to initiate and complete cyber attacks. For example, virtualization techniques provide organizations with the ability to disguise information systems, potentially reducing the likelihood of successful attacks without the cost of having multiple platforms. Increased use of concealment/misdirection techniques including, for example, randomness, uncertainty, and virtualization, may sufficiently confuse and mislead adversaries and subsequently increase the risk of discovery and/or exposing tradecraft. Concealment/misdirection techniques may also provide organizations additional time to successfully perform core missions and business functions. Because of the time and effort required to support concealment/misdirection techniques, it is anticipated that such techniques would be used by organizations on a very limited basis. Related controls: SC-26, SC-29, SI-14. |
The organization employs [Assignment: organization-defined concealment and misdirection techniques] for [Assignment: organization-defined information systems] at [Assignment: organization-defined time periods] to confuse and mislead adversaries. |
| CCI-002486 |
The organization defines the techniques to be employed to introduce randomness into organizational operations and assets. |
The organization conducting the inspection/assessment obtains and examines the documented techniques to ensure the organization being inspected/assessed defines the techniques to be employed to introduce randomness into organizational operations and assets.
DoD has determined the techniques are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the techniques to be employed to introduce randomness into organizational operations and assets.
DoD has determined the techniques are not appropriate to define at the Enterprise level. |
Concealment And Misdirection | Randomness |
SC-30 (2) |
SC-30(2).1 |
Randomness introduces increased levels of uncertainty for adversaries regarding the actions organizations take in defending against cyber attacks. Such actions may impede the ability of adversaries to correctly target information resources of organizations supporting critical missions/business functions. Uncertainty may also cause adversaries to hesitate before initiating or continuing attacks. Misdirection techniques involving randomness include, for example, performing certain routine actions at different times of day, employing different information technologies (e.g., browsers, search engines), using different suppliers, and rotating roles and responsibilities of organizational personnel. |
The organization employs [Assignment: organization-defined techniques] to introduce randomness into organizational operations and assets. |
| CCI-002487 |
The organization employs organization-defined techniques to introduce randomness into organizational operations. |
The organization conducting the inspection/assessment obtains and examines any applicable evidence of techniques used to introduce randomness to ensure the organization being inspected/assessed employs techniques defined in SC-30 (2), CCI 2486 to introduce randomness into organizational operations. |
The organization being inspected/assessed employs techniques defined in SC-30 (2), CCI 2486 to introduce randomness into organizational operations. |
Concealment And Misdirection | Randomness |
SC-30 (2) |
SC-30(2).2 |
Randomness introduces increased levels of uncertainty for adversaries regarding the actions organizations take in defending against cyber attacks. Such actions may impede the ability of adversaries to correctly target information resources of organizations supporting critical missions/business functions. Uncertainty may also cause adversaries to hesitate before initiating or continuing attacks. Misdirection techniques involving randomness include, for example, performing certain routine actions at different times of day, employing different information technologies (e.g., browsers, search engines), using different suppliers, and rotating roles and responsibilities of organizational personnel. |
The organization employs [Assignment: organization-defined techniques] to introduce randomness into organizational operations and assets. |
| CCI-002488 |
The organization employs organization-defined techniques to introduce randomness into organizational assets. |
The organization conducting the inspection/assessment obtains and examines any applicable evidence of techniques used to introduce randomness to ensure the organization being inspected/assessed employs techniques defined in SC-30 (2), CCI 2486 to introduce randomness into organizational assets. |
The organization being inspected/assessed employs techniques defined in SC-30 (2), CCI 2486 to introduce randomness into organizational assets. |
Concealment And Misdirection | Randomness |
SC-30 (2) |
SC-30(2).3 |
Randomness introduces increased levels of uncertainty for adversaries regarding the actions organizations take in defending against cyber attacks. Such actions may impede the ability of adversaries to correctly target information resources of organizations supporting critical missions/business functions. Uncertainty may also cause adversaries to hesitate before initiating or continuing attacks. Misdirection techniques involving randomness include, for example, performing certain routine actions at different times of day, employing different information technologies (e.g., browsers, search engines), using different suppliers, and rotating roles and responsibilities of organizational personnel. |
The organization employs [Assignment: organization-defined techniques] to introduce randomness into organizational operations and assets. |
| CCI-002489 |
The organization defines the processing and/or storage locations to be changed at random intervals or at an organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the documented processing and/or storage sites to ensure the organization being inspected/assessed defines the processing and/or storage locations to be changed at random intervals or at an organization-defined frequency.
DoD has determined the processing and/or storage sites are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the processing and/or storage locations to be changed at random intervals or at an organization-defined frequency.
DoD has determined the processing and/or storage sites are not appropriate to define at the Enterprise level. |
Concealment And Misdirection | Change Processing / Storage Locations |
SC-30 (3) |
SC-30(3).1 |
Adversaries target critical organizational missions/business functions and the information resources supporting those missions and functions while at the same time, trying to minimize exposure of their existence and tradecraft. The static, homogeneous, and deterministic nature of organizational information systems targeted by adversaries, make such systems more susceptible to cyber attacks with less adversary cost and effort to be successful. Changing organizational processing and storage locations (sometimes referred to as moving target defense) addresses the advanced persistent threat (APT) using techniques such as virtualization, distributed processing, and replication. This enables organizations to relocate the information resources (i.e., processing and/or storage) supporting critical missions and business functions. Changing locations of processing activities and/or storage sites introduces uncertainty into the targeting activities by adversaries. This uncertainty increases the work factor of adversaries making compromises or breaches to organizational information systems much more difficult and time-consuming, and increases the chances that adversaries may inadvertently disclose aspects of tradecraft while attempting to locate critical organizational resources. |
The organization changes the location of [Assignment: organization-defined processing and/or storage] [Selection: [Assignment: organization-defined time frequency]; at random time intervals]]. |
| CCI-002490 |
The organization defines the frequency at which it changes the location of organization-defined processing and/or storage. |
The organization conducting the inspection/assessment obtains and examines the documented frequency to ensure the organization being inspected/assessed defines the frequency at which it changes the location of organization-defined processing and/or storage.
DoD has determined the frequency is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the frequency at which it changes the location of organization-defined processing and/or storage.
The frequency can be defined as random time intervals.
DoD has determined the frequency is not appropriate to define at the Enterprise level. |
Concealment And Misdirection | Change Processing / Storage Locations |
SC-30 (3) |
SC-30(3).2 |
Adversaries target critical organizational missions/business functions and the information resources supporting those missions and functions while at the same time, trying to minimize exposure of their existence and tradecraft. The static, homogeneous, and deterministic nature of organizational information systems targeted by adversaries, make such systems more susceptible to cyber attacks with less adversary cost and effort to be successful. Changing organizational processing and storage locations (sometimes referred to as moving target defense) addresses the advanced persistent threat (APT) using techniques such as virtualization, distributed processing, and replication. This enables organizations to relocate the information resources (i.e., processing and/or storage) supporting critical missions and business functions. Changing locations of processing activities and/or storage sites introduces uncertainty into the targeting activities by adversaries. This uncertainty increases the work factor of adversaries making compromises or breaches to organizational information systems much more difficult and time-consuming, and increases the chances that adversaries may inadvertently disclose aspects of tradecraft while attempting to locate critical organizational resources. |
The organization changes the location of [Assignment: organization-defined processing and/or storage] [Selection: [Assignment: organization-defined time frequency]; at random time intervals]]. |
| CCI-002491 |
The organization changes the location of organization-defined processing and/or storage at an organization-defined time frequency or at random time intervals. |
|
|
|
|
|
|
|
| CCI-002492 |
The organization changes the location of organization-defined processing and/or storage at an organization-defined time frequency or at random time intervals. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of changes to ensure the organization being inspected/assessed changes the location of the processing and/or storage defined in SC-30 (3), CCI 2489 at the time frequency defined in SC-30 (3), CCI 2490 or at random time intervals. |
The organization being inspected/assessed documents and implements a process to change the location of the processing and/or storage defined in SC-30 (3), CCI 2489 at the time frequency defined in SC-30 (3), CCI 2490 or at random time intervals.
The organization must maintain an audit trail of changes. |
Concealment And Misdirection | Change Processing / Storage Locations |
SC-30 (3) |
SC-30(3).3 |
Adversaries target critical organizational missions/business functions and the information resources supporting those missions and functions while at the same time, trying to minimize exposure of their existence and tradecraft. The static, homogeneous, and deterministic nature of organizational information systems targeted by adversaries, make such systems more susceptible to cyber attacks with less adversary cost and effort to be successful. Changing organizational processing and storage locations (sometimes referred to as moving target defense) addresses the advanced persistent threat (APT) using techniques such as virtualization, distributed processing, and replication. This enables organizations to relocate the information resources (i.e., processing and/or storage) supporting critical missions and business functions. Changing locations of processing activities and/or storage sites introduces uncertainty into the targeting activities by adversaries. This uncertainty increases the work factor of adversaries making compromises or breaches to organizational information systems much more difficult and time-consuming, and increases the chances that adversaries may inadvertently disclose aspects of tradecraft while attempting to locate critical organizational resources. |
The organization changes the location of [Assignment: organization-defined processing and/or storage] [Selection: [Assignment: organization-defined time frequency]; at random time intervals]]. |
| CCI-002493 |
The organization defines the information system components in which it will employ realistic but misleading information regarding its security state or posture. |
The organization conducting the inspection/assessment obtains and examines the documented information system components to ensure the organization being inspected/assessed defines the information system components in which it will employ realistic but misleading information regarding its security state or posture.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information system components in which it will employ realistic but misleading information regarding its security state or posture.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
Concealment And Misdirection | Misleading Information |
SC-30 (4) |
SC-30(4).1 |
This control enhancement misleads potential adversaries regarding the nature and extent of security safeguards deployed by organizations. As a result, adversaries may employ incorrect (and as a result ineffective) attack techniques. One way of misleading adversaries is for organizations to place misleading information regarding the specific security controls deployed in external information systems that are known to be accessed or targeted by adversaries. Another technique is the use of deception nets (e.g., honeynets, virtualized environments) that mimic actual aspects of organizational information systems but use, for example, out-of-date software configurations. |
The organization employs realistic, but misleading information in [Assignment: organization defined information system components] with regard to its security state or posture. |
| CCI-002494 |
The organization employs realistic, but misleading, information in organization-defined information system components with regard to its security state or posture. |
The organization conducting the inspection/assessment obtains and examines any applicable evidence of methods to employ misinformation to ensure the organization being inspected/assessed employs realistic, but misleading, information in information system components defined in SC-30 (4), CCI 2493 with regard to its security state or posture. |
The organization being inspected/assessed employs realistic, but misleading, information in information system components defined in SC-30 (4), CCI 2493 with regard to its security state or posture. |
Concealment And Misdirection | Misleading Information |
SC-30 (4) |
SC-30(4).2 |
This control enhancement misleads potential adversaries regarding the nature and extent of security safeguards deployed by organizations. As a result, adversaries may employ incorrect (and as a result ineffective) attack techniques. One way of misleading adversaries is for organizations to place misleading information regarding the specific security controls deployed in external information systems that are known to be accessed or targeted by adversaries. Another technique is the use of deception nets (e.g., honeynets, virtualized environments) that mimic actual aspects of organizational information systems but use, for example, out-of-date software configurations. |
The organization employs realistic, but misleading information in [Assignment: organization defined information system components] with regard to its security state or posture. |
| CCI-002495 |
The organization defines the techniques to be employed to hide or conceal organization-defined information system components. |
The organization conducting the inspection/assessment obtains and examines the documented techniques to ensure the organization being inspected/assessed defines the techniques to be employed to hide or conceal organization-defined information system components.
DoD has determined the techniques are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the techniques to be employed to hide or conceal organization-defined information system components.
DoD has determined the techniques are not appropriate to define at the Enterprise level. |
Concealment And Misdirection | Concealment Of System Components |
SC-30 (5) |
SC-30(5).1 |
By hiding, disguising, or otherwise concealing critical information system components, organizations may be able to decrease the probability that adversaries target and successfully compromise those assets. Potential means for organizations to hide and/or conceal information system components include, for example, configuration of routers or the use of honeynets or virtualization techniques. |
The organization employs [Assignment: organization-defined techniques] to hide or conceal [Assignment: organization-defined information system components]. |
| CCI-002496 |
The organization defines the information system components to be hidden or concealed. |
The organization conducting the inspection/assessment obtains and examines the documented information system components to ensure the organization being inspected/assessed defines the information system components to be hidden or concealed.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information system components to be hidden or concealed.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
Concealment And Misdirection | Concealment Of System Components |
SC-30 (5) |
SC-30(5).2 |
By hiding, disguising, or otherwise concealing critical information system components, organizations may be able to decrease the probability that adversaries target and successfully compromise those assets. Potential means for organizations to hide and/or conceal information system components include, for example, configuration of routers or the use of honeynets or virtualization techniques. |
The organization employs [Assignment: organization-defined techniques] to hide or conceal [Assignment: organization-defined information system components]. |
| CCI-002497 |
The organization employs organization-defined techniques to hide or conceal organization-defined information system components. |
The organization conducting the inspection/assessment obtains and examines any applicable evidence of techniques to conceal information to ensure the organization being inspected/assessed employs techniques defined in SC-30 (5), CCI 2495 to hide or conceal information system components defined in SC-30 (5), CCI 2496. |
The organization being inspected/assessed employs techniques defined in SC-30 (5), CCI 2495 to hide or conceal information system components defined in SC-30 (5), CCI 2496. |
Concealment And Misdirection | Concealment Of System Components |
SC-30 (5) |
SC-30(5).3 |
By hiding, disguising, or otherwise concealing critical information system components, organizations may be able to decrease the probability that adversaries target and successfully compromise those assets. Potential means for organizations to hide and/or conceal information system components include, for example, configuration of routers or the use of honeynets or virtualization techniques. |
The organization employs [Assignment: organization-defined techniques] to hide or conceal [Assignment: organization-defined information system components]. |
| CCI-002498 |
The organization performs a covert channel analysis to identify those aspects of communications within the information system that are potential avenues for covert storage and/or timing channels. |
The organization conducting the inspection/assessment obtains and examines the results of the analysis to ensure the organization being inspected/assessed performs a covert channel analysis to identify those aspects of communications within the information system that are potential avenues for covert storage and/or timing channels. |
The organization being inspected/assessed performs a covert channel analysis to identify those aspects of communications within the information system that are potential avenues for covert storage and/or timing channels.
The organization must maintain an audit trail of analyses. |
Covert Channel Analysis |
SC-31 |
SC-31.1 |
Developers are in the best position to identify potential areas within systems that might lead to covert channels. Covert channel analysis is a meaningful activity when there is the potential for unauthorized information flows across security domains, for example, in the case of information systems containing export-controlled information and having connections to external networks (i.e., networks not controlled by organizations). Covert channel analysis is also meaningful for multilevel secure (MLS) information systems, multiple security level (MSL) systems, and cross-domain systems. Related controls: AC-3, AC-4, PL-2. |
The organization:
a. Performs a covert channel analysis to identify those aspects of communications within the information system that are potential avenues for covert [Selection (one or more): storage; timing] channels; and
b. Estimates the maximum bandwidth of those channels. |
| CCI-002499 |
The organization estimates the maximum bandwidth of the covert storage and timing channels. |
The organization conducting the inspection/assessment obtains and examines the estimate to ensure the organization being inspected/assessed estimates the maximum bandwidth of the covert storage and timing channels. |
The organization being inspected/assessed implements a process to estimate the maximum bandwidth of the covert storage and timing channels. |
Covert Channel Analysis |
SC-31 |
SC-31.2 |
Developers are in the best position to identify potential areas within systems that might lead to covert channels. Covert channel analysis is a meaningful activity when there is the potential for unauthorized information flows across security domains, for example, in the case of information systems containing export-controlled information and having connections to external networks (i.e., networks not controlled by organizations). Covert channel analysis is also meaningful for multilevel secure (MLS) information systems, multiple security level (MSL) systems, and cross-domain systems. Related controls: AC-3, AC-4, PL-2. |
The organization:
a. Performs a covert channel analysis to identify those aspects of communications within the information system that are potential avenues for covert [Selection (one or more): storage; timing] channels; and
b. Estimates the maximum bandwidth of those channels. |
| CCI-002500 |
The organization defines the maximum bandwidth values to which covert storage and/or timing channels are to be reduced. |
The organization conducting the inspection/assessment obtains and examines the documented maximum bandwidth values to ensure the organization being inspected/assessed defines the maximum bandwidth values to which covert storage and/or timing channels are to be reduced.
DoD has determined the maximum bandwidth values are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the maximum bandwidth values to which covert storage and/or timing channels are to be reduced.
DoD has determined the maximum bandwidth values are not appropriate to define at the Enterprise level. |
Covert Channel Analysis | Maximum Bandwidth |
SC-31 (2) |
SC-31(2).1 |
Information system developers are in the best position to reduce the maximum bandwidth for identified covert storage and timing channels. |
The organization reduces the maximum bandwidth for identified covert [Selection (one or more); storage; timing] channels to [Assignment: organization-defined values]. |
| CCI-002501 |
The organization reduces the maximum bandwidth for identified covert storage and/or timing channels to organization-defined values. |
The organization conducting the inspection/assessment obtains and examines any applicable evidence of bandwidth reduction to ensure the organization being inspected/assessed reduces the maximum bandwidth for identified covert storage and/or timing channels to values defined in SC-31 (2), CCI 2500. |
The organization being inspected/assessed reduces the maximum bandwidth for identified covert storage and/or timing channels to values defined in SC-31 (2), CCI 2500. |
Covert Channel Analysis | Maximum Bandwidth |
SC-31 (2) |
SC-31(2).2 |
Information system developers are in the best position to reduce the maximum bandwidth for identified covert storage and timing channels. |
The organization reduces the maximum bandwidth for identified covert [Selection (one or more); storage; timing] channels to [Assignment: organization-defined values]. |
| CCI-002502 |
The organization defines the subset of identified covert channels in the operational environment of the information system that are to have the bandwidth measured. |
The organization conducting the inspection/assessment obtains and examines the documented subset of identified covert channels to ensure the organization being inspected/assessed defines the subset of identified covert channels in the operational environment of the information system that are to have the bandwidth measured.
DoD has determined the subset is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the subset of identified covert channels in the operational environment of the information system that are to have the bandwidth measured.
DoD has determined the subset is not appropriate to define at the Enterprise level. |
Covert Channel Analysis | Measure Bandwidth In Operational Environments |
SC-31 (3) |
SC-31(3).1 |
This control enhancement addresses covert channel bandwidth in operational environments versus developmental environments. Measuring covert channel bandwidth in operational environments helps organizations to determine how much information can be covertly leaked before such leakage adversely affects organizational missions/business functions. Covert channel bandwidth may be significantly different when measured in those settings that are independent of the particular environments of operation (e.g., laboratories or development environments). |
The organization measures the bandwidth of [Assignment: organization-defined subset of identified covert channels] in the operational environment of the information system. |
| CCI-002503 |
The organization measures the bandwidth of an organization-defined subset of identified covert channels in the operational environment of the information system. |
The organization conducting the inspection/assessment obtains and examines any applicable evidence of measurements to ensure the organization being inspected/assessed measures the bandwidth of a subset of identified covert channels defined in SC-31 (3), CCI 2502 in the operational environment of the information system. |
The organization being inspected/assessed measures the bandwidth of a subset of identified covert channels defined in SC-31 (3), CCI 2502 in the operational environment of the information system. |
Covert Channel Analysis | Measure Bandwidth In Operational Environments |
SC-31 (3) |
SC-31(3).2 |
This control enhancement addresses covert channel bandwidth in operational environments versus developmental environments. Measuring covert channel bandwidth in operational environments helps organizations to determine how much information can be covertly leaked before such leakage adversely affects organizational missions/business functions. Covert channel bandwidth may be significantly different when measured in those settings that are independent of the particular environments of operation (e.g., laboratories or development environments). |
The organization measures the bandwidth of [Assignment: organization-defined subset of identified covert channels] in the operational environment of the information system. |
| CCI-002504 |
The organization defines the information system components into which the information system is partitioned. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed defines the information system components into which the information system is partitioned.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information system components into which the information system is partitioned.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
Information System Partitioning |
SC-32 |
SC-32.1 |
Information system partitioning is a part of a defense-in-depth protection strategy. Organizations determine the degree of physical separation of system components from physically distinct components in separate racks in the same room, to components in separate rooms for the more critical components, to more significant geographical separation of the most critical components. Security categorization can guide the selection of appropriate candidates for domain partitioning. Managed interfaces restrict or prohibit network access and information flow among partitioned information system components. Related controls: AC-4, SA-8, SC-2, SC-3, SC-7. |
The organization partitions the information system into [Assignment: organization-defined information system components] residing in separate physical domains or environments based on [Assignment: organization-defined circumstances for physical separation of components]. |
| CCI-002505 |
The organization defines the circumstances under which the information system components are to be physically separated to support partitioning. |
The organization conducting the inspection/assessment obtains and examines the documented circumstances to ensure the organization being inspected/assessed defines the circumstances under which the information system components are to be physically separated to support partitioning.
DoD has determined the circumstances are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the circumstances under which the information system components are to be physically separated to support partitioning.
DoD has determined the circumstances are not appropriate to define at the Enterprise level. |
Information System Partitioning |
SC-32 |
SC-32.2 |
Information system partitioning is a part of a defense-in-depth protection strategy. Organizations determine the degree of physical separation of system components from physically distinct components in separate racks in the same room, to components in separate rooms for the more critical components, to more significant geographical separation of the most critical components. Security categorization can guide the selection of appropriate candidates for domain partitioning. Managed interfaces restrict or prohibit network access and information flow among partitioned information system components. Related controls: AC-4, SA-8, SC-2, SC-3, SC-7. |
The organization partitions the information system into [Assignment: organization-defined information system components] residing in separate physical domains or environments based on [Assignment: organization-defined circumstances for physical separation of components]. |
| CCI-002506 |
The organization partitions the information system into organization-defined information system components residing in separate physical domains or environments based on organization-defined circumstances for physical separation of components. |
The organization conducting the inspection/assessment obtains and examines network topology diagrams, architecture documentation, or any other documentation identifying component partitioning to ensure the organization being inspected/assessed partitions components defined in SC-32, CCI 2504 residing in separate physical domains or environments based on circumstances defined in SC-32, CCI 2505 for physical separation of components. |
The organization being inspected/assessed designs the information system to partition components defined in SC-32, CCI 2504 residing in separate physical domains or environments based on circumstances defined in SC-32, CCI 2505 for physical separation of components. |
Information System Partitioning |
SC-32 |
SC-32.3 |
Information system partitioning is a part of a defense-in-depth protection strategy. Organizations determine the degree of physical separation of system components from physically distinct components in separate racks in the same room, to components in separate rooms for the more critical components, to more significant geographical separation of the most critical components. Security categorization can guide the selection of appropriate candidates for domain partitioning. Managed interfaces restrict or prohibit network access and information flow among partitioned information system components. Related controls: AC-4, SA-8, SC-2, SC-3, SC-7. |
The organization partitions the information system into [Assignment: organization-defined information system components] residing in separate physical domains or environments based on [Assignment: organization-defined circumstances for physical separation of components]. |
| CCI-002507 |
The organization controls read-only media after information has been recorded onto the media. |
The organization conducting the inspection/assessment obtains and examines the documented mechanisms to ensure the organization being inspected/assessed controls the read-only media after information has been recorded onto the media. |
The organization being inspected/assessed documents and implements mechanisms to control the read-only media after information has been recorded onto the media. |
Non-Modifiable Executable Programs | Integrity Protection / Read-Only Media |
SC-34 (2) |
SC-34(2).2 |
Security safeguards prevent the substitution of media into information systems or the reprogramming of programmable read-only media prior to installation into the systems. Security safeguards include, for example, a combination of prevention, detection, and response. Related controls: AC-5, CM-3, CM-5, CM-9, MP-2, MP-4, MP-5, SA-12, SC-28, SI-3. |
The organization protects the integrity of information prior to storage on read-only media and controls the media after such information has been recorded onto the media. |
| CCI-002508 |
The organization defines the information system firmware components for which hardware-based, write-protect is employed. |
The organization conducting the inspection/assessment obtains and examines the documented information system firmware components to ensure the organization being inspected/assessed defines the information system firmware components for which hardware-based, write-protect is employed.
DoD has determined the information system firmware components are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information system firmware components for which hardware-based, write-protect is employed.
DoD has determined the information system firmware components are not appropriate to define at the Enterprise level. |
Non-Modifiable Executable Programs | Hardware-Based Protection |
SC-34 (3) |
SC-34(3).1 |
|
The organization:
(a) Employs hardware-based, write-protect for [Assignment: organization-defined information system firmware components]; and
(b) Implements specific procedures for [Assignment: organization-defined authorized individuals] to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode. |
| CCI-002509 |
The organization employs hardware-based, write-protect for organization-defined information system firmware components. |
The organization conducting the inspection/assessment obtains and examines any applicable evidence of hardware-based, write-protect to ensure the organization being inspected/assessed employs hardware-based, write-protect for information system firmware components defined in SC-34 (3), CCI 2508. |
The organization being inspected/assessed employs hardware-based, write-protect for information system firmware components defined in SC-34 (3), CCI 2508. |
Non-Modifiable Executable Programs | Hardware-Based Protection |
SC-34 (3) |
SC-34(3).2 |
|
The organization:
(a) Employs hardware-based, write-protect for [Assignment: organization-defined information system firmware components]; and
(b) Implements specific procedures for [Assignment: organization-defined authorized individuals] to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode. |
| CCI-002510 |
The organization defines the individuals authorized to manually disable hardware-based, write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode. |
The organization conducting the inspection/assessment obtains and examines the documented authorized individuals to ensure the organization being inspected/assessed defines the individuals authorized to manually disable hardware-based, write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode.
DoD has determined the individuals are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the individuals authorized to manually disable hardware-based, write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode.
DoD has determined the individuals are not appropriate to define at the Enterprise level. |
Non-Modifiable Executable Programs | Hardware-Based Protection |
SC-34 (3) |
SC-34(3).3 |
|
The organization:
(a) Employs hardware-based, write-protect for [Assignment: organization-defined information system firmware components]; and
(b) Implements specific procedures for [Assignment: organization-defined authorized individuals] to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode. |
| CCI-002511 |
The organization implements specific procedures for organization-defined authorized individuals to manually disable hardware-based, write-protect for firmware modifications. |
The organization conducting the inspection/assessment obtains and examines the documented procedures and a sampling of the information system components defined in SC-34 (3), CCI 2508 to ensure the organization being inspected/assessed implements specific procedures for authorized individuals defined in SC-34 (3), CCI 2510 to manually disable hardware-based, write-protect for firmware modifications. |
The organization being inspected/assessed documents and implements specific procedures for authorized individuals defined in SC-34 (3), CCI 2510 to manually disable hardware-based, write-protect for firmware modifications. |
Non-Modifiable Executable Programs | Hardware-Based Protection |
SC-34 (3) |
SC-34(3).4 |
|
The organization:
(a) Employs hardware-based, write-protect for [Assignment: organization-defined information system firmware components]; and
(b) Implements specific procedures for [Assignment: organization-defined authorized individuals] to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode. |
| CCI-002512 |
The organization implements specific procedures for organization-defined authorized individuals to manually re-enable hardware write-protect prior to returning to operational mode. |
The organization conducting the inspection/assessment obtains and examines the documented procedures and a sampling of the information system components defined in SC-34 (3), CCI 2508 to ensure the organization being inspected/assessed implements specific procedures for authorized individuals defined in SC-34 (3), CCI 2510 to manually re-enable the write-protect prior to returning to operational mode. |
The organization being inspected/assessed documents and implements specific procedures for authorized individuals defined in SC-34 (3), CCI 2510 to manually re-enable the write-protect prior to returning to operational mode. |
Non-Modifiable Executable Programs | Hardware-Based Protection |
SC-34 (3) |
SC-34(3).5 |
|
The organization:
(a) Employs hardware-based, write-protect for [Assignment: organization-defined information system firmware components]; and
(b) Implements specific procedures for [Assignment: organization-defined authorized individuals] to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode. |
| CCI-002513 |
The organization defines the processing that is to be distributed across multiple physical locations. |
The organization conducting the inspection/assessment obtains and examines the documented processing to ensure the organization being inspected/assessed defines the processing that is to be distributed across multiple physical locations.
DoD has determined the processing is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the processing that is to be distributed across multiple physical locations.
DoD has determined the processing is not appropriate to define at the Enterprise level. |
Distributed Processing And Storage |
SC-36 |
SC-36.1 |
Distributing processing and storage across multiple physical locations provides some degree of redundancy or overlap for organizations, and therefore increases the work factor of adversaries to adversely impact organizational operations, assets, and individuals. This control does not assume a single primary processing or storage location, and thus allows for parallel processing and storage. Related controls: CP-6, CP-7. |
The organization distributes [Assignment: organization-defined processing and storage] across multiple physical locations. |
| CCI-002514 |
The organization defines the storage that is to be distributed across multiple physical locations. |
The organization conducting the inspection/assessment obtains and examines the documented storage to ensure the organization being inspected/assessed defines the storage that is to be distributed across multiple physical locations.
DoD has determined the storage is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the storage that is to be distributed across multiple physical locations.
DoD has determined the storage is not appropriate to define at the Enterprise level. |
Distributed Processing And Storage |
SC-36 |
SC-36.2 |
Distributing processing and storage across multiple physical locations provides some degree of redundancy or overlap for organizations, and therefore increases the work factor of adversaries to adversely impact organizational operations, assets, and individuals. This control does not assume a single primary processing or storage location, and thus allows for parallel processing and storage. Related controls: CP-6, CP-7. |
The organization distributes [Assignment: organization-defined processing and storage] across multiple physical locations. |
| CCI-002515 |
The organization distributes organization-defined processing across multiple physical locations. |
The organization conducting the inspection/assessment obtains and examines hardware lists and other applicable artifacts to ensure the organization being inspected/assessed distributes processing defined in SC-36, CCI 2513 across multiple physical locations. |
The organization being inspected/assessed distributes processing defined in SC-36, CCI 2513 across multiple physical locations. |
Distributed Processing And Storage |
SC-36 |
SC-36.3 |
Distributing processing and storage across multiple physical locations provides some degree of redundancy or overlap for organizations, and therefore increases the work factor of adversaries to adversely impact organizational operations, assets, and individuals. This control does not assume a single primary processing or storage location, and thus allows for parallel processing and storage. Related controls: CP-6, CP-7. |
The organization distributes [Assignment: organization-defined processing and storage] across multiple physical locations. |
| CCI-002516 |
The organization distributes organization-defined storage across multiple physical locations. |
The organization conducting the inspection/assessment obtains and examines hardware lists and other applicable artifacts to ensure the organization being inspected/assessed distributes storage defined in SC-36, CCI 2514 across multiple physical locations. |
The organization being inspected/assessed distributes storage defined in SC-36, CCI 2514 across multiple physical locations. |
Distributed Processing And Storage |
SC-36 |
SC-36.4 |
Distributing processing and storage across multiple physical locations provides some degree of redundancy or overlap for organizations, and therefore increases the work factor of adversaries to adversely impact organizational operations, assets, and individuals. This control does not assume a single primary processing or storage location, and thus allows for parallel processing and storage. Related controls: CP-6, CP-7. |
The organization distributes [Assignment: organization-defined processing and storage] across multiple physical locations. |
| CCI-002517 |
The organization defines the distributed processing components that are to be polled to identify potential faults, errors, or compromises. |
The organization conducting the inspection/assessment obtains and examines the documented distributed processing components to ensure the organization being inspected/assessed defines the distributed processing components that are to be polled to identify potential faults, errors, or compromises.
DoD has determined the distributed processing components are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the distributed processing components that are to be polled to identify potential faults, errors, or compromises.
DoD has determined the distributed processing components are not appropriate to define at the Enterprise level. |
Distributed Processing And Storage | Polling Techniques |
SC-36 (1) |
SC-36(1).1 |
Distributed processing and/or storage may be employed to reduce opportunities for adversaries to successfully compromise the confidentiality, integrity, or availability of information and information systems. However, distribution of processing and/or storage components does not prevent adversaries from compromising one (or more) of the distributed components. Polling compares the processing results and/or storage content from the various distributed components and subsequently voting on the outcomes. Polling identifies potential faults, errors, or compromises in distributed processing and/or storage components. Related control: SI-4. |
The organization employs polling techniques to identify potential faults, errors, or compromises to [Assignment: organization-defined distributed processing and storage components]. |
| CCI-002518 |
The organization defines the distributed storage components that are to be polled to identify potential faults, errors, or compromises. |
The organization conducting the inspection/assessment obtains and examines the documented distributed storage components to ensure the organization being inspected/assessed defines the distributed storage components that are to be polled to identify potential faults, errors, or compromises.
DoD has determined the distributed storage components are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the distributed storage components that are to be polled to identify potential faults, errors, or compromises.
DoD has determined the distributed storage components are not appropriate to define at the Enterprise level. |
Distributed Processing And Storage | Polling Techniques |
SC-36 (1) |
SC-36(1).2 |
Distributed processing and/or storage may be employed to reduce opportunities for adversaries to successfully compromise the confidentiality, integrity, or availability of information and information systems. However, distribution of processing and/or storage components does not prevent adversaries from compromising one (or more) of the distributed components. Polling compares the processing results and/or storage content from the various distributed components and subsequently voting on the outcomes. Polling identifies potential faults, errors, or compromises in distributed processing and/or storage components. Related control: SI-4. |
The organization employs polling techniques to identify potential faults, errors, or compromises to [Assignment: organization-defined distributed processing and storage components]. |
| CCI-002519 |
The organization employs polling techniques to identify potential faults, errors, or compromises to organization-defined distributed processing components. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to employ polling techniques to identify potential faults, errors, or compromises to distributed processing components defined in SC-36 (1), CCI 2517.
If there is no applicable STIG for the polling technique in use, the organization conducting the inspection/assessment obtains and examines system design documents to ensure the organization being inspected/assessed employs polling techniques to identify potential faults, errors, or compromises to distributed processing components defined in SC-36 (1), CCI 2517.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2519. |
The organization being inspected/assessed designs and configures the information system to employ polling techniques to identify potential faults, errors, or compromises to distributed processing components defined in SC-36 (1), CCI 2517.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2519. |
Distributed Processing And Storage | Polling Techniques |
SC-36 (1) |
SC-36(1).3 |
Distributed processing and/or storage may be employed to reduce opportunities for adversaries to successfully compromise the confidentiality, integrity, or availability of information and information systems. However, distribution of processing and/or storage components does not prevent adversaries from compromising one (or more) of the distributed components. Polling compares the processing results and/or storage content from the various distributed components and subsequently voting on the outcomes. Polling identifies potential faults, errors, or compromises in distributed processing and/or storage components. Related control: SI-4. |
The organization employs polling techniques to identify potential faults, errors, or compromises to [Assignment: organization-defined distributed processing and storage components]. |
| CCI-002520 |
The organization employs polling techniques to identify potential faults, errors, or compromises to organization-defined distributed storage components. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to employ polling techniques to identify potential faults, errors, or compromises to distributed storage components defined in SC-36 (1), CCI 2518.
If there is no applicable STIG for the polling technique in use, the organization conducting the inspection/assessment obtains and examines system design documents to ensure the organization being inspected/assessed employs polling techniques to identify potential faults, errors, or compromises to distributed storage components defined in SC-36 (1), CCI 2518.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2520. |
The organization being inspected/assessed designs and configures the information system to employ polling techniques to identify potential faults, errors, or compromises to distributed storage components defined in SC-36 (1), CCI 2518.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2520. |
Distributed Processing And Storage | Polling Techniques |
SC-36 (1) |
SC-36(1).4 |
Distributed processing and/or storage may be employed to reduce opportunities for adversaries to successfully compromise the confidentiality, integrity, or availability of information and information systems. However, distribution of processing and/or storage components does not prevent adversaries from compromising one (or more) of the distributed components. Polling compares the processing results and/or storage content from the various distributed components and subsequently voting on the outcomes. Polling identifies potential faults, errors, or compromises in distributed processing and/or storage components. Related control: SI-4. |
The organization employs polling techniques to identify potential faults, errors, or compromises to [Assignment: organization-defined distributed processing and storage components]. |
| CCI-002521 |
The organization defines the out-of-band channels to be employed for the physical delivery or electronic transmission of organization-defined information, information system components, or devices. |
The organization conducting the inspection/assessment obtains and examines the documented out-of-band channels to ensure the organization being inspected/assessed defines the out-of-band channels to be employed for the physical delivery or electronic transmission of organization-defined information, information system components, or devices.
DoD has determined the out-of-band channels are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the out-of-band channels to be employed for the physical delivery or electronic transmission of organization-defined information, information system components, or devices.
DoD has determined the out-of-band channels are not appropriate to define at the Enterprise level. |
Out-Of-Band Channels |
SC-37 |
SC-37.1 |
Out-of-band channels include, for example, local (nonnetwork) accesses to information systems, network paths physically separate from network paths used for operational traffic, or nonelectronic paths such as the US Postal Service. This is in contrast with using the same channels (i.e., in-band channels) that carry routine operational traffic. Out-of-band channels do not have the same vulnerability/exposure as in-band channels, and hence the confidentiality, integrity, or availability compromises of in-band channels will not compromise the out-of-band channels. Organizations may employ out-of-band channels in the delivery or transmission of many organizational items including, for example, identifiers/authenticators, configuration management changes for hardware, firmware, or software, cryptographic key management information, security updates, system/data backups, maintenance information, and malicious code protection updates. Related controls: AC-2, CM-3, CM-5, CM-7, IA-4, IA-5, MA-4, SC-12, SI-3, SI-4, SI-7. |
The organization employs [Assignment: organization-defined out-of-band channels] for the physical delivery or electronic transmission of [Assignment: organization-defined information, information system components, or devices] to [Assignment: organization-defined individuals or information systems]. |
| CCI-002522 |
The organization defines the information, information system components, or devices that are to be electronically transmitted or physically delivered via organization-defined out-of-band channels. |
The organization conducting the inspection/assessment obtains and examines the documented information, information system components or devices to ensure the organization being inspected/assessed defines the information, information system components or devices that are to be electronically transmitted or physically delivered via organization-defined out-of-band channels.
DoD has determined the information, information system components, or devices are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information, information system components or devices that are to be electronically transmitted or physically delivered via organization-defined out-of-band channels.
DoD has determined the information, information system components, or devices are not appropriate to define at the Enterprise level. |
Out-Of-Band Channels |
SC-37 |
SC-37.2 |
Out-of-band channels include, for example, local (nonnetwork) accesses to information systems, network paths physically separate from network paths used for operational traffic, or nonelectronic paths such as the US Postal Service. This is in contrast with using the same channels (i.e., in-band channels) that carry routine operational traffic. Out-of-band channels do not have the same vulnerability/exposure as in-band channels, and hence the confidentiality, integrity, or availability compromises of in-band channels will not compromise the out-of-band channels. Organizations may employ out-of-band channels in the delivery or transmission of many organizational items including, for example, identifiers/authenticators, configuration management changes for hardware, firmware, or software, cryptographic key management information, security updates, system/data backups, maintenance information, and malicious code protection updates. Related controls: AC-2, CM-3, CM-5, CM-7, IA-4, IA-5, MA-4, SC-12, SI-3, SI-4, SI-7. |
The organization employs [Assignment: organization-defined out-of-band channels] for the physical delivery or electronic transmission of [Assignment: organization-defined information, information system components, or devices] to [Assignment: organization-defined individuals or information systems]. |
| CCI-002523 |
The organization defines the individuals or information systems authorized to be recipients of organization-defined information, information system components, or devices to be delivered by employing organization-defined out-of-band channels for electronic transmission or physical delivery. |
The organization conducting the inspection/assessment obtains and examines the documented information, information system components, or devices to ensure the organization being inspected/assessed defines the individuals or information systems authorized to be recipients of organization-defined information, information system components, or devices to be delivered by employing organization-defined out-of-band channels for electronic transmission or physical delivery.
DoD has determined the individuals or information systems are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the individuals or information systems authorized to be recipients of organization-defined information, information system components, or devices to be delivered by employing organization-defined out-of-band channels for electronic transmission or physical delivery.
DoD has determined the individuals or information systems are not appropriate to define at the Enterprise level. |
Out-Of-Band Channels |
SC-37 |
SC-37(1).1 |
Out-of-band channels include, for example, local (nonnetwork) accesses to information systems, network paths physically separate from network paths used for operational traffic, or nonelectronic paths such as the US Postal Service. This is in contrast with using the same channels (i.e., in-band channels) that carry routine operational traffic. Out-of-band channels do not have the same vulnerability/exposure as in-band channels, and hence the confidentiality, integrity, or availability compromises of in-band channels will not compromise the out-of-band channels. Organizations may employ out-of-band channels in the delivery or transmission of many organizational items including, for example, identifiers/authenticators, configuration management changes for hardware, firmware, or software, cryptographic key management information, security updates, system/data backups, maintenance information, and malicious code protection updates. Related controls: AC-2, CM-3, CM-5, CM-7, IA-4, IA-5, MA-4, SC-12, SI-3, SI-4, SI-7. |
The organization employs [Assignment: organization-defined out-of-band channels] for the physical delivery or electronic transmission of [Assignment: organization-defined information, information system components, or devices] to [Assignment: organization-defined individuals or information systems]. |
| CCI-002524 |
The organization employs organization-defined out-of-band channels for the electronic transmission or physical delivery of organization-defined information, information system components, or devices to organization-defined individuals or information systems. |
The organization conducting the inspection/assessment obtains and examines any applicable evidence of out-of-band channels to ensure the organization being inspected/assessed employs out-of-band channels defined in SC-37, CCI 2521 for the electronic transmission or physical delivery of information, information system components, or devices defined in SC-37, CCI 2522 to individuals or information systems defined in SC-37, CCI 2523. |
The organization being inspected/assessed employs out-of-band channels defined in SC-37, CCI 2521 for the electronic transmission or physical delivery of information, information system components, or devices defined in SC-37, CCI 2522 to individuals or information systems defined in SC-37, CCI 2523. |
Out-Of-Band Channels |
SC-37 |
SC-37.4 |
Out-of-band channels include, for example, local (nonnetwork) accesses to information systems, network paths physically separate from network paths used for operational traffic, or nonelectronic paths such as the US Postal Service. This is in contrast with using the same channels (i.e., in-band channels) that carry routine operational traffic. Out-of-band channels do not have the same vulnerability/exposure as in-band channels, and hence the confidentiality, integrity, or availability compromises of in-band channels will not compromise the out-of-band channels. Organizations may employ out-of-band channels in the delivery or transmission of many organizational items including, for example, identifiers/authenticators, configuration management changes for hardware, firmware, or software, cryptographic key management information, security updates, system/data backups, maintenance information, and malicious code protection updates. Related controls: AC-2, CM-3, CM-5, CM-7, IA-4, IA-5, MA-4, SC-12, SI-3, SI-4, SI-7. |
The organization employs [Assignment: organization-defined out-of-band channels] for the physical delivery or electronic transmission of [Assignment: organization-defined information, information system components, or devices] to [Assignment: organization-defined individuals or information systems]. |
| CCI-002525 |
The organization defines the security safeguards to be employed to ensure only organization-defined individuals or information systems receive organization-defined information, information system components, or devices. |
The organization conducting the inspection/assessment obtains and examine the documented security safeguards to ensure the organization being inspected/assessed defines the security safeguards to be employed to ensure only organization-defined individuals or information systems receive organization-defined information, information system components or devices.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security safeguards to be employed to ensure only organization-defined individuals or information systems receive organization-defined information, information system components or devices.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
Out-Of-Band Channels | Ensure Delivery / Transmission |
SC-37 (1) |
SC-37(1).2 |
Techniques and/or methods employed by organizations to ensure that only designated information systems or individuals receive particular information, system components, or devices include, for example, sending authenticators via courier service but requiring recipients to show some form of government-issued photographic identification as a condition of receipt |
The organization employs [Assignment: organization-defined security safeguards] to ensure that only [Assignment: organization-defined individuals or information systems] receive the [Assignment: organization-defined information, information system components, or devices]. |
| CCI-002526 |
The organization defines the information, information system components, or devices which are to be received only by organization-defined individuals or information systems. |
The organization conducting the inspection/assessment obtains and examines the documented information, information system components or devices to ensure the organization being inspected/assessed defines the information, information system components or devices which are to be received only by organization-defined individuals or information systems.
DoD has determined the information, information system components or devices are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information, information system components or devices which are to be received only by organization-defined individuals or information systems.
DoD has determined the information, information system components or devices are not appropriate to define at the Enterprise level. |
Out-Of-Band Channels | Ensure Delivery / Transmission |
SC-37 (1) |
SC-37(1).3 |
Techniques and/or methods employed by organizations to ensure that only designated information systems or individuals receive particular information, system components, or devices include, for example, sending authenticators via courier service but requiring recipients to show some form of government-issued photographic identification as a condition of receipt |
The organization employs [Assignment: organization-defined security safeguards] to ensure that only [Assignment: organization-defined individuals or information systems] receive the [Assignment: organization-defined information, information system components, or devices]. |
| CCI-002527 |
The organization employs organization-defined security safeguards to ensure only organization-defined individuals or information systems receive the organization-defined information, information system components, or devices. |
The organization conducting the inspection/assessment obtains and examines the audit trail of security safeguard implementation to ensure the organization being inspected/assessed employs security safeguards defined in SC-37 (1), CCI 2525 to ensure only individuals or information systems defined in SC-37 (1), CCI 2523 receive the information, information system components, or devices defined in SC-37 (1), CCI 2526. |
The organization being inspected/assessed implements security safeguards defined in SC-37 (1), CCI 2525 to ensure only individuals or information systems defined in SC-37 (1), CCI 2523 receive the information, information system components, or devices defined in SC-37 (1), CCI 2526.
The organization must maintain an audit trail of security safeguard implementation. |
Out-Of-Band Channels | Ensure Delivery / Transmission |
SC-37 (1) |
SC-37(1).4 |
Techniques and/or methods employed by organizations to ensure that only designated information systems or individuals receive particular information, system components, or devices include, for example, sending authenticators via courier service but requiring recipients to show some form of government-issued photographic identification as a condition of receipt |
The organization employs [Assignment: organization-defined security safeguards] to ensure that only [Assignment: organization-defined individuals or information systems] receive the [Assignment: organization-defined information, information system components, or devices]. |
| CCI-003599 |
The organization defines the individuals or information systems to be the only recipients of organization-defined information, information system components, or devices, by employing organization-defined security safeguards. |
The organization conducting the inspection/assessment obtains and examines the documented information, information system components, or devices to ensure the organization being inspected/assessed defines the individuals or information systems authorized to be recipients of organization-defined information, information system components, or devices, and has employed organization-defined security safeguards. DoD has determined the individuals or information systems are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the individuals or information systems that are the only recipients of organization-defined information, information system components, or devices, and employed organization-defined security safeguards. DoD has determined the individuals or information systems are not appropriate to define at the Enterprise level. |
Out-Of-Band Channels | Ensure Delivery / Transmission |
SC-37 (1) |
|
Techniques and/or methods employed by organizations to ensure that only designated information systems or individuals receive particular information, system components, or devices include, for example, sending authenticators via courier service but requiring recipients to show some form of government-issued photographic identification as a condition of receipt |
The organization employs [Assignment: organization-defined security safeguards] to ensure that only [Assignment: organization-defined individuals or information systems] receive the [Assignment: organization-defined information, information system components, or devices]. |
| CCI-002528 |
The organization defines the operations security safeguards to be employed to protect key organizational information throughout the system development life cycle. |
The organization conducting the inspection/assessment obtains and examines the documented operations security safeguards to ensure the organization being inspected/assessed defines the operations security safeguards to be employed to protect key organizational information throughout the system development life cycle.
DoD has determined the operations security safeguards are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the operations security safeguards to be employed to protect key organizational information throughout the system development life cycle.
DoD has determined the operations security safeguards are not appropriate to define at the Enterprise level. |
Operations Security |
SC-38 |
SC-38.1 |
Operations security (OPSEC) is a systematic process by which potential adversaries can be denied information about the capabilities and intentions of organizations by identifying, controlling, and protecting generally unclassified information that specifically relates to the planning and execution of sensitive organizational activities. The OPSEC process involves five steps: (i) identification of critical information (e.g., the security categorization process); (ii) analysis of threats; (iii) analysis of vulnerabilities; (iv) assessment of risks; and (v) the application of appropriate countermeasures. OPSEC safeguards are applied to both organizational information systems and the environments in which those systems operate. OPSEC safeguards help to protect the confidentiality of key information including, for example, limiting the sharing of information with suppliers and potential suppliers of information system components, information technology products and services, and with other non-organizational elements and individuals. Information critical to mission/business success includes, for example, user identities, element uses, suppliers, supply chain processes, functional and security requirements, system design specifications, testing protocols, and security control implementation details. Related controls: RA-2, RA-5, SA-12. |
The organization employs [Assignment: organization-defined operations security safeguards] to protect key organizational information throughout the system development life cycle. |
| CCI-002529 |
The organization employs organization-defined operations security safeguards to protect key organizational information throughout the system development life cycle. |
The organization conducting the inspection/assessment obtains and examines the audit trail of security safeguard implementation to ensure the organization being inspected/assessed employs operations security safeguards defined in SC-38, CCI 2528 to protect key organizational information throughout the system development life cycle. |
The organization being inspected/assessed implements operations security safeguards defined in SC-38, CCI 2528 to protect key organizational information throughout the system development life cycle.
The organization must maintain an audit trail of security safeguard implementation. |
Operations Security |
SC-38 |
SC-38.2 |
Operations security (OPSEC) is a systematic process by which potential adversaries can be denied information about the capabilities and intentions of organizations by identifying, controlling, and protecting generally unclassified information that specifically relates to the planning and execution of sensitive organizational activities. The OPSEC process involves five steps: (i) identification of critical information (e.g., the security categorization process); (ii) analysis of threats; (iii) analysis of vulnerabilities; (iv) assessment of risks; and (v) the application of appropriate countermeasures. OPSEC safeguards are applied to both organizational information systems and the environments in which those systems operate. OPSEC safeguards help to protect the confidentiality of key information including, for example, limiting the sharing of information with suppliers and potential suppliers of information system components, information technology products and services, and with other non-organizational elements and individuals. Information critical to mission/business success includes, for example, user identities, element uses, suppliers, supply chain processes, functional and security requirements, system design specifications, testing protocols, and security control implementation details. Related controls: RA-2, RA-5, SA-12. |
The organization employs [Assignment: organization-defined operations security safeguards] to protect key organizational information throughout the system development life cycle. |
| CCI-002530 |
The information system maintains a separate execution domain for each executing process. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to maintain a separate execution domain for each executing process.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2530. |
The organization being inspected/assessed configures the information system to maintain a separate execution domain for each executing process.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2530. |
Process Isolation |
SC-39 |
SC-39.1 |
Information systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each information system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. This capability is available in most commercial operating systems that employ multi-state processor technologies. Related controls: AC-3, AC-4, AC-6, SA-4, SA-5, SA-8, SC-2, SC-3. |
The information system maintains a separate execution domain for each executing process. |
| CCI-002531 |
The information system implements underlying hardware separation mechanisms to facilitate process separation. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement underlying hardware separation mechanisms to facilitate process separation.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2531. |
The organization being inspected/assessed configures the information system to implement underlying hardware separation mechanisms to facilitate process separation.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2531. |
Process Isolation | Hardware Separation |
SC-39 (1) |
SC-39(1).1 |
Hardware-based separation of information system processes is generally less susceptible to compromise than software-based separation, thus providing greater assurance that the separation will be enforced. Underlying hardware separation mechanisms include, for example, hardware memory management. |
The information system implements underlying hardware separation mechanisms to facilitate process separation. |
| CCI-002532 |
The organization defines the multi-threaded processing in which a separate execution domain is maintained by the information system for each thread. |
The organization conducting the inspection/assessment obtains and examines the documented multi-thread processing to ensure the organization being inspected/assessed defines the multi-threaded processing in which a separate execution domain is maintained by the information system for each thread.
DoD has determined the multi-threaded processing is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the multi-threaded processing in which a separate execution domain is maintained by the information system for each thread.
DoD has determined the multi-threaded processing is not appropriate to define at the Enterprise level. |
Process Isolation | Thread Isolation |
SC-39 (2) |
SC-39(2).1 |
|
The information system maintains a separate execution domain for each thread in [Assignment: organization-defined multi-threaded processing]. |
| CCI-002533 |
The information system maintains a separate execution domain for each thread in organization-defined multi-threaded processing. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to maintain a separate execution domain for each thread in multi-threaded processing defined in SC-39 (2), CCI 2532.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2533. |
The organization being inspected/assessed configures the information system to maintain a separate execution domain for each thread in multi-threaded processing defined in SC-39 (2), CCI 2532.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2533. |
Process Isolation | Thread Isolation |
SC-39 (2) |
SC-39(2).2 |
|
The information system maintains a separate execution domain for each thread in [Assignment: organization-defined multi-threaded processing]. |
| CCI-002534 |
The organization defines types of signal parameter attacks or references to sources for such attacks from which the information system protects organization-defined wireless links. |
The organization conducting the inspection/assessment obtains and examines the documented signal parameter attacks or references to sources for such attacks to ensure the organization being inspected/assessed defines types of signal parameter attacks or references to sources for such attacks from which the information system protects organization-defined wireless links.
DoD has determined the signal parameter attacks or references to sources for such attacks are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the types of signal parameter attacks or references to sources for such attacks from which the information system protects organization-defined wireless links.
DoD has determined the signal parameter attacks or references to sources for such attacks are not appropriate to define at the Enterprise level. |
Wireless Link Protection |
SC-40 |
SC-40.1 |
This control applies to internal and external wireless communication links that may be visible to individuals who are not authorized information system users. Adversaries can exploit the signal parameters of wireless links if such links are not adequately protected. There are many ways to exploit the signal parameters of wireless links to gain intelligence, deny service, or to spoof users of organizational information systems. This control reduces the impact of attacks that are unique to wireless systems. If organizations rely on commercial service providers for transmission services as commodity items rather than as fully dedicated services, it may not be possible to implement this control. Related controls: AC-18, SC-5. |
The information system protects external and internal [Assignment: organization-defined wireless links] from [Assignment: organization-defined types of signal parameter attacks or references to sources for such attacks]. |
| CCI-002535 |
The organization defines the external and internal wireless links the information system is to protect from organization-defined types of signal parameter attacks or references to sources for such attacks. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the wireless links as all non-COTS wireless links. |
DoD has defined the wireless links as all non-COTS wireless links. |
Wireless Link Protection |
SC-40 |
SC-40.2 |
This control applies to internal and external wireless communication links that may be visible to individuals who are not authorized information system users. Adversaries can exploit the signal parameters of wireless links if such links are not adequately protected. There are many ways to exploit the signal parameters of wireless links to gain intelligence, deny service, or to spoof users of organizational information systems. This control reduces the impact of attacks that are unique to wireless systems. If organizations rely on commercial service providers for transmission services as commodity items rather than as fully dedicated services, it may not be possible to implement this control. Related controls: AC-18, SC-5. |
The information system protects external and internal [Assignment: organization-defined wireless links] from [Assignment: organization-defined types of signal parameter attacks or references to sources for such attacks]. |
| CCI-002536 |
The information system protects organization-defined external and internal wireless links from organization-defined types of signal parameter attacks or references to sources for such attacks. |
The organization conducting the inspection/assessment obtains and examines design documentation for wireless links to ensure the organization being inspected/assessed protects all non-COTS wireless links from types of signal parameter attacks or references to sources for such attacks defined in SC-40, CCI 2534.
DoD has defined the wireless links as all non-COTS wireless links. |
The organization being inspected/assessed designs the information system to protect all non-COTS wireless links from types of signal parameter attacks or references to sources for such attacks defined in SC-40, CCI 2534.
DoD has defined the wireless links as all non-COTS wireless links. |
Wireless Link Protection |
SC-40 |
SC-40.3 |
This control applies to internal and external wireless communication links that may be visible to individuals who are not authorized information system users. Adversaries can exploit the signal parameters of wireless links if such links are not adequately protected. There are many ways to exploit the signal parameters of wireless links to gain intelligence, deny service, or to spoof users of organizational information systems. This control reduces the impact of attacks that are unique to wireless systems. If organizations rely on commercial service providers for transmission services as commodity items rather than as fully dedicated services, it may not be possible to implement this control. Related controls: AC-18, SC-5. |
The information system protects external and internal [Assignment: organization-defined wireless links] from [Assignment: organization-defined types of signal parameter attacks or references to sources for such attacks]. |
| CCI-002537 |
The organization defines the level of protection against the effects of intentional electromagnetic interference to be achieved by implemented cryptographic mechanisms. |
The organization conducting the inspection/assessment obtains and examines the documented level of protection to ensure the organization being inspected/assessed defines the level of protection against the effects of intentional electromagnetic interference to be achieved by implemented cryptographic mechanisms.
DoD has determined the level of protection is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the level of protection against the effects of intentional electromagnetic interference to be achieved by implemented cryptographic mechanisms.
DoD has determined the level of protection is not appropriate to define at the Enterprise level. |
Wireless Link Protection | Electromagnetic Interference |
SC-40 (1) |
SC-40(1).1 |
This control enhancement protects against intentional jamming that might deny or impair communications by ensuring that wireless spread spectrum waveforms used to provide anti-jam protection are not predictable by unauthorized individuals. The control enhancement may also coincidentally help to mitigate the effects of unintentional jamming due to interference from legitimate transmitters sharing the same spectrum. Mission requirements, projected threats, concept of operations, and applicable legislation, directives, regulations, policies, standards, and guidelines determine levels of wireless link availability and performance/cryptography needed. Related controls: SC-12, SC-13. |
The information system implements cryptographic mechanisms that achieve [Assignment: organization-defined level of protection] against the effects of intentional electromagnetic interference. |
| CCI-002538 |
The information system implements cryptographic mechanisms that achieve an organization-defined level of protection against the effects of intentional electromagnetic interference. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement cryptographic mechanisms that achieve level of protection defined in SC-40 (1), CCI 2537 against the effects of intentional electromagnetic interference.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2538. |
The organization being inspected/assessed configures the information system to implement cryptographic mechanisms that achieve level of protection defined in SC-40 (1), CCI 2537 against the effects of intentional electromagnetic interference.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2538. |
Wireless Link Protection | Electromagnetic Interference |
SC-40 (1) |
SC-40(1).2 |
This control enhancement protects against intentional jamming that might deny or impair communications by ensuring that wireless spread spectrum waveforms used to provide anti-jam protection are not predictable by unauthorized individuals. The control enhancement may also coincidentally help to mitigate the effects of unintentional jamming due to interference from legitimate transmitters sharing the same spectrum. Mission requirements, projected threats, concept of operations, and applicable legislation, directives, regulations, policies, standards, and guidelines determine levels of wireless link availability and performance/cryptography needed. Related controls: SC-12, SC-13. |
The information system implements cryptographic mechanisms that achieve [Assignment: organization-defined level of protection] against the effects of intentional electromagnetic interference. |
| CCI-002539 |
The organization defines the level of reduction the information system is to implement to reduce the detection potential of wireless links. |
The organization conducting the inspection/assessment obtains and examines the documented level of reduction to ensure the organization being inspected/assessed defines the level of reduction the information system is to implement to reduce the detection potential of wireless links.
DoD has determined the level of reduction is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the level of reduction the information system is to implement to reduce the detection potential of wireless links.
DoD has determined the level of reduction is not appropriate to define at the Enterprise level. |
Wireless Link Protection | Reduce Detection Potential |
SC-40 (2) |
SC-40(2).1 |
This control enhancement is needed for covert communications and protecting wireless transmitters from being geo-located by their transmissions. The control enhancement ensures that spread spectrum waveforms used to achieve low probability of detection are not predictable by unauthorized individuals. Mission requirements, projected threats, concept of operations, and applicable legislation, directives, regulations, policies, standards, and guidelines determine the levels to which wireless links should be undetectable. Related controls: SC-12, SC-13. |
The information system implements cryptographic mechanisms to reduce the detection potential of wireless links to [Assignment: organization-defined level of reduction]. |
| CCI-002540 |
The information system implements cryptographic mechanisms to reduce the detection potential of wireless links to an organization-defined level of reduction. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement cryptographic mechanisms to reduce the detection potential of wireless links to the level of reduction defined in SC-40 (2), CCI 2539.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2540. |
The organization being inspected/assessed configures the information system to implement cryptographic mechanisms to reduce the detection potential of wireless links to the level of reduction defined in SC-40 (2), CCI 2539.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2540. |
Wireless Link Protection | Reduce Detection Potential |
SC-40 (2) |
SC-40(2).2 |
This control enhancement is needed for covert communications and protecting wireless transmitters from being geo-located by their transmissions. The control enhancement ensures that spread spectrum waveforms used to achieve low probability of detection are not predictable by unauthorized individuals. Mission requirements, projected threats, concept of operations, and applicable legislation, directives, regulations, policies, standards, and guidelines determine the levels to which wireless links should be undetectable. Related controls: SC-12, SC-13. |
The information system implements cryptographic mechanisms to reduce the detection potential of wireless links to [Assignment: organization-defined level of reduction]. |
| CCI-002541 |
The information system implements cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2541. |
The organization being inspected/assessed configures the information system to implement cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2541. |
Wireless Link Protection | Imitative Or Manipulative Communications Deception |
SC-40 (3) |
SC-40(3).1 |
This control enhancement ensures that the signal parameters of wireless transmissions are not predictable by unauthorized individuals. Such unpredictability reduces the probability of imitative or manipulative communications deception based upon signal parameters alone. Related controls: SC-12, SC-13. |
The information system implements cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters. |
| CCI-002542 |
The organization defines the wireless transmitters that are to have cryptographic mechanisms implemented by the information system to prevent the identification of the wireless transmitters. |
The organization conducting the inspection/assessment obtains and examines the documented wireless transmitters to ensure the organization being inspected/assessed defines the wireless transmitters that are to have cryptographic mechanisms implemented by the information system to prevent the identification of the wireless transmitters.
DoD has determined the wireless transmitters are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the wireless transmitters that are to have cryptographic mechanisms implemented by the information system to prevent the identification of the wireless transmitters.
DoD has determined the wireless transmitters are not appropriate to define at the Enterprise level. |
Wireless Link Protection | Signal Parameter Identification |
SC-40 (4) |
SC-40(4).1 |
Radio fingerprinting techniques identify the unique signal parameters of transmitters to fingerprint such transmitters for purposes of tracking and mission/user identification. This control enhancement protects against the unique identification of wireless transmitters for purposes of intelligence exploitation by ensuring that anti-fingerprinting alterations to signal parameters are not predictable by unauthorized individuals. This control enhancement helps assure mission success when anonymity is required. Related controls: SC-12, SC-13. |
The information system implements cryptographic mechanisms to prevent the identification of [Assignment: organization-defined wireless transmitters] by using the transmitter signal parameters. |
| CCI-002543 |
The information system implements cryptographic mechanisms to prevent the identification of organization-defined wireless transmitters by using the transmitter signal parameters. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement cryptographic mechanisms to prevent the identification of wireless transmitters defined in SC-40 (4), CCI 2542 by using the transmitter signal parameters.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2543. |
The organization being inspected/assessed configures the information system to implement cryptographic mechanisms to prevent the identification of wireless transmitters defined in SC-40 (4), CCI 2542 by using the transmitter signal parameters.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2543. |
Wireless Link Protection | Signal Parameter Identification |
SC-40 (4) |
SC-40(4).2 |
Radio fingerprinting techniques identify the unique signal parameters of transmitters to fingerprint such transmitters for purposes of tracking and mission/user identification. This control enhancement protects against the unique identification of wireless transmitters for purposes of intelligence exploitation by ensuring that anti-fingerprinting alterations to signal parameters are not predictable by unauthorized individuals. This control enhancement helps assure mission success when anonymity is required. Related controls: SC-12, SC-13. |
The information system implements cryptographic mechanisms to prevent the identification of [Assignment: organization-defined wireless transmitters] by using the transmitter signal parameters. |
| CCI-002544 |
The organization defines the information systems or information system components on which organization-defined connection ports or input/output devices are to be physically disabled or removed. |
The organization conducting the inspection/assessment obtains and examines the documented information systems or information system components to ensure the organization being inspected/assessed defines the information systems or information system components on which organization-defined connection ports or input/output devices are to be physically disabled or removed.
DoD has determined the information systems or information system components are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information systems or information system components on which organization-defined connection ports or input/output devices are to be physically disabled or removed.
DoD has determined the information systems or information system components are not appropriate to define at the Enterprise level. |
Port And I/O Device Access |
SC-41 |
SC-41.1 |
Connection ports include, for example, Universal Serial Bus (USB) and Firewire (IEEE 1394). Input/output (I/O) devices include, for example, Compact Disk (CD) and Digital Video Disk (DVD) drives. Physically disabling or removing such connection ports and I/O devices helps prevent exfiltration of information from information systems and the introduction of malicious code into systems from those ports/devices. |
The organization physically disables or removes [Assignment: organization-defined connection ports or input/output devices] on [Assignment: organization-defined information systems or information system components]. |
| CCI-002545 |
The organization defines the connection ports or input/output devices that are to be physically disabled or removed from organization-defined information systems or information system components. |
The organization conducting the inspection/assessment obtains and examines the documented connection ports or input/output devices to ensure the organization being inspected/assessed defines the connection ports or input/output devices that are to be physically disabled or removed from organization-defined information systems or information system components.
DoD has determined the connection ports or input/output devices are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the connection ports or input/output devices that are to be physically disabled or removed from organization-defined information systems or information system components.
DoD has determined the connection ports or input/output devices are not appropriate to define at the Enterprise level. |
Port And I/O Device Access |
SC-41 |
SC-41.2 |
Connection ports include, for example, Universal Serial Bus (USB) and Firewire (IEEE 1394). Input/output (I/O) devices include, for example, Compact Disk (CD) and Digital Video Disk (DVD) drives. Physically disabling or removing such connection ports and I/O devices helps prevent exfiltration of information from information systems and the introduction of malicious code into systems from those ports/devices. |
The organization physically disables or removes [Assignment: organization-defined connection ports or input/output devices] on [Assignment: organization-defined information systems or information system components]. |
| CCI-002546 |
The organization physically disables or removes organization-defined connection ports or input/output devices on organization-defined information systems or information system components. |
The organization conducting the inspection/assessment examines a sampling of devices to ensure the organization being inspected/assessed physically disables or removes connection ports or input/output devices defined in SC-41, CCI 2545 on information systems or information system components defined in SC-41, CCI 2544. |
The organization being inspected/assessed physically disables or removes connection ports or input/output devices defined in SC-41, CCI 2545 on information systems or information system components defined in SC-41, CCI 2544. |
Port And I/O Device Access |
SC-41 |
SC-41.3 |
Connection ports include, for example, Universal Serial Bus (USB) and Firewire (IEEE 1394). Input/output (I/O) devices include, for example, Compact Disk (CD) and Digital Video Disk (DVD) drives. Physically disabling or removing such connection ports and I/O devices helps prevent exfiltration of information from information systems and the introduction of malicious code into systems from those ports/devices. |
The organization physically disables or removes [Assignment: organization-defined connection ports or input/output devices] on [Assignment: organization-defined information systems or information system components]. |
| CCI-002547 |
The organization defines the exceptions where remote activation of sensors is allowed. |
The organization conducting the inspection/assessment obtains and examines the documented exceptions to ensure the organization being inspected/assessed defines the exceptions where remote activation of sensors is allowed.
DoD has determined the exceptions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the exceptions where remote activation of sensors is allowed.
DoD has determined the exceptions are not appropriate to define at the Enterprise level. |
Sensor Capability And Data |
SC-42 |
SC-42.1 |
This control often applies to types of information systems or system components characterized as mobile devices, for example, smart phones, tablets, and E-readers. These systems often include sensors that can collect and record data regarding the environment where the system is in use. Sensors that are embedded within mobile devices include, for example, cameras, microphones, Global Positioning System (GPS) mechanisms, and accelerometers. While the sensors on mobiles devices provide an important function, if activated covertly, such devices can potentially provide a means for adversaries to learn valuable information about individuals and organizations. For example, remotely activating the GPS function on a mobile device could provide an adversary with the ability to track the specific movements of an individual. |
The information system:
a. Prohibits the remote activation of environmental sensing capabilities with the following exceptions: [Assignment: organization-defined exceptions where remote activation of sensors is allowed]; and
b. Provides an explicit indication of sensor use to [Assignment: organization-defined class of users]. |
| CCI-002548 |
The information system prohibits the remote activation of environmental sensing capabilities except for the organization-defined exceptions where remote activation of sensors is allowed. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prohibit the remote activation of environmental sensing capabilities except for the exceptions defined in SC-42, CCI 2547 where remote activation of sensors is allowed.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2548. |
The organization being inspected/assessed configures the information system to prohibit the remote activation of environmental sensing capabilities except for the exceptions defined in SC-42, CCI 2547 where remote activation of sensors is allowed.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2548. |
Sensor Capability And Data |
SC-42 |
SC-42.2 |
This control often applies to types of information systems or system components characterized as mobile devices, for example, smart phones, tablets, and E-readers. These systems often include sensors that can collect and record data regarding the environment where the system is in use. Sensors that are embedded within mobile devices include, for example, cameras, microphones, Global Positioning System (GPS) mechanisms, and accelerometers. While the sensors on mobiles devices provide an important function, if activated covertly, such devices can potentially provide a means for adversaries to learn valuable information about individuals and organizations. For example, remotely activating the GPS function on a mobile device could provide an adversary with the ability to track the specific movements of an individual. |
The information system:
a. Prohibits the remote activation of environmental sensing capabilities with the following exceptions: [Assignment: organization-defined exceptions where remote activation of sensors is allowed]; and
b. Provides an explicit indication of sensor use to [Assignment: organization-defined class of users]. |
| CCI-002549 |
The organization defines the class of users to receive explicit indication of sensor use. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the class of users all users unless documented by exception. |
DoD has defined the class of users all users unless documented by exception. |
Sensor Capability And Data |
SC-42 |
SC-42.3 |
This control often applies to types of information systems or system components characterized as mobile devices, for example, smart phones, tablets, and E-readers. These systems often include sensors that can collect and record data regarding the environment where the system is in use. Sensors that are embedded within mobile devices include, for example, cameras, microphones, Global Positioning System (GPS) mechanisms, and accelerometers. While the sensors on mobiles devices provide an important function, if activated covertly, such devices can potentially provide a means for adversaries to learn valuable information about individuals and organizations. For example, remotely activating the GPS function on a mobile device could provide an adversary with the ability to track the specific movements of an individual. |
The information system:
a. Prohibits the remote activation of environmental sensing capabilities with the following exceptions: [Assignment: organization-defined exceptions where remote activation of sensors is allowed]; and
b. Provides an explicit indication of sensor use to [Assignment: organization-defined class of users]. |
| CCI-002550 |
The information system provides an explicit indication of sensor use to the organization-defined class of users. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide an explicit indication of sensor use to all users unless documented by exception.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2550.
DoD has defined the class of users all users unless documented by exception. |
The organization being inspected/assessed configures the information system to provide an explicit indication of sensor use to all users unless documented by exception.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2550.
DoD has defined the class of users all users unless documented by exception. |
Sensor Capability And Data |
SC-42 |
SC-42.4 |
This control often applies to types of information systems or system components characterized as mobile devices, for example, smart phones, tablets, and E-readers. These systems often include sensors that can collect and record data regarding the environment where the system is in use. Sensors that are embedded within mobile devices include, for example, cameras, microphones, Global Positioning System (GPS) mechanisms, and accelerometers. While the sensors on mobiles devices provide an important function, if activated covertly, such devices can potentially provide a means for adversaries to learn valuable information about individuals and organizations. For example, remotely activating the GPS function on a mobile device could provide an adversary with the ability to track the specific movements of an individual. |
The information system:
a. Prohibits the remote activation of environmental sensing capabilities with the following exceptions: [Assignment: organization-defined exceptions where remote activation of sensors is allowed]; and
b. Provides an explicit indication of sensor use to [Assignment: organization-defined class of users]. |
| CCI-002551 |
The organization defines the sensors to be configured so that collected data or information is reported only to authorized individuals or roles. |
The organization conducting the inspection/assessment obtains and examines the documented sensors to ensure the organization being inspected/assessed defines the sensors to be configured so that collected data or information is reported only to authorized individuals or roles.
DoD has determined the sensors are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the sensors to be configured so that collected data or information is reported only to authorized individuals or roles.
DoD has determined the sensors are not appropriate to define at the Enterprise level. |
Sensor Capability And Data | Reporting To Authorized Individuals Or Roles |
SC-42 (1) |
SC-42(1).1 |
In situations where sensors are activated by authorized individuals (e.g., end users), it is still possible that the data/information collected by the sensors will be sent to unauthorized entities. |
The organization ensures that the information system is configured so that data or information collected by the [Assignment: organization-defined sensors] is only reported to authorized individuals or roles. |
| CCI-002552 |
The organization ensures that the information system is configured so that data or information collected by the organization-defined sensors is only reported to authorized individuals or roles. |
The organization conducting the inspection/assessed obtains and examines the documented process as well as a sampling of devices to ensure the organization being inspected/assessed configures the information system so that data or information collected by the sensors defined in SC-42 (1), CCI 2551 is only reported to authorized individuals or roles. |
The organization being inspected/assessed documents and implements a process to ensure that the information system is configured so that data or information collected by the sensors defined in SC-42 (1), CCI 2551 is only reported to authorized individuals or roles. |
Sensor Capability And Data | Reporting To Authorized Individuals Or Roles |
SC-42 (1) |
SC-42(1).2 |
In situations where sensors are activated by authorized individuals (e.g., end users), it is still possible that the data/information collected by the sensors will be sent to unauthorized entities. |
The organization ensures that the information system is configured so that data or information collected by the [Assignment: organization-defined sensors] is only reported to authorized individuals or roles. |
| CCI-002553 |
The organization defines the measures to be employed to ensure data or information collected by organization-defined sensors is used only for authorized purposes. |
The organization conducting the inspection/assessment obtains and examines the documented measures to ensure the organization being inspected/assessed defines the measures to be employed to ensure data or information collected by sensors defined in SC-42 (2), CCI 2554 is used only for authorized purposes.
DoD has determined the measures are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the measures to be employed to ensure data or information collected by sensors defined in SC-42 (2), CCI 2554 is used only for authorized purposes.
DoD has determined the measures are not appropriate to define at the Enterprise level. |
Sensor Capability And Data | Authorized Use |
SC-42 (2) |
SC-42(2).1 |
Information collected by sensors for a specific authorized purpose potentially could be misused for some unauthorized purpose. For example, GPS sensors that are used to support traffic navigation could be misused to track movements of individuals. Measures to mitigate such activities include, for example, additional training to ensure that authorized parties do not abuse their authority, or (in the case where sensor data/information is maintained by external parties) contractual restrictions on the use of the data/information. |
The organization employs the following measures: [Assignment: organization-defined measures], so that data or information collected by [Assignment: organization-defined sensors] is only used for authorized purposes.
|
| CCI-002554 |
The organization defines the sensors that are to collect data or information for authorized purposes. |
The organization conducting the inspection/assessment obtains and examines the documented sensors to ensure the organization being inspected/assessed defines the sensors that are to collect data or information for authorized purposes.
DoD has determined the sensors are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the sensors that are to collect data or information for authorized purposes.
DoD has determined the sensors are not appropriate to define at the Enterprise level. |
Sensor Capability And Data | Authorized Use |
SC-42 (2) |
SC-42(2).2 |
Information collected by sensors for a specific authorized purpose potentially could be misused for some unauthorized purpose. For example, GPS sensors that are used to support traffic navigation could be misused to track movements of individuals. Measures to mitigate such activities include, for example, additional training to ensure that authorized parties do not abuse their authority, or (in the case where sensor data/information is maintained by external parties) contractual restrictions on the use of the data/information. |
The organization employs the following measures: [Assignment: organization-defined measures], so that data or information collected by [Assignment: organization-defined sensors] is only used for authorized purposes.
|
| CCI-002555 |
The organization employs organization-defined measures, so that data or information collected by organization-defined sensors is only used for authorized purposes. |
The organization conducting the inspection/assessment ensures the measures defined in SC-42 (2), CCI 2553 are employed so that data or information collected by sensors defined in SC-42 (2), CCI 2554 is only used for authorized purposes. |
The organization being inspected/assessed employs measures defined in SC-42 (2), CCI 2553 so that data or information collected by sensors defined in SC-42 (2), CCI 2554 is only used for authorized purposes. |
Sensor Capability And Data | Authorized Use |
SC-42 (2) |
SC-42(2).3 |
Information collected by sensors for a specific authorized purpose potentially could be misused for some unauthorized purpose. For example, GPS sensors that are used to support traffic navigation could be misused to track movements of individuals. Measures to mitigate such activities include, for example, additional training to ensure that authorized parties do not abuse their authority, or (in the case where sensor data/information is maintained by external parties) contractual restrictions on the use of the data/information. |
The organization employs the following measures: [Assignment: organization-defined measures], so that data or information collected by [Assignment: organization-defined sensors] is only used for authorized purposes.
|
| CCI-002556 |
The organization defines the environmental sensing capabilities prohibited on devices used in organization-defined facilities, areas, or systems. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the environmental sensing capabilties as environmental sensing capabilities such as the recording audio or imagery (still or video) or transmitting information (i.e., cell phones, two way radios). |
DoD has defined the environmental sensing capabilties as environmental sensing capabilities such as the recording audio or imagery (still or video) or transmitting information (i.e., cell phones, two way radios). |
Sensor Capability And Data | Prohibit Use Of Devices |
SC-42 (3) |
SC-42(3).1 |
For example, organizations may prohibit individuals from bringing cell phones or digital cameras into certain facilities or specific controlled areas within facilities where classified information is stored or sensitive conversations are taking place. |
The organization prohibits the use of devices possessing [Assignment: organization-defined environmental sensing capabilities] in [Assignment: organization-defined facilities, areas, or systems].
|
| CCI-002557 |
The organization defines the facilities, areas, or systems where devices processing organization-defined environmental sensing capabilities are prohibited. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the facilities, areas, and systems as spaces where Classified information is stored, processed, displayed, or discussed. |
DoD has defined the facilities, areas, and systems as spaces where Classified information is stored, processed, displayed, or discussed. |
Sensor Capability And Data | Prohibit Use Of Devices |
SC-42 (3) |
SC-42(3).2 |
For example, organizations may prohibit individuals from bringing cell phones or digital cameras into certain facilities or specific controlled areas within facilities where classified information is stored or sensitive conversations are taking place. |
The organization prohibits the use of devices possessing [Assignment: organization-defined environmental sensing capabilities] in [Assignment: organization-defined facilities, areas, or systems].
|
| CCI-002558 |
The organization prohibits the use of devices possessing organization-defined environmental sensing capabilities in organization-defined facilities, areas, or systems. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed prohibits the use of devices possessing environmental sensing capabilities such as the recording audio or imagery (still or video) or transmitting information (i.e., cell phones, two way radios) in spaces where Classified information is stored, processed, displayed, or discussed.
DoD has defined the environmental sensing capabilties as environmental sensing capabilities such as the recording audio or imagery (still or video) or transmitting information (i.e., cell phones, two way radios).
DoD has defined the facilities, areas, and systems as spaces where Classified information is stored, processed, displayed, or discussed. |
The organization being inspected/assessed documents and implements a process to prohibit the use of devices possessing environmental sensing capabilities such as the recording audio or imagery (still or video) or transmitting information (i.e., cell phones, two way radios) in spaces where Classified information is stored, processed, displayed, or discussed.
DoD has defined the environmental sensing capabilties as environmental sensing capabilities such as the recording audio or imagery (still or video) or transmitting information (i.e., cell phones, two way radios).
DoD has defined the facilities, areas, and systems as spaces where Classified information is stored, processed, displayed, or discussed. |
Sensor Capability And Data | Prohibit Use Of Devices |
SC-42 (3) |
SC-42(3).3 |
For example, organizations may prohibit individuals from bringing cell phones or digital cameras into certain facilities or specific controlled areas within facilities where classified information is stored or sensitive conversations are taking place. |
The organization prohibits the use of devices possessing [Assignment: organization-defined environmental sensing capabilities] in [Assignment: organization-defined facilities, areas, or systems].
|
| CCI-002559 |
The organization defines the information system components for which usage restrictions and implementation guidance are to be established. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the information system components as all information system components (through the use of an acceptable use agreement). |
DoD has defined the information system components as all information system components (through the use of an acceptable use agreement). |
Usage Restrictions |
SC-43 |
SC-43.1 |
Information system components include hardware, software, or firmware components (e.g., Voice Over Internet Protocol, mobile code, digital copiers, printers, scanners, optical devices, wireless technologies, mobile devices). Related controls: CM-6, SC-7. |
The organization:
a. Establishes usage restrictions and implementation guidance for [Assignment: organization-defined information system components] based on the potential to cause damage to the information system if used maliciously; and
b. Authorizes, monitors, and controls the use of such components within the information system. |
| CCI-002560 |
The organization establishes usage restrictions and implementation guidance for organization-defined information system components based on the potential to cause damage to the information system if used maliciously. |
The organization conducting the inspection/assessment obtains and examines implementation guidance and usage restrictions and verifies that the organization has implemented them for all information system components (through the use of an acceptable use agreement).
DoD has defined the information system components as all information system components (through the use of an acceptable use agreement).
|
The organization being inspected/assessed develops and implements usage restrictions and implementation guidance for all information system components (through the use of an acceptable use agreement).
DoD has defined the information system components as all information system components (through the use of an acceptable use agreement). |
Usage Restrictions |
SC-43 |
SC-43.2 |
Information system components include hardware, software, or firmware components (e.g., Voice Over Internet Protocol, mobile code, digital copiers, printers, scanners, optical devices, wireless technologies, mobile devices). Related controls: CM-6, SC-7. |
The organization:
a. Establishes usage restrictions and implementation guidance for [Assignment: organization-defined information system components] based on the potential to cause damage to the information system if used maliciously; and
b. Authorizes, monitors, and controls the use of such components within the information system. |
| CCI-002561 |
The organization authorizes the use of organization-defined information system components which have the potential to cause damage to the information system if used maliciously. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of authorizations to ensure the organization being inspected/assessed authorizes the use of all information system components (through the use of an acceptable use agreement) which have the potential to cause damage to the information system if used maliciously.
DoD has defined the information system components as all information system components (through the use of an acceptable use agreement). |
The organization being inspected/assessed documents and implements a process to authorize the use of all information system components (through the use of an acceptable use agreement) which have the potential to cause damage to the information system if used maliciously.
The organization must maintain an audit trail of authorizations.
DoD has defined the information system components as all information system components (through the use of an acceptable use agreement). |
Usage Restrictions |
SC-43 |
SC-43.3 |
Information system components include hardware, software, or firmware components (e.g., Voice Over Internet Protocol, mobile code, digital copiers, printers, scanners, optical devices, wireless technologies, mobile devices). Related controls: CM-6, SC-7. |
The organization:
a. Establishes usage restrictions and implementation guidance for [Assignment: organization-defined information system components] based on the potential to cause damage to the information system if used maliciously; and
b. Authorizes, monitors, and controls the use of such components within the information system. |
| CCI-002562 |
The organization monitors the use of organization-defined information system components which have the potential to cause damage to the information system if used maliciously. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of monitoring to ensure the organization being inspected/assessed monitors the use of all information system components (through the use of an acceptable use agreement).
DoD has defined the information system components as all information system components (through the use of an acceptable use agreement). |
The organization being inspected/assessed documents and implements a process to monitor the use of all information system components (through the use of an acceptable use agreement) which have the potential to cause damage to the information system if used maliciously.
The organization must maintain an audit trail of monitoring.
DoD has defined the information system components as all information system components (through the use of an acceptable use agreement). |
Usage Restrictions |
SC-43 |
SC-43.4 |
Information system components include hardware, software, or firmware components (e.g., Voice Over Internet Protocol, mobile code, digital copiers, printers, scanners, optical devices, wireless technologies, mobile devices). Related controls: CM-6, SC-7. |
The organization:
a. Establishes usage restrictions and implementation guidance for [Assignment: organization-defined information system components] based on the potential to cause damage to the information system if used maliciously; and
b. Authorizes, monitors, and controls the use of such components within the information system. |
| CCI-002563 |
The organization controls the use of organization-defined information system components which have the potential to cause damage to the information system if used maliciously. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed controls the use of all information system components (through the use of an acceptable use agreement).
DoD has defined the information system components as all information system components (through the use of an acceptable use agreement). |
The organization being inspected/assessed documents and implements a process to control the use of all information system components (through the use of an acceptable use agreement) which have the potential to cause damage to the information system if used maliciously.
DoD has defined the information system components as all information system components (through the use of an acceptable use agreement).
|
Usage Restrictions |
SC-43 |
SC-43.5 |
Information system components include hardware, software, or firmware components (e.g., Voice Over Internet Protocol, mobile code, digital copiers, printers, scanners, optical devices, wireless technologies, mobile devices). Related controls: CM-6, SC-7. |
The organization:
a. Establishes usage restrictions and implementation guidance for [Assignment: organization-defined information system components] based on the potential to cause damage to the information system if used maliciously; and
b. Authorizes, monitors, and controls the use of such components within the information system. |
| CCI-002564 |
The organization defines the information system, system component, or location where a detonation chamber (i.e., dynamic execution environments) capability is employed. |
The organization conducting the inspection/assessment obtains and examines the documented information system, system components, or location to ensure the organization being inspected/assessed defines the information system, system components, or location where a detonation chamber (i.e., dynamic execution environments) capability is employed.
DoD has determined the defines the information system, system components, or location are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information system, system components, or location where a detonation chamber (i.e., dynamic execution environments) capability is employed.
DoD has determined the defines the information system, system components, or location are not appropriate to define at the Enterprise level. |
Detonation Chambers |
SC-44 |
SC-44.1 |
Detonation chambers, also known as dynamic execution environments, allow organizations to open email attachments, execute untrusted or suspicious applications, and execute Universal Resource Locator (URL) requests in the safety of an isolated environment or virtualized sandbox. These protected and isolated execution environments provide a means of determining whether the associated attachments/applications contain malicious code. While related to the concept of deception nets, the control is not intended to maintain a long-term environment in which adversaries can operate and their actions can be observed. Rather, it is intended to quickly identify malicious code and reduce the likelihood that the code is propagated to user environments of operation (or prevent such propagation completely). Related controls: SC-7, SC-25, SC-26, SC-30. |
The organization employs a detonation chamber capability within [Assignment: organization-defined information system, system component, or location]. |
| CCI-002565 |
The organization employs a detonation chamber (i.e., dynamic execution environments) capability within an organization-defined information system, system component, or location. |
The organization conducting the inspection/assessment obtains and examines the documented detonation chamber to ensure the organization being inspected/assessed employs a detonation chamber (i.e., dynamic execution environments, sandbox) capability within an information system, system component, or location defined in SC-44, CCI 2564. |
The organization being inspected/assessed implements a detonation chamber (i.e., dynamic execution environments, sandbox) capability within an information system, system component, or location defined in SC-44, CCI 2564.
The organization must maintain an audit trail of detonation chamber implementation. |
Detonation Chambers |
SC-44 |
SC-44.2 |
Detonation chambers, also known as dynamic execution environments, allow organizations to open email attachments, execute untrusted or suspicious applications, and execute Universal Resource Locator (URL) requests in the safety of an isolated environment or virtualized sandbox. These protected and isolated execution environments provide a means of determining whether the associated attachments/applications contain malicious code. While related to the concept of deception nets, the control is not intended to maintain a long-term environment in which adversaries can operate and their actions can be observed. Rather, it is intended to quickly identify malicious code and reduce the likelihood that the code is propagated to user environments of operation (or prevent such propagation completely). Related controls: SC-7, SC-25, SC-26, SC-30. |
The organization employs a detonation chamber capability within [Assignment: organization-defined information system, system component, or location]. |
| CCI-002601 |
The organization defines the personnel or roles to whom the system and information integrity policy and procedures are to be disseminated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as all appointed information assurance personnel. |
DoD has defined the personnel or roles as all appointed information assurance personnel. |
System And Information Integrity Policy And Procedures |
SI-1 |
SI-1.1 |
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SI family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and
b. Reviews and updates the current:
1. System and information integrity policy [Assignment: organization-defined frequency]; and
2. System and information integrity procedures [Assignment: organization-defined frequency]. |
| CCI-002602 |
The organization tests firmware updates related to flaw remediation for effectiveness before installation. |
The organization conducting the inspection/assessment obtains and examines the documented process and test results to ensure the organization being inspected/assessed tests firmware updates related to flaw remediation for effectiveness before installation. |
The organization being inspected/assessed documents and implements a process to test firmware updates related to flaw remediation for effectiveness before installation.
If the firmware update is being provided by a vendor who has documented the effectiveness of the update in fixing the affected IAVM/CVE, further testing by the organization may not be required. |
Flaw Remediation |
SI-2 |
SI-2.6 |
Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures. Related controls: CA-2, CA-7, CM-3, CM-5, CM-8, MA-2, IR-4, RA-5, SA-10, SA-11, SI-11. |
The organization:
a. Identifies, reports, and corrects information system flaws;
b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
d. Incorporates flaw remediation into the organizational configuration management process. |
| CCI-002603 |
The organization tests firmware updates related to flaw remediation for potential side effects before installation. |
The organization conducting the inspection/assessment obtains and examines the documented process and test results to ensure the organization being inspected/assessed tests firmware updates related to flaw remediation for potential side effects before installation. |
The organization being inspected/assessed documents and implements a process for regression testing IAW CM-4 to identify any potential side effects before installation of software updates. |
Flaw Remediation |
SI-2 |
SI-2.7 |
Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures. Related controls: CA-2, CA-7, CM-3, CM-5, CM-8, MA-2, IR-4, RA-5, SA-10, SA-11, SI-11. |
The organization:
a. Identifies, reports, and corrects information system flaws;
b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
d. Incorporates flaw remediation into the organizational configuration management process. |
| CCI-002604 |
The organization defines the time period following the release of updates within which security-related software updates are to be installed. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as 30 days |
DoD has defined the time period as 30 days. |
Flaw Remediation |
SI-2 |
SI-2.8 |
Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures. Related controls: CA-2, CA-7, CM-3, CM-5, CM-8, MA-2, IR-4, RA-5, SA-10, SA-11, SI-11. |
The organization:
a. Identifies, reports, and corrects information system flaws;
b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
d. Incorporates flaw remediation into the organizational configuration management process. |
| CCI-002605 |
The organization installs security-relevant software updates within an organization-defined time period of the release of the updates. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to install security-relevant software updates within 30 days of the release of the updates.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2605.
DoD has defined the time period as 30 days. |
The organization being inspected/assessed configures the information system to install security-relevant software updates within 30 days of the release of the updates
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2605.
DoD has defined the time period as 30 days. |
Flaw Remediation |
SI-2 |
SI-2.9 |
Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures. Related controls: CA-2, CA-7, CM-3, CM-5, CM-8, MA-2, IR-4, RA-5, SA-10, SA-11, SI-11. |
The organization:
a. Identifies, reports, and corrects information system flaws;
b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
d. Incorporates flaw remediation into the organizational configuration management process. |
| CCI-002606 |
The organization defines the time period following the release of updates within which security-related firmware updates are to be installed. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as 30 days |
DoD has defined the time period as 30 days. |
Flaw Remediation |
SI-2 |
SI-2.10 |
Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures. Related controls: CA-2, CA-7, CM-3, CM-5, CM-8, MA-2, IR-4, RA-5, SA-10, SA-11, SI-11. |
The organization:
a. Identifies, reports, and corrects information system flaws;
b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
d. Incorporates flaw remediation into the organizational configuration management process. |
| CCI-002607 |
The organization installs security-relevant firmware updates within an organization-defined time period of the release of the updates. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to install security-relevant firmware updates within 30 days of the release of the updates.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2607.
DoD has defined the time period as 30 days. |
The organization being inspected/assessed configures the information system to install security-relevant firmware updates within 30 days of the release of the updates.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2607.
DoD has defined the time period as 30 days. |
Flaw Remediation |
SI-2 |
SI-2.11 |
Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures. Related controls: CA-2, CA-7, CM-3, CM-5, CM-8, MA-2, IR-4, RA-5, SA-10, SA-11, SI-11. |
The organization:
a. Identifies, reports, and corrects information system flaws;
b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
d. Incorporates flaw remediation into the organizational configuration management process. |
| CCI-002608 |
The organization establishes organization-defined benchmarks for the time taken to apply corrective actions after flaw identification. |
The organization conducting the inspection/assessment obtains and examines records of corrective actions taken to ensure the organization being inspected/assessed implements benchmarks for the time taken to apply corrective actions after flaw identification IAW the period directed by an authorative source (e.g. IAVM, CTOs, DTMs, STIGs).
DoD has defined the benchmarks as within the time period directed by an authorative source (e.g. IAVM, CTOs, DTMs, STIGs). |
The organization being inspected/assessed implements benchmarks for the time taken to apply corrective actions after flaw identification IAW the period directed by an authorative source (e.g. IAVM, CTOs, DTMs, STIGs).
DoD has defined the benchmarks as within the time period directed by an authorative source (e.g. IAVM, CTOs, DTMs, STIGs). |
Flaw Remediation | Time To Remediate Flaws / Benchmarks For Corrective Actions |
SI-2 (3) |
SI-2(3).3 |
This control enhancement requires organizations to determine the current time it takes on the average to correct information system flaws after such flaws have been identified, and subsequently establish organizational benchmarks (i.e., time frames) for taking corrective actions. Benchmarks can be established by type of flaw and/or severity of the potential vulnerability if the flaw can be exploited. |
The organization:
(a) Measures the time between flaw identification and flaw remediation; and
(b) Establishes [Assignment: organization-defined benchmarks] for taking corrective actions. |
| CCI-002609 |
The organization defines the information system components on which organization-defined security-relevant software updates will be automatically installed. |
The organization conducting the inspection/assessment obtains and examines the documented information system components to ensure the organization being inspected/assessed defines the information system components on which organization-defined security-relevant software updates will be automatically installed.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information system components on which organization-defined security-relevant software updates will be automatically installed.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
Flaw Remediation | Automatic Software / Firmware Updates |
SI-2 (5) |
SI-2(5).1 |
Due to information system integrity and availability concerns, organizations give careful consideration to the methodology used to carry out automatic updates. Organizations must balance the need to ensure that the updates are installed as soon as possible with the need to maintain configuration management and with any mission or operational impacts that automatic updates might impose. |
The organization installs [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined information system components]. |
| CCI-002610 |
The organization defines the information system components on which organization-defined security-relevant firmware updates will be automatically installed. |
The organization conducting the inspection/assessment obtains and examines the documented information system components to ensure the organization being inspected/assessed defines the information system components on which organization-defined security-relevant firmware updates will be automatically installed.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information system components on which organization-defined security-relevant firmware updates will be automatically installed.
DoD has determined the information system components are not appropriate to define at the Enterprise level. |
Flaw Remediation | Automatic Software / Firmware Updates |
SI-2 (5) |
SI-2(5).2 |
Due to information system integrity and availability concerns, organizations give careful consideration to the methodology used to carry out automatic updates. Organizations must balance the need to ensure that the updates are installed as soon as possible with the need to maintain configuration management and with any mission or operational impacts that automatic updates might impose. |
The organization installs [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined information system components]. |
| CCI-002611 |
The organization defines the security-relevant software updates to be automatically installed on organization-defined information system components. |
The organization conducting the inspection/assessment obtains and examines the documented security-relevant software updates to ensure the organization being inspected/assessed defines the security-relevant software updates to be automatically installed on organization-defined information system components.
DoD has determined the security-relevant software updates are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security-relevant software updates to be automatically installed on organization-defined information system components.
DoD has determined the security-relevant software updates are not appropriate to define at the Enterprise level. |
Flaw Remediation | Automatic Software / Firmware Updates |
SI-2 (5) |
SI-2(5).3 |
Due to information system integrity and availability concerns, organizations give careful consideration to the methodology used to carry out automatic updates. Organizations must balance the need to ensure that the updates are installed as soon as possible with the need to maintain configuration management and with any mission or operational impacts that automatic updates might impose. |
The organization installs [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined information system components]. |
| CCI-002612 |
The organization defines the security-relevant firmware updates to be automatically installed on organization-defined information system components. |
The organization conducting the inspection/assessment obtains and examines the documented security-relevant firmware updates to ensure the organization being inspected/assessed defines the security-relevant firmware updates to be automatically installed on organization-defined information system components.
DoD has determined the security-relevant firmware updates are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security-relevant firmware updates to be automatically installed on organization-defined information system components.
DoD has determined the security-relevant firmware updates are not appropriate to define at the Enterprise level. |
Flaw Remediation | Automatic Software / Firmware Updates |
SI-2 (5) |
SI-2(5).4 |
Due to information system integrity and availability concerns, organizations give careful consideration to the methodology used to carry out automatic updates. Organizations must balance the need to ensure that the updates are installed as soon as possible with the need to maintain configuration management and with any mission or operational impacts that automatic updates might impose. |
The organization installs [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined information system components]. |
| CCI-002613 |
The organization installs organization-defined security-relevant software updates automatically to organization-defined information system components. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to install security-relevant software updates defined in SI-2 (5), CCI 2611 automatically to information system components defined in SI-2 (5), CCI 2609.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2613. |
The organization being inspected/assessed configures the information system to install security-relevant software updates defined in SI-2 (5), CCI 2611 automatically to information system components defined in SI-2 (5), CCI 2609.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2613. |
Flaw Remediation | Automatic Software / Firmware Updates |
SI-2 (5) |
SI-2(5).5 |
Due to information system integrity and availability concerns, organizations give careful consideration to the methodology used to carry out automatic updates. Organizations must balance the need to ensure that the updates are installed as soon as possible with the need to maintain configuration management and with any mission or operational impacts that automatic updates might impose. |
The organization installs [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined information system components]. |
| CCI-002614 |
The organization installs organization-defined security-relevant firmware updates automatically to organization-defined information system components. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to install security-relevant firmware updates defined in SI-2 (5), CCI 2612 automatically to information system components defined in SI-2 (5), CCI 2610.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2614. |
The organization being inspected/assessed configures the information system to install security-relevant firmware updates defined in SI-2 (5), CCI 2612 automatically to information system components defined in SI-2 (5), CCI 2610.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2614. |
Flaw Remediation | Automatic Software / Firmware Updates |
SI-2 (5) |
SI-2(5).6 |
Due to information system integrity and availability concerns, organizations give careful consideration to the methodology used to carry out automatic updates. Organizations must balance the need to ensure that the updates are installed as soon as possible with the need to maintain configuration management and with any mission or operational impacts that automatic updates might impose. |
The organization installs [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined information system components]. |
| CCI-002615 |
The organization defines the software components to be removed (e.g., previous versions) after updated versions have been installed. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the software components as all upgraded/replaced software components that are no longer required for operation. |
DoD has defined the software components as all upgraded/replaced software components that are no longer required for operation. |
Flaw Remediation | Removal Of Previous Versions Of Software / Firmware |
SI-2 (6) |
SI-2(6).1 |
Previous versions of software and/or firmware components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software and/or firmware automatically from the information system. |
The organization removes [Assignment: organization-defined software and firmware components] after updated versions have been installed. |
| CCI-002616 |
The organization defines the firmware components to be removed (e.g., previous versions) after updated versions have been installed. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the firmware components as all upgraded/replaced firmware components that are no longer required for operation. |
DoD has defined the firmware components as all upgraded/replaced firmware components that are no longer required for operation. |
Flaw Remediation | Removal Of Previous Versions Of Software / Firmware |
SI-2 (6) |
SI-2(6).2 |
Previous versions of software and/or firmware components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software and/or firmware automatically from the information system. |
The organization removes [Assignment: organization-defined software and firmware components] after updated versions have been installed. |
| CCI-002617 |
The organization removes organization-defined software components (e.g., previous versions) after updated versions have been installed. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to remove all upgraded/replaced software components that are no longer required for operation (e.g., previous versions) after updated versions have been installed.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2617.
DoD has defined the software components as all upgraded/replaced software components that are no longer required for operation. |
The organization being inspected/assessed configures the information system to remove all upgraded/replaced software components that are no longer required for operation (e.g., previous versions) after updated versions have been installed.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2617.
DoD has defined the software components as all upgraded/replaced software components that are no longer required for operation. |
Flaw Remediation | Removal Of Previous Versions Of Software / Firmware |
SI-2 (6) |
SI-2(6).3 |
Previous versions of software and/or firmware components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software and/or firmware automatically from the information system. |
The organization removes [Assignment: organization-defined software and firmware components] after updated versions have been installed. |
| CCI-002618 |
The organization removes organization-defined firmware components (e.g., previous versions) after updated versions have been installed. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to remove all upgraded/replaced firmware components that are no longer required for operation (e.g., previous versions) after updated versions have been installed.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2618.
DoD has defined the firmware components as all upgraded/replaced firmware components that are no longer required for operation. |
The organization being inspected/assessed configures the information system to remove all upgraded/replaced firmware components that are no longer required for operation e.g., previous versions) after updated versions have been installed.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2618.
DoD has defined the firmware components as all upgraded/replaced firmware components that are no longer required for operation. |
Flaw Remediation | Removal Of Previous Versions Of Software / Firmware |
SI-2 (6) |
SI-2(6).4 |
Previous versions of software and/or firmware components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software and/or firmware automatically from the information system. |
The organization removes [Assignment: organization-defined software and firmware components] after updated versions have been installed. |
| CCI-002619 |
The organization employs malicious code protection mechanisms at information system entry points to detect malicious code. |
The organization conducting the inspection/assessment examines the information system architecture as well as the organization's documentation of information system entry points and verifies that malicious code protection mechanisms are implemented. |
The organization being inspected/assessed identifies and documents the information system entry points and implements malicious code protection mechanisms at those entry points to detect malicious code.
Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. |
Malicious Code Protection |
SI-3 |
SI-3.1 |
Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13, SC-7, SC-26, SC-44, SI-2, SI-4, SI-7. |
The organization:
a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
c. Configures malicious code protection mechanisms to:
1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. |
| CCI-002620 |
The organization employs malicious code protection mechanisms at information system exit points to detect malicious code. |
The organization conducting the inspection/assessment examines the information system architecture as well as the organization's documentation of information system exit points and verifies that malicious code protection mechanisms are implemented. |
The organization being inspected/assessed identifies and documents the information system exit points and implements malicious code protection mechanisms at those exit points to detect malicious code.
Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. |
Malicious Code Protection |
SI-3 |
SI-3.2 |
Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13, SC-7, SC-26, SC-44, SI-2, SI-4, SI-7. |
The organization:
a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
c. Configures malicious code protection mechanisms to:
1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. |
| CCI-002621 |
The organization employs malicious code protection mechanisms at information system entry points to eradicate malicious code. |
The organization conducting the inspection/assessment examines the information system architecture as well as the organization's documentation of information system entry points and verifies that malicious code protection mechanisms are implemented to eradicate malicious code. |
The organization being inspected/assessed configures the malicious code protection mechanisms identified in SI-3, CCI 2619 to eradicate malicious code. |
Malicious Code Protection |
SI-3 |
SI-3.3 |
Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13, SC-7, SC-26, SC-44, SI-2, SI-4, SI-7. |
The organization:
a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
c. Configures malicious code protection mechanisms to:
1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. |
| CCI-002622 |
The organization employs malicious code protection mechanisms at information system exit points to eradicate malicious code. |
The organization conducting the inspection/assessment examines the information system architecture as well as the organization's documentation of information system exit points and verifies that malicious code protection mechanisms are implemented to eradicate malicious code. |
The organization being inspected/assessed configures the malicious code protection mechanisms identified in SI-3, CCI 2620 to eradicate malicious code. |
Malicious Code Protection |
SI-3 |
SI-3.4 |
Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13, SC-7, SC-26, SC-44, SI-2, SI-4, SI-7. |
The organization:
a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
c. Configures malicious code protection mechanisms to:
1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. |
| CCI-002623 |
The organization defines the frequency for performing periodic scans of the information system for malicious code. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as every 7 days. |
DoD has defined the frequency as every 7 days. |
Malicious Code Protection |
SI-3 |
SI-3.6 |
Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13, SC-7, SC-26, SC-44, SI-2, SI-4, SI-7. |
The organization:
a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
c. Configures malicious code protection mechanisms to:
1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. |
| CCI-002624 |
The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures malicious code protection mechanisms to perform real-time scans of files from external sources at network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2624. |
The organization being inspected/assessed configures the malicious code protection mechanisms to perform real-time scans of files from external sources at network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2624. |
Malicious Code Protection |
SI-3 |
SI-3.7 |
Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13, SC-7, SC-26, SC-44, SI-2, SI-4, SI-7. |
The organization:
a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
c. Configures malicious code protection mechanisms to:
1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. |
| CCI-002625 |
The organization, when testing malicious code protection mechanisms, verifies the detection of the test case occurs. |
The organization conducting the inspection/assessment obtains and examines the audit trail of test cases and successful or failed detection to ensure the organization being inspected/assessed verifies the detection of the test case occurs when testing malicious code protection mechanisms. |
The organization being inspected/assessed verifies the detection of the test case occurs when testing malicious code protection mechanisms.
The organization must maintain an audit trail of test cases and successful or failed detection. |
Malicious Code Protection | Testing / Verification |
SI-3 (6) |
SI-3(6).3 |
Related controls: CA-2, CA-7, RA-5. |
The organization:
(a) Tests malicious code protection mechanisms [Assignment: organization-defined frequency] by introducing a known benign, non-spreading test case into the information system; and
(b) Verifies that both detection of the test case and associated incident reporting occur. |
| CCI-002626 |
The organization, when testing malicious code protection mechanisms, verifies the incident reporting of the test case occurs. |
The organization conducting the inspection/assessment obtains and examines the audit trail of test cases and success or failure to ensure the organization being inspected/assessed verifies the incident reporting of the test case occurs when testing malicious code protection mechanisms. |
The organization being inspected/assessed verifies the incident reporting of the test case occurs when testing malicious code protection mechanisms.
The organization must maintain an audit trail of test cases and success or failure. |
Malicious Code Protection | Testing / Verification |
SI-3 (6) |
SI-3(6).4 |
Related controls: CA-2, CA-7, RA-5. |
The organization:
(a) Tests malicious code protection mechanisms [Assignment: organization-defined frequency] by introducing a known benign, non-spreading test case into the information system; and
(b) Verifies that both detection of the test case and associated incident reporting occur. |
| CCI-002627 |
The information system implements nonsignature-based malicious code detection mechanisms. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement nonsignature-based malicious code detection mechanisms.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2627. |
The organization being inspected/assessed configures the information system to implement nonsignature-based malicious code detection mechanisms.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2627.
Nonsignature-based detection mechanisms include, for example, the use of heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide safeguards against malicious code for which signatures do not yet exist or for which existing signatures may not be effective. |
Malicious Code Protection | Nonsignature-Based Detection |
SI-3 (7) |
SI-3(7).1 |
Nonsignature-based detection mechanisms include, for example, the use of heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide safeguards against malicious code for which signatures do not yet exist or for which existing signatures may not be effective. This includes polymorphic malicious code (i.e., code that changes signatures when it replicates). This control enhancement does not preclude the use of signature-based detection mechanisms. |
The information system implements nonsignature-based malicious code detection mechanisms. |
| CCI-002628 |
The organization defines the unauthorized operating system commands that are to be detected through the kernel application programming interface by organization-defined information system hardware components. |
The organization conducting the inspection/assessment obtains and examines the documented unauthorized operating system commands to ensure the organization being inspected/assessed defines the unauthorized operating system commands that are to be detected through the kernel application programming interface by organization-defined information system hardware components.
DoD has determined the unauthorized operating system commands are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the unauthorized operating system commands that are to be detected through the kernel application programming interface by organization-defined information system hardware components.
DoD has determined the unauthorized operating system commands are not appropriate to define at the Enterprise level. |
Malicious Code Protection | Detect Unauthorized Commands |
SI-3 (8) |
SI-3(8).1 |
This control enhancement can also be applied to critical interfaces other than kernel-based interfaces, including for example, interfaces with virtual machines and privileged applications. Unauthorized operating system commands include, for example, commands for kernel functions from information system processes that are not trusted to initiate such commands, or commands for kernel functions that are suspicious even though commands of that type are reasonable for processes to initiate. Organizations can define the malicious commands to be detected by a combination of command types, command classes, or specific instances of commands. Organizations can define hardware components by specific component, component type, location in the network, or combination therein. Organizations may select different actions for different types/classes/specific instances of potentially malicious commands. Related control: AU-6. |
The information system detects [Assignment: organization-defined unauthorized operating system commands] through the kernel application programming interface at [Assignment: organization defined information system hardware components] and [Selection (one or more): issues a warning; audits the command execution; prevents the execution of the command].
|
| CCI-002629 |
The organization defines the information system hardware components that are to detect organization-defined unauthorized operating system commands through the kernel programming application interface. |
The organization conducting the inspection/assessment obtains and examines the documented information system hardware components to ensure the organization being inspected/assessed defines the information system hardware components that are to detect organization-defined unauthorized operating system commands through the kernel application interface.
DoD has determined the information system hardware components are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information system hardware components that are to detect organization-defined unauthorized operating system commands through the kernel application interface.
DoD has determined the information system hardware components are not appropriate to define at the Enterprise level. |
Malicious Code Protection | Detect Unauthorized Commands |
SI-3 (8) |
SI-3(8).2 |
This control enhancement can also be applied to critical interfaces other than kernel-based interfaces, including for example, interfaces with virtual machines and privileged applications. Unauthorized operating system commands include, for example, commands for kernel functions from information system processes that are not trusted to initiate such commands, or commands for kernel functions that are suspicious even though commands of that type are reasonable for processes to initiate. Organizations can define the malicious commands to be detected by a combination of command types, command classes, or specific instances of commands. Organizations can define hardware components by specific component, component type, location in the network, or combination therein. Organizations may select different actions for different types/classes/specific instances of potentially malicious commands. Related control: AU-6. |
The information system detects [Assignment: organization-defined unauthorized operating system commands] through the kernel application programming interface at [Assignment: organization defined information system hardware components] and [Selection (one or more): issues a warning; audits the command execution; prevents the execution of the command].
|
| CCI-002630 |
The information system detects organization-defined unauthorized operating system commands through the kernel application programming interface at organization-defined information system hardware components. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to detect unauthorized operating system commands defined in SI-3 (8), CCI 2628 through the kernel application programming interface at information system hardware components defined in SI-3 (8), CCI 2629.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2630. |
The organization being inspected/assessed configures the information system to detect unauthorized operating system commands defined in SI-3 (8), CCI 2628 through the kernel application programming interface at information system hardware components defined in SI-3 (8), CCI 2629.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2630. |
Malicious Code Protection | Detect Unauthorized Commands |
SI-3 (8) |
SI-3(8).3 |
This control enhancement can also be applied to critical interfaces other than kernel-based interfaces, including for example, interfaces with virtual machines and privileged applications. Unauthorized operating system commands include, for example, commands for kernel functions from information system processes that are not trusted to initiate such commands, or commands for kernel functions that are suspicious even though commands of that type are reasonable for processes to initiate. Organizations can define the malicious commands to be detected by a combination of command types, command classes, or specific instances of commands. Organizations can define hardware components by specific component, component type, location in the network, or combination therein. Organizations may select different actions for different types/classes/specific instances of potentially malicious commands. Related control: AU-6. |
The information system detects [Assignment: organization-defined unauthorized operating system commands] through the kernel application programming interface at [Assignment: organization defined information system hardware components] and [Selection (one or more): issues a warning; audits the command execution; prevents the execution of the command].
|
| CCI-002631 |
The information system issues a warning, audits the command execution, or prevents the execution of the command when organization-defined unauthorized operating system commands are detected. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to issue a warning, audits the command execution, or prevents the execution of the command when unauthorized operating system commands defined in SI-3 (8), CCI 2628 are detected.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2631. |
The organization being inspected/assessed configures the information system to issue a warning, audits the command execution, or prevents the execution of the command when unauthorized operating system commands defined in SI-3 (8), CCI 2628 are detected.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2631. |
Malicious Code Protection | Detect Unauthorized Commands |
SI-3 (8) |
SI-3(8).4 |
This control enhancement can also be applied to critical interfaces other than kernel-based interfaces, including for example, interfaces with virtual machines and privileged applications. Unauthorized operating system commands include, for example, commands for kernel functions from information system processes that are not trusted to initiate such commands, or commands for kernel functions that are suspicious even though commands of that type are reasonable for processes to initiate. Organizations can define the malicious commands to be detected by a combination of command types, command classes, or specific instances of commands. Organizations can define hardware components by specific component, component type, location in the network, or combination therein. Organizations may select different actions for different types/classes/specific instances of potentially malicious commands. Related control: AU-6. |
The information system detects [Assignment: organization-defined unauthorized operating system commands] through the kernel application programming interface at [Assignment: organization defined information system hardware components] and [Selection (one or more): issues a warning; audits the command execution; prevents the execution of the command].
|
| CCI-002632 |
The organization defines the remote commands that are to be authenticated using organization-defined safeguards for malicious code protection. |
The organization conducting the inspection/assessment obtains and examines the documented remote commands to ensure the organization being inspected/assessed defines the remote commands that are to be authenticated using organization-defined safeguards for malicious code protection.
DoD has determined the remote commands are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the remote commands that are to be authenticated using organization-defined safeguards for malicious code protection.
DoD has determined the remote commands are not appropriate to define at the Enterprise level. |
Malicious Code Protection | Authenticate Remote Commands |
SI-3 (9) |
SI-3(9).1 |
This control enhancement protects against unauthorized commands and replay of authorized commands. This capability is important for those remote information systems whose loss, malfunction, misdirection, or exploitation would have immediate and/or serious consequences (e.g., injury or death, property damage, loss of high-valued assets or sensitive information, or failure of important missions/business functions). Authentication safeguards for remote commands help to ensure that information systems accept and execute in the order intended, only authorized commands, and that unauthorized commands are rejected. Cryptographic mechanisms can be employed, for example, to authenticate remote commands. Related controls: SC-12, SC-13, SC-23. |
The information system implements [Assignment: organization-defined security safeguards] to authenticate [Assignment: organization-defined remote commands]. |
| CCI-002633 |
The organization defines the security safeguards to be implemented to authenticate organization-defined remote commands for malicious code protection. |
The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure the organization being inspected/assessed defines the security safeguards to be implemented to authenticate organization-defined remote commands for malicious code protection.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security safeguards to be implemented to authenticate organization-defined remote commands for malicious code protection.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
Malicious Code Protection | Authenticate Remote Commands |
SI-3 (9) |
SI-3(9).2 |
This control enhancement protects against unauthorized commands and replay of authorized commands. This capability is important for those remote information systems whose loss, malfunction, misdirection, or exploitation would have immediate and/or serious consequences (e.g., injury or death, property damage, loss of high-valued assets or sensitive information, or failure of important missions/business functions). Authentication safeguards for remote commands help to ensure that information systems accept and execute in the order intended, only authorized commands, and that unauthorized commands are rejected. Cryptographic mechanisms can be employed, for example, to authenticate remote commands. Related controls: SC-12, SC-13, SC-23. |
The information system implements [Assignment: organization-defined security safeguards] to authenticate [Assignment: organization-defined remote commands]. |
| CCI-002634 |
The organization defines the tools to be employed to analyze the characteristics and behavior of malicious code. |
The organization conducting the inspection/assessment obtains and examines the documented tools to ensure the organization being inspected/assessed defines the tools to be employed to analyze the characteristics and behavior of malicious code.
DoD has determined the tools are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the tools to be employed to analyze the characteristics and behavior of malicious code.
DoD has determined the tools are not appropriate to define at the Enterprise level. |
Malicious Code Protection | Malicious Code Analysis |
SI-3 (10) |
SI-3(10).1 |
The application of selected malicious code analysis tools and techniques provides organizations with a more in-depth understanding of adversary tradecraft (i.e., tactics, techniques, and procedures) and the functionality and purpose of specific instances of malicious code. Understanding the characteristics of malicious code facilitates more effective organizational responses to current and future threats. Organizations can conduct malicious code analyses by using reverse engineering techniques or by monitoring the behavior of executing code. |
The organization:
(a) Employs [Assignment: organization-defined tools and techniques] to analyze the characteristics and behavior of malicious code; and
(b) Incorporates the results from malicious code analysis into organizational incident response and flaw remediation processes. |
| CCI-002635 |
The organization defines the techniques to be employed to analyze the characteristics and behavior of malicious code. |
The organization conducting the inspection/assessment obtains and examines the documented techniques to ensure the organization being inspected/assessed defines the techniques to be employed to analyze the characteristics and behavior of malicious code.
DoD has determined the techniques are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the techniques to be employed to analyze the characteristics and behavior of malicious code.
DoD has determined the techniques are not appropriate to define at the Enterprise level. |
Malicious Code Protection | Malicious Code Analysis |
SI-3 (10) |
SI-3(10).2 |
The application of selected malicious code analysis tools and techniques provides organizations with a more in-depth understanding of adversary tradecraft (i.e., tactics, techniques, and procedures) and the functionality and purpose of specific instances of malicious code. Understanding the characteristics of malicious code facilitates more effective organizational responses to current and future threats. Organizations can conduct malicious code analyses by using reverse engineering techniques or by monitoring the behavior of executing code. |
The organization:
(a) Employs [Assignment: organization-defined tools and techniques] to analyze the characteristics and behavior of malicious code; and
(b) Incorporates the results from malicious code analysis into organizational incident response and flaw remediation processes. |
| CCI-002636 |
The organization employs organization-defined tools to analyze the characteristics and behavior of malicious code. |
The organization conducting the inspection/assessment obtains and examines the documented tools to ensure the organization being inspected/assessed employs tools defined in SI-3 (10), CCI 2634 to analyze the characteristics and behavior of malicious code. |
The organization being inspected/assessed documents and implements tools defined in SI-3 (10), CCI 2634 to analyze the characteristics and behavior of malicious code. |
Malicious Code Protection | Malicious Code Analysis |
SI-3 (10) |
SI-3(10).3 |
The application of selected malicious code analysis tools and techniques provides organizations with a more in-depth understanding of adversary tradecraft (i.e., tactics, techniques, and procedures) and the functionality and purpose of specific instances of malicious code. Understanding the characteristics of malicious code facilitates more effective organizational responses to current and future threats. Organizations can conduct malicious code analyses by using reverse engineering techniques or by monitoring the behavior of executing code. |
The organization:
(a) Employs [Assignment: organization-defined tools and techniques] to analyze the characteristics and behavior of malicious code; and
(b) Incorporates the results from malicious code analysis into organizational incident response and flaw remediation processes. |
| CCI-002637 |
The information system implements organization-defined security safeguards to authenticate organization-defined remote commands for malicious code protection. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement security safeguards defined in SI-3 (9), CCI 2633 to authenticate remote commands for malicious code protection defined in SI-3 (9), CCI 2632.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2637. |
The organization being inspected/assessed configures the information system to implement security safeguards defined in SI-3 (9), CCI 2633 to authenticate remote commands for malicious code protection defined in SI-3 (9), CCI 2632.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2637. |
Malicious Code Protection | Authenticate Remote Commands |
SI-3 (9) |
SI-3(9).3 |
This control enhancement protects against unauthorized commands and replay of authorized commands. This capability is important for those remote information systems whose loss, malfunction, misdirection, or exploitation would have immediate and/or serious consequences (e.g., injury or death, property damage, loss of high-valued assets or sensitive information, or failure of important missions/business functions). Authentication safeguards for remote commands help to ensure that information systems accept and execute in the order intended, only authorized commands, and that unauthorized commands are rejected. Cryptographic mechanisms can be employed, for example, to authenticate remote commands. Related controls: SC-12, SC-13, SC-23. |
The information system implements [Assignment: organization-defined security safeguards] to authenticate [Assignment: organization-defined remote commands]. |
| CCI-002638 |
The organization employs organization-defined techniques to analyze the characteristics and behavior of malicious code. |
The organization conducting the inspection/assessment obtains and examines the documented techniques to ensure the organization being inspected/assessed employs techniques defined in SI-3 (10), CCI 2635 to analyze the characteristics and behavior of malicious code. |
The organization being inspected/assessed documents and implements techniques defined in SI-3 (10), CCI 2635 to analyze the characteristics and behavior of malicious code. |
Malicious Code Protection | Malicious Code Analysis |
SI-3 (10) |
SI-3(10).4 |
The application of selected malicious code analysis tools and techniques provides organizations with a more in-depth understanding of adversary tradecraft (i.e., tactics, techniques, and procedures) and the functionality and purpose of specific instances of malicious code. Understanding the characteristics of malicious code facilitates more effective organizational responses to current and future threats. Organizations can conduct malicious code analyses by using reverse engineering techniques or by monitoring the behavior of executing code. |
The organization:
(a) Employs [Assignment: organization-defined tools and techniques] to analyze the characteristics and behavior of malicious code; and
(b) Incorporates the results from malicious code analysis into organizational incident response and flaw remediation processes. |
| CCI-002639 |
The organization incorporates the results from malicious code analysis into organizational incident response processes. |
The organization conducting the inspection/assessment obtains and examines the organizational incident response processes to ensure the organization being inspected/assessed incorporates the results from malicious code analysis into organizational incident response processes. |
The organization being inspected/assessed incorporates the results from malicious code analysis into organizational incident response processes. |
Malicious Code Protection | Malicious Code Analysis |
SI-3 (10) |
SI-3(10).5 |
The application of selected malicious code analysis tools and techniques provides organizations with a more in-depth understanding of adversary tradecraft (i.e., tactics, techniques, and procedures) and the functionality and purpose of specific instances of malicious code. Understanding the characteristics of malicious code facilitates more effective organizational responses to current and future threats. Organizations can conduct malicious code analyses by using reverse engineering techniques or by monitoring the behavior of executing code. |
The organization:
(a) Employs [Assignment: organization-defined tools and techniques] to analyze the characteristics and behavior of malicious code; and
(b) Incorporates the results from malicious code analysis into organizational incident response and flaw remediation processes. |
| CCI-002640 |
The organization incorporates the results from malicious code analysis into organizational flaw remediation processes. |
The organization conducting the inspection/assessment obtains and examines the flaw remediation processes to ensure the organization being inspected/assessed incorporates the results from malicious code analysis into organizational flaw remediation processes. |
The organization being inspected/assessed incorporates the results from malicious code analysis into organizational flaw remediation processes. |
Malicious Code Protection | Malicious Code Analysis |
SI-3 (10) |
SI-3(10).6 |
The application of selected malicious code analysis tools and techniques provides organizations with a more in-depth understanding of adversary tradecraft (i.e., tactics, techniques, and procedures) and the functionality and purpose of specific instances of malicious code. Understanding the characteristics of malicious code facilitates more effective organizational responses to current and future threats. Organizations can conduct malicious code analyses by using reverse engineering techniques or by monitoring the behavior of executing code. |
The organization:
(a) Employs [Assignment: organization-defined tools and techniques] to analyze the characteristics and behavior of malicious code; and
(b) Incorporates the results from malicious code analysis into organizational incident response and flaw remediation processes. |
| CCI-002641 |
The organization monitors the information system to detect attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of monitoring to ensure the organization being inspected/assessed monitors the information system to detect attacks and indicators of potential attacks in accordance with sensor placement and monitoring requirements within CJCSI 6510.01F. |
The organization being inspected/assessed documents and implements a process to monitor the information system to detect attacks and indicators of potential attacks in accordance with sensor placement and monitoring requirements within CJCSI 6510.01F.
The organization must maintain an audit trail of monitoring.
DoD has defined the monitoring objectives as sensor placement and monitoring requirements within CJCSI 6510.01F. |
Information System Monitoring |
SI-4 |
SI-4.2 |
Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Related controls: AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, CA-7, IR-4, PE-3, RA-5, SC-7, SC-26, SC-35, SI-3, SI-7. |
The organization:
a. Monitors the information system to detect:
1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
2. Unauthorized local, network, and remote connections;
b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]. |
| CCI-002642 |
The organization monitors the information system to detect unauthorized local connections. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of monitoring to ensure the organization being inspected/assessed monitors the information system to detect unauthorized local connections. |
The organization being inspected/assessed documents and implements a process to monitor the information system to detect unauthorized local connections.
The organization must maintain an audit trail of monitoring. |
Information System Monitoring |
SI-4 |
SI-4.3 |
Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Related controls: AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, CA-7, IR-4, PE-3, RA-5, SC-7, SC-26, SC-35, SI-3, SI-7. |
The organization:
a. Monitors the information system to detect:
1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
2. Unauthorized local, network, and remote connections;
b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]. |
| CCI-002643 |
The organization monitors the information system to detect unauthorized network connections. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of monitoring to ensure the organization being inspected/assessed monitors the information system to detect unauthorized network connections. |
The organization being inspected/assessed documents and implements a process to monitor the information system to detect unauthorized network connections.
The organization must maintain an audit trail of monitoring. |
Information System Monitoring |
SI-4 |
SI-4.4 |
Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Related controls: AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, CA-7, IR-4, PE-3, RA-5, SC-7, SC-26, SC-35, SI-3, SI-7. |
The organization:
a. Monitors the information system to detect:
1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
2. Unauthorized local, network, and remote connections;
b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]. |
| CCI-002644 |
The organization monitors the information system to detect unauthorized remote connections. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of monitoring to ensure the organization being inspected/assessed monitors the information system to detect unauthorized remote connections. |
The organization being inspected/assessed documents and implements a process to monitor information system to detect unauthorized remote connections.
The organization must maintain an audit trail of monitoring. |
Information System Monitoring |
SI-4 |
SI-4.5 |
Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Related controls: AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, CA-7, IR-4, PE-3, RA-5, SC-7, SC-26, SC-35, SI-3, SI-7. |
The organization:
a. Monitors the information system to detect:
1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
2. Unauthorized local, network, and remote connections;
b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]. |
| CCI-002645 |
The organization defines the techniques and methods to be used to identify unauthorized use of the information system. |
The organization conducting the inspection/assessment obtains and examines the documented techniques to ensure the organization being inspected/assessed defines the techniques and methods to be used to identify unauthorized use of the information system.
DoD has determined the techniques and methods are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the techniques and methods to be used to identify unauthorized use of the information system.
DoD has determined the techniques and methods are not appropriate to define at the Enterprise level. |
Information System Monitoring |
SI-4 |
SI-4.6 |
Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Related controls: AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, CA-7, IR-4, PE-3, RA-5, SC-7, SC-26, SC-35, SI-3, SI-7. |
The organization:
a. Monitors the information system to detect:
1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
2. Unauthorized local, network, and remote connections;
b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]. |
| CCI-002646 |
The organization identifies unauthorized use of the information system through organization-defined techniques and methods. |
The organization conducting the inspection/assessment obtains and examines the audit trail of identified instances of unauthorized use to ensure the organization being inspected/assessed identifies unauthorized use of the information system through techniques and methods defined in SI-4, CCI 2645. |
The organization being inspected/assessed identifies unauthorized use of the information system through techniques and methods defined in SI-4, CCI 2645.
The organization must maintain an audit trail of identified instances of unauthorized use. |
Information System Monitoring |
SI-4 |
SI-4.7 |
Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Related controls: AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, CA-7, IR-4, PE-3, RA-5, SC-7, SC-26, SC-35, SI-3, SI-7. |
The organization:
a. Monitors the information system to detect:
1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
2. Unauthorized local, network, and remote connections;
b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]. |
| CCI-002647 |
The organization protects information obtained from intrusion-monitoring tools from unauthorized access. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed protects information obtained from intrusion-monitoring tools from unauthorized access. |
The organization being inspected/assessed documents and implements a process to protect information obtained from intrusion-monitoring tools from unauthorized access. |
Information System Monitoring |
SI-4 |
SI-4.10 |
Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Related controls: AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, CA-7, IR-4, PE-3, RA-5, SC-7, SC-26, SC-35, SI-3, SI-7. |
The organization:
a. Monitors the information system to detect:
1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
2. Unauthorized local, network, and remote connections;
b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]. |
| CCI-002648 |
The organization protects information obtained from intrusion-monitoring tools from unauthorized modification. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed protects information obtained from intrusion-monitoring tools from unauthorized modification. |
The organization being inspected/assessed documents and implements a process to protect information obtained from intrusion-monitoring tools from unauthorized modification. |
Information System Monitoring |
SI-4 |
SI-4.11 |
Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Related controls: AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, CA-7, IR-4, PE-3, RA-5, SC-7, SC-26, SC-35, SI-3, SI-7. |
The organization:
a. Monitors the information system to detect:
1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
2. Unauthorized local, network, and remote connections;
b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]. |
| CCI-002649 |
The organization protects information obtained from intrusion-monitoring tools from unauthorized deletion. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed protects information obtained from intrusion-monitoring tools from unauthorized deletion. |
The organization being inspected/assessed documents and implements a process to protect information obtained from intrusion-monitoring tools from unauthorized deletion. |
Information System Monitoring |
SI-4 |
SI-4.12 |
Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Related controls: AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, CA-7, IR-4, PE-3, RA-5, SC-7, SC-26, SC-35, SI-3, SI-7. |
The organization:
a. Monitors the information system to detect:
1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
2. Unauthorized local, network, and remote connections;
b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]. |
| CCI-002650 |
The organization defines the information system monitoring information that is to be provided the organization-defined personnel or roles. |
The organization conducting the inspection/assessment obtains and examines the documented information system monitoring information to ensure the organization being inspected/assessed defines the information system monitoring information that is to be provided the organization-defined personnel or roles.
DoD has determined the information system monitoring information is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information system monitoring information that is to be provided the organization-defined personnel or roles.
DoD has determined the information system monitoring information is not appropriate to define at the Enterprise level. |
Information System Monitoring |
SI-4 |
SI-4.15 |
Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Related controls: AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, CA-7, IR-4, PE-3, RA-5, SC-7, SC-26, SC-35, SI-3, SI-7. |
The organization:
a. Monitors the information system to detect:
1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
2. Unauthorized local, network, and remote connections;
b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]. |
| CCI-002651 |
The organization defines the personnel or roles that are to be provided organization-defined information system monitoring information. |
The organization conducting the inspection/assessment obtains and examines the documented personnel or roles to ensure the organization being inspected/assessed defines the personnel or roles that are to be provided organization-defined information system monitoring information.
DoD has determined the personnel or roles are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the personnel or roles that are to be provided organization-defined information system monitoring information.
DoD has determined the personnel or roles are not appropriate to define at the Enterprise level. |
Information System Monitoring |
SI-4 |
SI-4.16 |
Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Related controls: AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, CA-7, IR-4, PE-3, RA-5, SC-7, SC-26, SC-35, SI-3, SI-7. |
The organization:
a. Monitors the information system to detect:
1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
2. Unauthorized local, network, and remote connections;
b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]. |
| CCI-002652 |
The organization defines the frequency at which the organization will provide the organization-defined information system monitoring information to organization-defined personnel or roles. |
The organization conducting the inspection/assessment obtains and examines the documented frequency to ensure the organization being inspected/assessed defines the frequency at which the organization will provide the organization-defined information system monitoring information to organization-defined personnel or roles.
DoD has determined the frequency is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the frequency at which the organization will provide the organization-defined information system monitoring information to organization-defined personnel or roles
DoD has determined the frequency is not appropriate to define at the Enterprise level. |
Information System Monitoring |
SI-4 |
SI-4.17 |
Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Related controls: AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, CA-7, IR-4, PE-3, RA-5, SC-7, SC-26, SC-35, SI-3, SI-7. |
The organization:
a. Monitors the information system to detect:
1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
2. Unauthorized local, network, and remote connections;
b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]. |
| CCI-002653 |
The organization provides organization-defined information system monitoring information to organization-defined personnel or roles as needed or per organization-defined frequency. |
|
|
|
|
|
|
|
| CCI-002654 |
The organization provides organization-defined information system monitoring information to organization-defined personnel or roles as needed or per organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the audit trail of when information is provided to ensure the organization being inspected/assessed provides information system monitoring information defined in SI-4, CCI 2650 to personnel or roles defined in SI-4, CCI 2651 as needed or per the frequency defined in SI-4, CCI 2652. |
The organization being inspected/assessed provides information system monitoring information defined in SI-4, CCI 2650 to personnel or roles defined in SI-4, CCI 2651 as needed or per the frequency defined in SI-4, CCI 2652.
The organization must maintain an audit trail of when information is provided. |
Information System Monitoring |
SI-4 |
SI-4.18 |
Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Related controls: AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, CA-7, IR-4, PE-3, RA-5, SC-7, SC-26, SC-35, SI-3, SI-7. |
The organization:
a. Monitors the information system to detect:
1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
2. Unauthorized local, network, and remote connections;
b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]. |
| CCI-002655 |
The organization connects individual intrusion detection tools into an information system-wide intrusion detection system. |
The organization conducting the inspection/assessment examines the information system-wide intrusion detection system architecture and individuals tools to ensure the organization being inspected/assessed connects individual intrusion detection tools into an information system-wide intrusion detection system. |
The organization being inspected/assessed connects individual intrusion detection tools into an information system-wide intrusion detection system. |
Information System Monitoring | System-Wide Intrusion Detection System |
SI-4 (1) |
SI-4(1).1 |
|
The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system. |
| CCI-002656 |
The organization configures individual intrusion detection tools into an information system-wide intrusion detection system. |
The organization conducting the inspection/assessment examines the information system-wide intrusion detection system to ensure the organization being inspected/assessed configures individual intrusion detection tools into an information system-wide intrusion detection system.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2656. |
The organization being inspected/assessed configures individual intrusion detection tools into an information system-wide intrusion detection system.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2656. |
Information System Monitoring | System-Wide Intrusion Detection System |
SI-4 (1) |
SI-4(1).2 |
|
The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system. |
| CCI-002657 |
The organization employs automated tools to integrate intrusion detection tools into access control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination. |
The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated tools to ensure the organization being inspected/assessed employs automated tools to integrate intrusion detection tools into access control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.
The organization being inspected/assessed may be required to demonstrate use of their automated tools. |
The organization being inspected/assessed documents and implements automated tools to integrate intrusion detection tools into access control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination. |
Information System Monitoring | Automated Tool Integration |
SI-4 (3) |
SI-4(3).1 |
|
The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination. |
| CCI-002658 |
The organization employs automated tools to integrate intrusion detection tools into flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination. |
The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated tools to ensure the organization being inspected/assessed employs automated tools to integrate intrusion detection tools into flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.
The organization being inspected/assessed may be required to demonstrate use of their automated tools. |
The organization being inspected/assessed documents and implements automated tools to integrate intrusion detection tools into flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination. |
Information System Monitoring | Automated Tool Integration |
SI-4 (3) |
SI-4(3).2 |
|
The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination. |
| CCI-002659 |
The organization defines the frequency on which it will monitor inbound communications for unusual or unauthorized activities or conditions. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as continuously. |
DoD has defined the frequency as continuously. |
Information System Monitoring | Inbound And Outbound Communications Traffic |
SI-4 (4) |
SI-4(4).1 |
Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components. |
The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions. |
| CCI-002660 |
The organization defines the frequency on which it will monitor outbound communications for unusual or unauthorized activities or conditions. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as continuously. |
DoD has defined the frequency as continuously. |
Information System Monitoring | Inbound And Outbound Communications Traffic |
SI-4 (4) |
SI-4(4).2 |
Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components. |
The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions. |
| CCI-002661 |
The information system monitors inbound communications traffic per organization-defined frequency for unusual or unauthorized activities or conditions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to monitor inbound communications traffic continuously for unusual or unauthorized activities or conditions.
DoD has defined the frequency as continuously. |
The organization being inspected/assessed configures the information system to monitor inbound communications traffic continuously for unusual or unauthorized activities or conditions.
DoD has defined the frequency as continuously. |
Information System Monitoring | Inbound And Outbound Communications Traffic |
SI-4 (4) |
SI-4(4).3 |
Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components. |
The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions. |
| CCI-002662 |
The information system monitors outbound communications traffic per organization-defined frequency for unusual or unauthorized activities or conditions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to monitor outbound communications traffic continuously for unusual or unauthorized activities or conditions.
DoD has defined the frequency as continuously. |
The organization being inspected/assessed configures the information system to monitor outbound communications traffic continuously for unusual or unauthorized activities or conditions.
DoD has defined the frequency as continuously. |
Information System Monitoring | Inbound And Outbound Communications Traffic |
SI-4 (4) |
SI-4(4).4 |
Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components. |
The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions. |
| CCI-002663 |
The organization defines the personnel or roles to receive information system alerts when organization-defined indicators of compromise or potential compromise occur. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as at a minimum, the ISSM and ISSO.
|
DoD has defined the personnel or roles as at a minimum, the ISSM and ISSO. |
Information System Monitoring | System-Generated Alerts |
SI-4 (5) |
SI-4(5).2 |
Alerts may be generated from a variety of sources, including, for example, audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the notification list can include, for example, system administrators, mission/business owners, system owners, or information system security officers. Related controls: AU-5, PE-6. |
The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators]. |
| CCI-002664 |
The information system alerts organization-defined personnel or roles when organization-defined compromise indicators reflect the occurrence of a compromise or a potential compromise. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to alert at a minimum, the ISSM and ISSO when real time intrusion detection and when there are threats identified by authoritative sources (e.g. CTOs) and IAW incident categories I, II, IV, & VII within CJCSM 6510.01B reflect the occurrence of a compromise or a potential compromise.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2664.
DoD has defined the personnel or roles as at a minimum, the ISSM and ISSO.
DoD has defined the compromise indicators as real time intrusion detection and when there are threats identified by authoritative sources (e.g. CTOs) and IAW incident categories I, II, IV, & VII within CJCSM 6510.01B. |
The organization being inspected/assessed configures the information system to alert at a minimum, the ISSM and ISSO when real time intrusion detection and when there are threats identified by authoritative sources (e.g. CTOs) and IAW incident categories I, II, IV, & VII within CJCSM 6510.01B reflect the occurrence of a compromise or a potential compromise.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2664.
DoD has defined the personnel or roles as at a minimum, the ISSM and ISSO.
DoD has defined the compromise indicators as real time intrusion detection and when there are threats identified by authoritative sources (e.g. CTOs) and IAW incident categories I, II, IV, & VII within CJCSM 6510.01B. |
Information System Monitoring | System-Generated Alerts |
SI-4 (5) |
SI-4(5).3 |
Alerts may be generated from a variety of sources, including, for example, audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the notification list can include, for example, system administrators, mission/business owners, system owners, or information system security officers. Related controls: AU-5, PE-6. |
The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators]. |
| CCI-002665 |
The organization defines the encrypted communications traffic that is to be visible to organization-defined information system monitoring tools. |
The organization conducting the inspection/assessment obtains and examines the documented encrypted traffic to ensure the organization being inspected/assessed defines the encrypted communications traffic that are to be visible to organization-defined information system monitoring tools.
DoD has determined the encrypted traffic is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the encrypted communications traffic that are to be visible to organization-defined information system monitoring tools.
DoD has determined the encrypted traffic is not appropriate to define at the Enterprise level. |
Information System Monitoring | Visibility Of Encrypted Communications |
SI-4 (10) |
SI-4(10).1 |
Organizations balance the potentially conflicting needs for encrypting communications traffic and for having insight into such traffic from a monitoring perspective. For some organizations, the need to ensure the confidentiality of communications traffic is paramount; for others, mission-assurance is of greater concern. Organizations determine whether the visibility requirement applies to internal encrypted traffic, encrypted traffic intended for external destinations, or a subset of the traffic types. |
The organization makes provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined information system monitoring tools]. |
| CCI-002666 |
The organization defines the information system monitoring tools that will have visibility into organization-defined encrypted communications traffic. |
The organization conducting the inspection/assessment obtains and examines the documented information system monitoring tools to ensure the organization being inspected/assessed defines the information system monitoring tools that will have visibility into organization-defined encrypted communications traffic.
DoD has determined the information system monitoring tools are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information system monitoring tools that will have visibility into organization-defined encrypted communications traffic.
DoD has determined the information system monitoring tools are not appropriate to define at the Enterprise level. |
Information System Monitoring | Visibility Of Encrypted Communications |
SI-4 (10) |
SI-4(10).2 |
Organizations balance the potentially conflicting needs for encrypting communications traffic and for having insight into such traffic from a monitoring perspective. For some organizations, the need to ensure the confidentiality of communications traffic is paramount; for others, mission-assurance is of greater concern. Organizations determine whether the visibility requirement applies to internal encrypted traffic, encrypted traffic intended for external destinations, or a subset of the traffic types. |
The organization makes provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined information system monitoring tools]. |
| CCI-002667 |
The organization makes provisions so that organization-defined encrypted communications traffic is visible to organization-defined information system monitoring tools. |
The organization conducting the inspection/assessment examines the information system architecture to verify that the encrypted communications traffic is visible to information system monitoring tools defined in SI-4 (10), CCI 2666. |
The organization being inspected/assessed makes provisions so that encrypted communications traffic defined in SI-4 (10), CCI 2665 is visible to information system monitoring tools defined in SI-4 (10), CCI 2666. |
Information System Monitoring | Visibility Of Encrypted Communications |
SI-4 (10) |
SI-4(10).3 |
Organizations balance the potentially conflicting needs for encrypting communications traffic and for having insight into such traffic from a monitoring perspective. For some organizations, the need to ensure the confidentiality of communications traffic is paramount; for others, mission-assurance is of greater concern. Organizations determine whether the visibility requirement applies to internal encrypted traffic, encrypted traffic intended for external destinations, or a subset of the traffic types. |
The organization makes provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined information system monitoring tools]. |
| CCI-002668 |
The organization defines the interior points within the information system (e.g., subnetworks, subsystems) where outbound communications will be analyzed to discover anomalies. |
The organization conducting the inspection/assessment obtains and examines the documented interior points to ensure the organization being inspected/assessed defines the interior points within the information system (e.g., subnetworks, subsystems) where outbound communications will be analyzed to discover anomalies.
DoD has determined the interior points are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the interior points within the information system (e.g., subnetworks, subsystems) where outbound communications will be analyzed to discover anomalies.
DoD has determined the interior points are not appropriate to define at the Enterprise level. |
Information System Monitoring | Analyze Communications Traffic Anomalies |
SI-4 (11) |
SI-4(11).3 |
Anomalies within organizational information systems include, for example, large file transfers, long-time persistent connections, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses. |
The organization analyzes outbound communications traffic at the external boundary of the information system and selected [Assignment: organization-defined interior points within the system (e.g., subnetworks, subsystems)] to discover anomalies. |
| CCI-002669 |
The organization uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and false negatives. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as audit logs of tuning events to ensure the organization being inspected/assessed uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and false negatives. |
The organization being inspected/assessed documents and implements a process to use the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and false negatives.
The organization must maintain an audit log of tuning events. |
Information System Monitoring | Analyze Traffic / Event Patterns |
SI-4 (13) |
SI-4(13).3 |
|
The organization:
(a) Analyzes communications traffic/event patterns for the information system;
(b) Develops profiles representing common traffic patterns and/or events; and
(c) Uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and the number of false negatives. |
| CCI-002670 |
The organization defines the interior points within the system (e.g., subsystems, subnetworks) where outbound communications will be analyzed to detect covert exfiltration of information. |
The organization conducting the inspection/assessment obtains and examines the documented interior points to ensure the organization being inspected/assessed defines the interior points within the system (e.g., subsystems, subnetworks) where outbound communications will be analyzed to detect covert exfiltration of information.
DoD has determined the interior points are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the interior points within the system (e.g., subsystems, subnetworks) where outbound communications will be analyzed to detect covert exfiltration of information.
DoD has determined the interior points are not appropriate to define at the Enterprise level. |
Information System Monitoring | Analyze Traffic / Covert Exfiltration |
SI-4 (18) |
SI-4(18).1 |
Covert means that can be used for the unauthorized exfiltration of organizational information include, for example, steganography. |
The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) and at [Assignment: organization-defined interior
points within the system (e.g., subsystems, subnetworks)] to detect covert exfiltration of information. |
| CCI-002671 |
The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) to detect covert exfiltration of information. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of analysis to ensure the organization being inspected/assessed analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) to detect covert exfiltration of information. |
The organization being inspected/assessed documents and implements a process to analyze outbound communications traffic at the external boundary of the information system (i.e., system perimeter) to detect covert exfiltration of information.
The organization must maintain a record of the analysis. |
Information System Monitoring | Analyze Traffic / Covert Exfiltration |
SI-4 (18) |
SI-4(18).2 |
Covert means that can be used for the unauthorized exfiltration of organizational information include, for example, steganography. |
The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) and at [Assignment: organization-defined interior
points within the system (e.g., subsystems, subnetworks)] to detect covert exfiltration of information. |
| CCI-002672 |
The organization analyzes outbound communications traffic at organization-defined interior points within the system (e.g., subsystems, subnetworks) to detect covert exfiltration of information. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of analysis to ensure the organization being inspected/assessed analyzes outbound communications traffic at interior points defined in SI-4 (18), CCI 2670 within the system (e.g., subsystems, subnetworks) to detect covert exfiltration of information. |
The organization being inspected/assessed documents and implements a process to analyze outbound communications traffic at interior points defined in SI-4 (18), CCI 2670 within the system (e.g., subsystems, subnetworks) to detect covert exfiltration of information.
The organization must maintain a record of the analysis. |
Information System Monitoring | Analyze Traffic / Covert Exfiltration |
SI-4 (18) |
SI-4(18).3 |
Covert means that can be used for the unauthorized exfiltration of organizational information include, for example, steganography. |
The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) and at [Assignment: organization-defined interior
points within the system (e.g., subsystems, subnetworks)] to detect covert exfiltration of information. |
| CCI-002673 |
The organization defines the additional monitoring to be implemented for individuals identified as posing an increased level of risk. |
The organization conducting the inspection/assessment obtains and examines the documented additional monitoring to ensure the organization being inspected/assessed defines the additional monitoring to be implemented for individuals identified as posing an increased level of risk.
DoD has determined the additional monitoring is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the additional monitoring to be implemented for individuals identified as posing an increased level of risk.
DoD has determined the additional monitoring is not appropriate to define at the Enterprise level. |
Information System Monitoring | Individuals Posing Greater Risk |
SI-4 (19) |
SI-4(19).1 |
Indications of increased risk from individuals can be obtained from a variety of sources including, for example, human resource records, intelligence agencies, law enforcement organizations, and/or other credible sources. The monitoring of individuals is closely coordinated with management, legal, security, and human resources officials within organizations conducting such monitoring and complies with federal legislation, Executive Orders, policies, directives, regulations, and standards. |
The organization implements [Assignment: organization-defined additional monitoring] of individuals who have been identified by [Assignment: organization-defined sources] as posing an increased level of risk. |
| CCI-002674 |
The organization defines the sources that may be used to identify individuals who pose an increased level of risk. |
The organization conducting the inspection/assessment obtains and examines the documented sources to ensure the organization being inspected/assessed defines the sources that may be used to identify individuals who pose an increased level of risk.
DoD has determined the sources are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the sources that may be used to identify individuals who pose an increased level of risk.
DoD has determined the sources are not appropriate to define at the Enterprise level. |
Information System Monitoring | Individuals Posing Greater Risk |
SI-4 (19) |
SI-4(19).2 |
Indications of increased risk from individuals can be obtained from a variety of sources including, for example, human resource records, intelligence agencies, law enforcement organizations, and/or other credible sources. The monitoring of individuals is closely coordinated with management, legal, security, and human resources officials within organizations conducting such monitoring and complies with federal legislation, Executive Orders, policies, directives, regulations, and standards. |
The organization implements [Assignment: organization-defined additional monitoring] of individuals who have been identified by [Assignment: organization-defined sources] as posing an increased level of risk. |
| CCI-002675 |
The organization implements organization-defined additional monitoring of individuals who have been identified by organization-defined sources as posing an increased level of risk. |
The organization conducting the inspection/assessment obtains and examines the audit trail of additional monitoring to ensure the organization being inspected/assessed implements additional monitoring defined in SI-4 (19), CCI 2673 of individuals who have been identified by sources defined in SI-4 (19), CCI 2674 as posing an increased level of risk. |
The organization being inspected/assessed implements additional monitoring defined in SI-4 (19), CCI 2673 of individuals who have been identified by sources defined in SI-4 (19), CCI 2674 as posing an increased level of risk.
The organization must maintain an audit trail of additional monitoring. |
Information System Monitoring | Individuals Posing Greater Risk |
SI-4 (19) |
SI-4(19).3 |
Indications of increased risk from individuals can be obtained from a variety of sources including, for example, human resource records, intelligence agencies, law enforcement organizations, and/or other credible sources. The monitoring of individuals is closely coordinated with management, legal, security, and human resources officials within organizations conducting such monitoring and complies with federal legislation, Executive Orders, policies, directives, regulations, and standards. |
The organization implements [Assignment: organization-defined additional monitoring] of individuals who have been identified by [Assignment: organization-defined sources] as posing an increased level of risk. |
| CCI-002676 |
The organization defines additional monitoring to be implemented for privileged users. |
The organization conducting the inspection/assessment obtains and examines the documented additional monitoring to ensure the organization being inspected/assessed defines additional monitoring to be implemented for privileged users.
DoD has determined the additional monitoring is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents additional monitoring to be implemented for privileged users.
DoD has determined the additional monitoring is not appropriate to define at the Enterprise level. |
Information System Monitoring | Privileged User |
SI-4 (20) |
SI-4(20).1 |
|
The organization implements [Assignment: organization-defined additional monitoring] of privileged users. |
| CCI-002677 |
The organization implements organization-defined additional monitoring of privileged users. |
The organization conducting the inspection/assessment obtains and examines the audit trail of additional monitoring to ensure the organization being inspected/assessed implements additional monitoring defined in SI-4 (20), CCI 2676 of privileged users. |
The organization being inspected/assessed implements additional monitoring defined in SI-4 (20), CCI 2676 of privileged users.
The organization must maintain an audit trail of additional monitoring. |
Information System Monitoring | Privileged User |
SI-4 (20) |
SI-4(20).2 |
|
The organization implements [Assignment: organization-defined additional monitoring] of privileged users. |
| CCI-002678 |
The organization defines additional monitoring to be implemented for individuals during an organization-defined probationary period. |
The organization conducting the inspection/assessment obtains and examines the documented additional monitoring to ensure the organization being inspected/assessed defines additional monitoring to be implemented for individuals during an organization-defined probationary period.
DoD has determined the additional monitoring is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents additional monitoring to be implemented for individuals during an organization-defined probationary period.
DoD has determined the additional monitoring is not appropriate to define at the Enterprise level. |
Information System Monitoring | Probationary Periods |
SI-4 (21) |
SI-4(21).1 |
|
The organization implements [Assignment: organization-defined additional monitoring] of individuals during [Assignment: organization-defined probationary period]. |
| CCI-002679 |
The organization defines the probationary period during which additional monitoring will be implemented for individuals. |
The organization conducting the inspection/assessment obtains and examines the documented probationary period to ensure the organization being inspected/assessed defines the probationary period during which additional monitoring will be implemented for individuals.
DoD has determined the probationary period is not appropriate to define at the Enterprise level. |
The organization defines and documents the probationary period during which additional monitoring will be implemented for individuals.
DoD has determined the probationary period is not appropriate to define at the Enterprise level. |
Information System Monitoring | Probationary Periods |
SI-4 (21) |
SI-4(21).2 |
|
The organization implements [Assignment: organization-defined additional monitoring] of individuals during [Assignment: organization-defined probationary period]. |
| CCI-002680 |
The organization implements organization-defined additional monitoring of individuals during an organization-defined probationary period. |
The organization conducting the inspection/assessment obtains and examines the audit trail of additional monitoring to ensure the organization being inspected/assessed implements additional monitoring defined in SI-4 (21), CCI 2678 of individuals during the probationary period defined in SI-4 (21), CCI 2679. |
The organization being inspected/assessed implements additional monitoring defined in SI-4 (21), CCI 2678 of individuals during the probationary period defined in SI-4 (21), CCI 2679.
The organization must maintain an audit trail of additional monitoring. |
Information System Monitoring | Probationary Periods |
SI-4 (21) |
SI-4(21).3 |
|
The organization implements [Assignment: organization-defined additional monitoring] of individuals during [Assignment: organization-defined probationary period]. |
| CCI-002681 |
The organization defines the authorization or approval process for network services. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. |
DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. |
Information System Monitoring | Unauthorized Network Services |
SI-4 (22) |
SI-4(22).1 |
Unauthorized or unapproved network services include, for example, services in service-oriented architectures that lack organizational verification or validation and therefore may be unreliable or serve as malicious rogues for valid services. Related controls: AC-6, CM-7, SA-5, SA-9. |
The information system detects network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes] and [Selection (one or more): audits; alerts [Assignment: organization-defined personnel and/or roles]]. |
| CCI-002682 |
The organization defines the personnel or roles to be alerted when unauthorized or unapproved network services are detected. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. |
DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. |
Information System Monitoring | Unauthorized Network Services |
SI-4 (22) |
SI-4(22).2 |
Unauthorized or unapproved network services include, for example, services in service-oriented architectures that lack organizational verification or validation and therefore may be unreliable or serve as malicious rogues for valid services. Related controls: AC-6, CM-7, SA-5, SA-9. |
The information system detects network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes] and [Selection (one or more): audits; alerts [Assignment: organization-defined personnel and/or roles]]. |
| CCI-002683 |
The information system detects network services that have not been authorized or approved by the organization-defined authorization or approval processes. |
The organization conducting the inspection/assessment obtains and examines the documented process, and examines the implemented detection mechanisms to ensure the organization being inspected/assessed implements a process to detect network services that have not been authorized or approved by at a minimum, the ISSO and ISSM.
For network service detection mechanisms that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2683.
DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. |
The organization being inspected/assessed documents and implements a process to detect network services that have not been authorized or approved by at a minimum, the ISSO and ISSM.
For network service detection mechanisms that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2683.
DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. |
Information System Monitoring | Unauthorized Network Services |
SI-4 (22) |
SI-4(22).3 |
Unauthorized or unapproved network services include, for example, services in service-oriented architectures that lack organizational verification or validation and therefore may be unreliable or serve as malicious rogues for valid services. Related controls: AC-6, CM-7, SA-5, SA-9. |
The information system detects network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes] and [Selection (one or more): audits; alerts [Assignment: organization-defined personnel and/or roles]]. |
| CCI-002684 |
The information system audits and/or alerts organization-defined personnel when unauthorized network services are detected. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to audit and/or alert at a minimum, the ISSO and ISSM when unauthorized network services are detected.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2684.
DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. |
The organization being inspected/assessed configures the information system to audit and/or alert at a minimum, the ISSO and ISSM when unauthorized network services are detected.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2684.
DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. |
Information System Monitoring | Unauthorized Network Services |
SI-4 (22) |
SI-4(22).4 |
Unauthorized or unapproved network services include, for example, services in service-oriented architectures that lack organizational verification or validation and therefore may be unreliable or serve as malicious rogues for valid services. Related controls: AC-6, CM-7, SA-5, SA-9. |
The information system detects network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes] and [Selection (one or more): audits; alerts [Assignment: organization-defined personnel and/or roles]]. |
| CCI-002685 |
The organization defines the host-based monitoring mechanisms to be implemented at organization-defined information system components. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the host-based monitoring mechanisms as HBSS. |
DoD has defined the host-based monitoring mechanisms as HBSS. |
Information System Monitoring | Host-Based Devices |
SI-4 (23) |
SI-4(23).1 |
Information system components where host-based monitoring can be implemented include, for example, servers, workstations, and mobile devices. Organizations consider employing host-based monitoring mechanisms from multiple information technology product developers. |
The organization implements [Assignment: organization-defined host-based monitoring mechanisms] at [Assignment: organization-defined information system components]. |
| CCI-002686 |
The organization defines the information system components at which organization-defined host-based monitoring mechanisms are to be implemented. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the information system components as all components. |
DoD has defined the information system components as all components. |
Information System Monitoring | Host-Based Devices |
SI-4 (23) |
SI-4(23).2 |
Information system components where host-based monitoring can be implemented include, for example, servers, workstations, and mobile devices. Organizations consider employing host-based monitoring mechanisms from multiple information technology product developers. |
The organization implements [Assignment: organization-defined host-based monitoring mechanisms] at [Assignment: organization-defined information system components]. |
| CCI-002687 |
The organization implements organization-defined host-based monitoring mechanisms at organization-defined information system components. |
The organization conducting the inspection/assessment obtains and examines documentation of the use of HBSS to ensure the organization being inspected/assessed implements HBSS at all components.
The organization being inspected/assessed may be required to demonstrate use of HBSS.
DoD has defined the host-based monitoring mechanisms as HBSS.
DoD has defined the information system components as all components. |
The organization being inspected/assessed documents and implements HBSS at all components.
DoD has defined the host-based monitoring mechanisms as HBSS.
DoD has defined the information system components as all components. |
Information System Monitoring | Host-Based Devices |
SI-4 (23) |
SI-4(23).3 |
Information system components where host-based monitoring can be implemented include, for example, servers, workstations, and mobile devices. Organizations consider employing host-based monitoring mechanisms from multiple information technology product developers. |
The organization implements [Assignment: organization-defined host-based monitoring mechanisms] at [Assignment: organization-defined information system components]. |
| CCI-002688 |
The information system discovers indicators of compromise. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to discover indicators of compromise.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2688. |
The organization being inspected/assessed configures the information system to discover indicators of compromise.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2688. |
Information System Monitoring | Indicators Of Compromise |
SI-4 (24) |
SI-4(24).1 |
Indicators of compromise (IOC) are forensic artifacts from intrusions that are identified on organizational information systems (at the host or network level). IOCs provide organizations with valuable information on objects or information systems that have been compromised. IOCs for the discovery of compromised hosts can include for example, the creation of registry key values. IOCs for network traffic include, for example, Universal Resource Locator (URL) or protocol elements that indicate malware command and control servers. The rapid distribution and adoption of IOCs can improve information security by reducing the time that information systems and organizations are vulnerable to the same exploit or attack. |
The information system discovers, collects, distributes, and uses indicators of compromise. |
| CCI-002689 |
The information system collects indicators of compromise. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to collect indicators of compromise.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2689. |
The organization being inspected/assessed configures the information system to collect indicators of compromise.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2689. |
Information System Monitoring | Indicators Of Compromise |
SI-4 (24) |
SI-4(24).2 |
Indicators of compromise (IOC) are forensic artifacts from intrusions that are identified on organizational information systems (at the host or network level). IOCs provide organizations with valuable information on objects or information systems that have been compromised. IOCs for the discovery of compromised hosts can include for example, the creation of registry key values. IOCs for network traffic include, for example, Universal Resource Locator (URL) or protocol elements that indicate malware command and control servers. The rapid distribution and adoption of IOCs can improve information security by reducing the time that information systems and organizations are vulnerable to the same exploit or attack. |
The information system discovers, collects, distributes, and uses indicators of compromise. |
| CCI-002690 |
The information system distributes indicators of compromise. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to distribute indicators of compromise.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2690. |
The organization being inspected/assessed configures the information system to distribute indicators of compromise.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2690. |
Information System Monitoring | Indicators Of Compromise |
SI-4 (24) |
SI-4(24).3 |
Indicators of compromise (IOC) are forensic artifacts from intrusions that are identified on organizational information systems (at the host or network level). IOCs provide organizations with valuable information on objects or information systems that have been compromised. IOCs for the discovery of compromised hosts can include for example, the creation of registry key values. IOCs for network traffic include, for example, Universal Resource Locator (URL) or protocol elements that indicate malware command and control servers. The rapid distribution and adoption of IOCs can improve information security by reducing the time that information systems and organizations are vulnerable to the same exploit or attack. |
The information system discovers, collects, distributes, and uses indicators of compromise. |
| CCI-002691 |
The information system uses indicators of compromise. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to use indicators of compromise to react to known indicators and prevent future exploitation of them.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2691. |
The organization being inspected/assessed configures the information system to use indicators of compromise to react to known indicators and prevent future exploitation of them.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2691. |
Information System Monitoring | Indicators Of Compromise |
SI-4 (24) |
SI-4(24).4 |
Indicators of compromise (IOC) are forensic artifacts from intrusions that are identified on organizational information systems (at the host or network level). IOCs provide organizations with valuable information on objects or information systems that have been compromised. IOCs for the discovery of compromised hosts can include for example, the creation of registry key values. IOCs for network traffic include, for example, Universal Resource Locator (URL) or protocol elements that indicate malware command and control servers. The rapid distribution and adoption of IOCs can improve information security by reducing the time that information systems and organizations are vulnerable to the same exploit or attack. |
The information system discovers, collects, distributes, and uses indicators of compromise. |
| CCI-002692 |
The organization defines the external organizations from which it receives information system security alerts, advisories, and directives. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the external organizations as at a minimum, USCYBERCOM. |
DoD has defined the external organizations as at a minimum, USCYBERCOM. |
Security Alerts, Advisories, And Directives |
SI-5 |
SI-5.2 |
The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance to security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission/business partners, supply chain partners, external service providers, and other peer/supporting organizations. Related control: SI-2. |
The organization:
a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
b. Generates internal security alerts, advisories, and directives as deemed necessary;
c. Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel (identified by name and/or by role)];
[Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and
d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. |
| CCI-002693 |
The organization defines the elements within the organization to whom the organization will disseminate security alerts, advisories, and directives. |
DoD has determined the elements are not applicable as elements are not selected as recipients of security alerts, advisories and directives. |
DoD has determined the elements are not applicable as elements are not selected as recipients of security alerts, advisories and directives. |
Security Alerts, Advisories, And Directives |
SI-5 |
SI-5.6 |
The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance to security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission/business partners, supply chain partners, external service providers, and other peer/supporting organizations. Related control: SI-2. |
The organization:
a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
b. Generates internal security alerts, advisories, and directives as deemed necessary;
c. Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel (identified by name and/or by role)];
[Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and
d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. |
| CCI-002694 |
The organization defines the external organizations to which the organization will disseminate security alerts, advisories, and directives. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the external organizations as CNDSP Tier 1 for vetting. The CNDSP Tier 1 will pass the information to the accredited Tier 2 CNDSPs. Tier 2 CNDSPs are responsible for ensuring all Tier 3 entities receive the information. Tier 3 organizations will ensure all local Op Centers/LAN shops receive information (i.e. Component IT System and Security Personnel) (e.g. ISSM, ISSOs, and system administrators). |
DoD has defined the external organizations as CNDSP Tier 1 for vetting. The CNDSP Tier 1 will pass the information to the accredited Tier 2 CNDSPs. Tier 2 CNDSPs are responsible for ensuring all Tier 3 entities receive the information. Tier 3 organizations will ensure all local Op Centers/LAN shops receive information (i.e. Component IT System and Security Personnel) (e.g. ISSM, ISSOs, and system administrators). |
Security Alerts, Advisories, And Directives |
SI-5 |
SI-5.7 |
The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance to security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission/business partners, supply chain partners, external service providers, and other peer/supporting organizations. Related control: SI-2. |
The organization:
a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
b. Generates internal security alerts, advisories, and directives as deemed necessary;
c. Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel (identified by name and/or by role)];
[Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and
d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. |
| CCI-002695 |
The organization defines the security functions that require verification of correct operation. |
The organization conducting the inspection/assessment obtains and examines the documented security functions to ensure the organization being inspected/assessed defines the security functions that require verification of correct operation.
DoD has determined the security functions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security functions that require verification of correct operation.
DoD has determined the security functions are not appropriate to define at the Enterprise level. |
Security Function Verification |
SI-6 |
SI-6.1 |
Transitional states for information systems include, for example, system startup, restart, shutdown, and abort. Notifications provided by information systems include, for example, electronic alerts to system administrators, messages to local computer consoles, and/or hardware indications such as lights. Related controls: CA-7, CM-6. |
The information system:
a. Verifies the correct operation of [Assignment: organization-defined security functions];
b. Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]];
c. Notifies [Assignment: organization-defined personnel or roles] of failed security verification tests; and
d. [Selection (one or more): shuts the information system down; restarts the information system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered. |
| CCI-002696 |
The information system verifies correct operation of organization-defined security functions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to verify correct operation of security functions defined in SI-6, CCI 2695.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2696. |
The organization being inspected/assessed configures the information system to verify correct operation of security functions defined in SI-6, CCI 2695.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2696. |
Security Function Verification |
SI-6 |
SI-6.2 |
Transitional states for information systems include, for example, system startup, restart, shutdown, and abort. Notifications provided by information systems include, for example, electronic alerts to system administrators, messages to local computer consoles, and/or hardware indications such as lights. Related controls: CA-7, CM-6. |
The information system:
a. Verifies the correct operation of [Assignment: organization-defined security functions];
b. Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]];
c. Notifies [Assignment: organization-defined personnel or roles] of failed security verification tests; and
d. [Selection (one or more): shuts the information system down; restarts the information system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered. |
| CCI-002697 |
The organization defines the frequency at which it will verify correct operation of organization-defined security functions. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as 30 days. |
DoD has defined the frequency as 30 days. |
Security Function Verification |
SI-6 |
SI-6.3 |
Transitional states for information systems include, for example, system startup, restart, shutdown, and abort. Notifications provided by information systems include, for example, electronic alerts to system administrators, messages to local computer consoles, and/or hardware indications such as lights. Related controls: CA-7, CM-6. |
The information system:
a. Verifies the correct operation of [Assignment: organization-defined security functions];
b. Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]];
c. Notifies [Assignment: organization-defined personnel or roles] of failed security verification tests; and
d. [Selection (one or more): shuts the information system down; restarts the information system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered. |
| CCI-002698 |
The organization defines the system transitional states when the information system will verify correct operation of organization-defined security functions. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the system transitional states as upon system startup, and/or restart, upon command by user with appropriate privileges. |
DoD has defined the system transitional states as upon system startup, and/or restart, upon command by user with appropriate privileges. |
Security Function Verification |
SI-6 |
SI-6.4 |
Transitional states for information systems include, for example, system startup, restart, shutdown, and abort. Notifications provided by information systems include, for example, electronic alerts to system administrators, messages to local computer consoles, and/or hardware indications such as lights. Related controls: CA-7, CM-6. |
The information system:
a. Verifies the correct operation of [Assignment: organization-defined security functions];
b. Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]];
c. Notifies [Assignment: organization-defined personnel or roles] of failed security verification tests; and
d. [Selection (one or more): shuts the information system down; restarts the information system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered. |
| CCI-002699 |
The information system performs verification of the correct operation of organization-defined security functions: when the system is in an organization-defined transitional state; upon command by a user with appropriate privileges; and/or on an organization-defined frequency. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to perform verification of the correct operation of security functions defined in SI-6, CCI 1294: when the system is in a transitional state defined in SI-6, CCI 2698; upon command by a user with appropriate privileges; and/or 30 days.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2699.
DoD has defined the frequency as 30 days. |
The organization being inspected/assessed configures the information system to perform verification of the correct operation of security functions defined in SI-6, CCI 1294: when the system is in a transitional state defined in SI-6, CCI 2698; upon command by a user with appropriate privileges; and/or 30 days.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2699.
DoD has defined the frequency as 30 days. |
Security Function Verification |
SI-6 |
SI-6.5 |
Transitional states for information systems include, for example, system startup, restart, shutdown, and abort. Notifications provided by information systems include, for example, electronic alerts to system administrators, messages to local computer consoles, and/or hardware indications such as lights. Related controls: CA-7, CM-6. |
The information system:
a. Verifies the correct operation of [Assignment: organization-defined security functions];
b. Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]];
c. Notifies [Assignment: organization-defined personnel or roles] of failed security verification tests; and
d. [Selection (one or more): shuts the information system down; restarts the information system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered. |
| CCI-002700 |
The organization defines the personnel or roles to be notified when security verification tests fail. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as the ISSO and ISSM. |
DoD has defined the personnel or roles as the ISSO and ISSM. |
Security Function Verification |
SI-6 |
SI-6.7 |
Transitional states for information systems include, for example, system startup, restart, shutdown, and abort. Notifications provided by information systems include, for example, electronic alerts to system administrators, messages to local computer consoles, and/or hardware indications such as lights. Related controls: CA-7, CM-6. |
The information system:
a. Verifies the correct operation of [Assignment: organization-defined security functions];
b. Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]];
c. Notifies [Assignment: organization-defined personnel or roles] of failed security verification tests; and
d. [Selection (one or more): shuts the information system down; restarts the information system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered. |
| CCI-002701 |
The organization defines alternative action(s) to be taken when the information system discovers anomalies in the operation of organization-defined security functions. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the alternative action(s) as notifies system administrator. |
DoD has defined the alternative action(s) as notifies system administrator. |
Security Function Verification |
SI-6 |
SI-6.8 |
Transitional states for information systems include, for example, system startup, restart, shutdown, and abort. Notifications provided by information systems include, for example, electronic alerts to system administrators, messages to local computer consoles, and/or hardware indications such as lights. Related controls: CA-7, CM-6. |
The information system:
a. Verifies the correct operation of [Assignment: organization-defined security functions];
b. Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]];
c. Notifies [Assignment: organization-defined personnel or roles] of failed security verification tests; and
d. [Selection (one or more): shuts the information system down; restarts the information system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered. |
| CCI-002702 |
The information system shuts the information system down, restarts the information system, and/or initiates organization-defined alternative action(s) when anomalies in the operation of the organization-defined security functions are discovered. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to shut the information system down, restarts the information system, and/or notifies system administrator when anomalies in the operation of the security functions defined in SI-6, CCI 2695 are discovered.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2702.
DoD has defined the alternative action(s) as notifies system administrator. |
The organization being inspected/assessed configures the information system to shut the information system down, restarts the information system, and/or notifies system administrator when anomalies in the operation of the security functions defined in SI-6, CCI 2695 are discovered.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2702.
DoD has defined the alternative action(s) as notifies system administrator. |
Security Function Verification |
SI-6 |
SI-6.9 |
Transitional states for information systems include, for example, system startup, restart, shutdown, and abort. Notifications provided by information systems include, for example, electronic alerts to system administrators, messages to local computer consoles, and/or hardware indications such as lights. Related controls: CA-7, CM-6. |
The information system:
a. Verifies the correct operation of [Assignment: organization-defined security functions];
b. Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]];
c. Notifies [Assignment: organization-defined personnel or roles] of failed security verification tests; and
d. [Selection (one or more): shuts the information system down; restarts the information system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered. |
| CCI-002703 |
The organization defines the software, firmware, and information which will be subjected to integrity verification tools to detect unauthorized changes. |
The organization conducting the inspection/assessment obtains and examines the documented software, firmware, and information to ensure the organization being inspected/assessed defines the software, firmware, and information which will be subjected to integrity verification tools to detect unauthorized changes.
DoD has determined the software, firmware, and information are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the software, firmware, and information which will be subjected to integrity verification tools to detect unauthorized changes.
DoD has determined the software, firmware, and information are not appropriate to define at the Enterprise level. |
Software, Firmware, And Information Integrity |
SI-7 |
SI-7.1 |
Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity (e.g., tampering). Software includes, for example, operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes, for example, the Basic Input Output System (BIOS). Information includes metadata such as security attributes associated with information. State-of-the-practice integrity-checking mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and associated tools can automatically monitor the integrity of information systems and hosted applications. Related controls: SA-12, SC-8, SC-13, SI-3. |
The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information]. |
| CCI-002704 |
The organization employs integrity verification tools to detect unauthorized changes to organization-defined software, firmware, and information. |
The organization conducting the inspection/assessment obtains and examines the hardware/software lists and any other documentation applicable to integrity verification tools to ensure the organization being inspected/assessed employs integrity verification tools to detect unauthorized changes to software, firmware, and information defined in SI-7, CCI 2703. |
The organization being inspected/assessed designs the information system to employ integrity verification tools to detect unauthorized changes to software, firmware, and information defined in SI-7, CCI 2703. |
Software, Firmware, And Information Integrity |
SI-7 |
SI-7.2 |
Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity (e.g., tampering). Software includes, for example, operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes, for example, the Basic Input Output System (BIOS). Information includes metadata such as security attributes associated with information. State-of-the-practice integrity-checking mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and associated tools can automatically monitor the integrity of information systems and hosted applications. Related controls: SA-12, SC-8, SC-13, SI-3. |
The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information]. |
| CCI-002705 |
The organization defines the software on which integrity checks will be performed. |
The organization conducting the inspection/assessment obtains and examines the documented software to ensure the organization being inspected/assessed defines the firmware on which integrity checks will be performed.
DoD has determined the software is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the software on which integrity checks will be performed.
DoD has determined the software is not appropriate to define at the Enterprise level. |
Software, Firmware, And Information Integrity | Integrity Checks |
SI-7 (1) |
SI-7(1).1 |
Security-relevant events include, for example, the identification of a new threat to which organizational information systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include, for example, system startup, restart, shutdown, and abort. |
The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]]. |
| CCI-002706 |
The organization defines the firmware on which integrity checks will be performed. |
The organization conducting the inspection/assessment obtains and examines the documented firmware to ensure the organization being inspected/assessed defines the firmware on which integrity checks will be performed.
DoD has determined the firmware is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the firmware on which integrity checks will be performed.
DoD has determined the firmware is not appropriate to define at the Enterprise level. |
Software, Firmware, And Information Integrity | Integrity Checks |
SI-7 (1) |
SI-7(1).2 |
Security-relevant events include, for example, the identification of a new threat to which organizational information systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include, for example, system startup, restart, shutdown, and abort. |
The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]]. |
| CCI-002707 |
The organization defines the information on which integrity checks will be performed. |
The organization conducting the inspection/assessment obtains and examines the documented information to ensure the organization being inspected/assessed defines the information on which integrity checks will be performed.
DoD has determined the information is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the information on which integrity checks will be performed.
DoD has determined the information is not appropriate to define at the Enterprise level. |
Software, Firmware, And Information Integrity | Integrity Checks |
SI-7 (1) |
SI-7(1).3 |
Security-relevant events include, for example, the identification of a new threat to which organizational information systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include, for example, system startup, restart, shutdown, and abort. |
The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]]. |
| CCI-002708 |
The organization defines the transitional state or security-relevant events when the information system will perform integrity checks on software, firmware, and information. |
The organization conducting the inspection/assessment obtains and examines the documented transitional state or security-relevant event to ensure the organization being inspected/assessed defines the transitional state or security-relevant events when the information system will perform integrity checks on software, firmware and information.
DoD has determined the transitional state or security-relevant events are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the transitional state or security-relevant events when the information system will perform integrity checks on software, firmware and information.
DoD has determined the transitional state or security-relevant events are not appropriate to define at the Enterprise level. |
Software, Firmware, And Information Integrity | Integrity Checks |
SI-7 (1) |
SI-7(1).4 |
Security-relevant events include, for example, the identification of a new threat to which organizational information systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include, for example, system startup, restart, shutdown, and abort. |
The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]]. |
| CCI-002709 |
The organization defines the frequency at which it will perform integrity checks of software, firmware, and information. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as annually. |
DoD has defined the frequency as annually. |
Software, Firmware, And Information Integrity | Integrity Checks |
SI-7 (1) |
SI-7(1).5 |
Security-relevant events include, for example, the identification of a new threat to which organizational information systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include, for example, system startup, restart, shutdown, and abort. |
The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]]. |
| CCI-002710 |
The information system performs an integrity check of organization-defined software at startup, at organization-defined transitional states or security-relevant events, or on an organization-defined frequency. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to perform an integrity check of software defined in SI-7 (1), CCI 2705 at startup, at transitional states or security-relevant events defined in SI-7 (1), CCI 2708, or annually.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2710.
DoD has defined the frequency as annually. |
The organization being inspected/assessed configures the information system to perform an integrity check of software defined in SI-7 (1), CCI 2705 at startup, at transitional states or security-relevant events defined in SI-7 (1), CCI 2708, or annually.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2710.
DoD has defined the frequency as annually. |
Software, Firmware, And Information Integrity | Integrity Checks |
SI-7 (1) |
SI-7(1).6 |
Security-relevant events include, for example, the identification of a new threat to which organizational information systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include, for example, system startup, restart, shutdown, and abort. |
The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]]. |
| CCI-002711 |
The information system performs an integrity check of organization-defined firmware at startup, at organization-defined transitional states or security-relevant events, or on an organization-defined frequency. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to perform an integrity check of firmware defined in SI-7 (1), CCI 2706 at startup, at transitional states or security-relevant events defined in SI-7 (1), CCI 2708, or annually.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2711.
DoD has defined the frequency as annually. |
The organization being inspected/assessed configures the information system to perform an integrity check of firmware defined in SI-7 (1), CCI 2706 at startup, at transitional states or security-relevant events defined in SI-7 (1), CCI 2708, or annually.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2711.
DoD has defined the frequency as annually. |
Software, Firmware, And Information Integrity | Integrity Checks |
SI-7 (1) |
SI-7(1).7 |
Security-relevant events include, for example, the identification of a new threat to which organizational information systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include, for example, system startup, restart, shutdown, and abort. |
The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]]. |
| CCI-002712 |
The information system performs an integrity check of organization-defined information at startup, at organization-defined transitional states or security-relevant events, or on an organization-defined frequency. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to perform an integrity check of information defined in SI-7 (1), CCI 2707 at startup, at transitional states or security-relevant events defined in SI-7 (1), CCI 2708, or annually.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2712.
DoD has defined the frequency as annually. |
The organization being inspected/assessed configures the information system to perform an integrity check of information defined in SI-7 (1), CCI 2707 at startup, at transitional states or security-relevant events defined in SI-7 (1), CCI 2708, or annually.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2712.
DoD has defined the frequency as annually. |
Software, Firmware, And Information Integrity | Integrity Checks |
SI-7 (1) |
SI-7(1).8 |
Security-relevant events include, for example, the identification of a new threat to which organizational information systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include, for example, system startup, restart, shutdown, and abort. |
The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]]. |
| CCI-002713 |
The organization defines the personnel or roles to be notified when discrepancies are discovered during integrity verification. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. |
DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. |
Software, Firmware, And Information Integrity | Automated Notifications Of Integrity Violations |
SI-7 (2) |
SI-7(2).2 |
The use of automated tools to report integrity violations and to notify organizational personnel in a timely matter is an essential precursor to effective risk response. Personnel having an interest in integrity violations include, for example, mission/business owners, information system owners, systems administrators, software developers, systems integrators, and information security officers. |
The organization employs automated tools that provide notification to [Assignment: organization-defined personnel or roles] upon discovering discrepancies during integrity verification. |
| CCI-002714 |
The organization defines the security safeguards that are to be employed when integrity violations are discovered. |
The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure the organization being inspected/assessed defines the security safeguards that are to be employed when integrity violations are discovered.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security safeguards that are to be employed when integrity violations are discovered.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
Software, Firmware, And Information Integrity | Automated Response To Integrity Violations |
SI-7 (5) |
SI-7(5).1 |
Organizations may define different integrity checking and anomaly responses: (i) by type of information (e.g., firmware, software, user data); (ii) by specific information (e.g., boot firmware, boot firmware for a specific types of machines); or (iii) a combination of both. Automatic implementation of specific safeguards within organizational information systems includes, for example, reversing the changes, halting the information system, or triggering audit alerts when unauthorized modifications to critical security files occur. |
The information system automatically [Selection (one or more): shuts the information system down; restarts the information system; implements [Assignment: organization-defined security safeguards]] when integrity violations are discovered. |
| CCI-002715 |
The information system automatically shuts the information system down, restarts the information system, and/or implements organization-defined security safeguards when integrity violations are discovered. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to automatically shut the information system down, restart the information system, and/or implement security safeguards defined in SI-7 (5), CCI 2714 when integrity violations are discovered.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2715. |
The organization being inspected/assessed configures the information system to automatically shut the information system down, restart the information system, and/or implement security safeguards defined in SI-7 (5), CCI 2714 when integrity violations are discovered.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2715. |
Software, Firmware, And Information Integrity | Automated Response To Integrity Violations |
SI-7 (5) |
SI-7(5).2 |
Organizations may define different integrity checking and anomaly responses: (i) by type of information (e.g., firmware, software, user data); (ii) by specific information (e.g., boot firmware, boot firmware for a specific types of machines); or (iii) a combination of both. Automatic implementation of specific safeguards within organizational information systems includes, for example, reversing the changes, halting the information system, or triggering audit alerts when unauthorized modifications to critical security files occur. |
The information system automatically [Selection (one or more): shuts the information system down; restarts the information system; implements [Assignment: organization-defined security safeguards]] when integrity violations are discovered. |
| CCI-002716 |
The information system implements cryptographic mechanisms to detect unauthorized changes to software. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement FIPS-approved cryptographic mechanisms to detect unauthorized changes to software.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2716. |
The organization being inspected/assessed configures the information system to implement FIPS-approved cryptographic mechanisms to detect unauthorized changes to software.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2716. |
Software, Firmware, And Information Integrity | Cryptographic Protection |
SI-7 (6) |
SI-7(6).1 |
Cryptographic mechanisms used for the protection of integrity include, for example, digital signatures and the computation and application of signed hashes using asymmetric cryptography, protecting the confidentiality of the key used to generate the hash, and using the public key to verify the hash information. Related control: SC-13. |
The information system implements cryptographic mechanisms to detect unauthorized changes to software, firmware, and information. |
| CCI-002717 |
The information system implements cryptographic mechanisms to detect unauthorized changes to firmware. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement FIPS-approved cryptographic mechanisms to detect unauthorized changes to firmware.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2717. |
The organization being inspected/assessed configures the information system to implement FIPS-approved cryptographic mechanisms to detect unauthorized changes to firmware.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2717. |
Software, Firmware, And Information Integrity | Cryptographic Protection |
SI-7 (6) |
SI-7(6).2 |
Cryptographic mechanisms used for the protection of integrity include, for example, digital signatures and the computation and application of signed hashes using asymmetric cryptography, protecting the confidentiality of the key used to generate the hash, and using the public key to verify the hash information. Related control: SC-13. |
The information system implements cryptographic mechanisms to detect unauthorized changes to software, firmware, and information. |
| CCI-002718 |
The information system implements cryptographic mechanisms to detect unauthorized changes to information. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement FIPS-approved cryptographic mechanisms to detect unauthorized changes to information.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2718. |
The organization being inspected/assessed configures the information system to implement FIPS-approved cryptographic mechanisms to detect unauthorized changes to information.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2718. |
Software, Firmware, And Information Integrity | Cryptographic Protection |
SI-7 (6) |
SI-7(6).3 |
Cryptographic mechanisms used for the protection of integrity include, for example, digital signatures and the computation and application of signed hashes using asymmetric cryptography, protecting the confidentiality of the key used to generate the hash, and using the public key to verify the hash information. Related control: SC-13. |
The information system implements cryptographic mechanisms to detect unauthorized changes to software, firmware, and information. |
| CCI-002719 |
The organization defines the unauthorized security-relevant changes to the information system that are to be incorporated into the organizational incident response capability. |
The organization conducting the inspection/assessment obtains and examines the documented security-relevant changes to the information to ensure the organization being inspected/assessed defines the unauthorized security-relevant changes to the information system that are to be incorporated into the organizational incident response capability.
DoD has determined the security-relevant changes to the information are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the unauthorized security-relevant changes to the information system that are to be incorporated into the organizational incident response capability.
DoD has determined the security-relevant changes to the information are not appropriate to define at the Enterprise level. |
Software, Firmware, And Information Integrity | Integration Of Detection And Response |
SI-7 (7) |
SI-7(7).1 |
This control enhancement helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important both for being able to identify and discern adversary actions over an extended period of time and for possible legal actions. Security-relevant changes include, for example, unauthorized changes to established configuration settings or unauthorized elevation of information system privileges. Related controls: IR-4, IR-5, SI-4. |
The organization incorporates the detection of unauthorized [Assignment: organization-defined security-relevant changes to the information system] into the organizational incident response capability. |
| CCI-002720 |
The organization incorporates the detection of unauthorized organization-defined security-relevant changes to the information system into the organizational incident response capability. |
The organization conducting the inspection/assessment examines the organizational incident response capability to ensure the organization being inspected/assessed incorporates the detection of unauthorized security-relevant changes to the information system defined in SI-7 (7), CCI 2719. |
The organization being inspected/assessed incorporates the detection of unauthorized security-relevant changes to the information system defined in SI-7 (7), CCI 2719 into the organizational incident response capability. |
Software, Firmware, And Information Integrity | Integration Of Detection And Response |
SI-7 (7) |
SI-7(7).2 |
This control enhancement helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important both for being able to identify and discern adversary actions over an extended period of time and for possible legal actions. Security-relevant changes include, for example, unauthorized changes to established configuration settings or unauthorized elevation of information system privileges. Related controls: IR-4, IR-5, SI-4. |
The organization incorporates the detection of unauthorized [Assignment: organization-defined security-relevant changes to the information system] into the organizational incident response capability. |
| CCI-002721 |
The organization defines the personnel or roles that are to be alerted by the information system when it detects a potential integrity violation. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. |
DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. |
Software, Firmware, And Information Integrity | Auditing Capability For Significant Events |
SI-7 (8) |
SI-7(8).1 |
Organizations select response actions based on types of software, specific software, or information for which there are potential integrity violations. Related controls: AU-2, AU-6, AU-12. |
The information system, upon detection of a potential integrity violation, provides the capability to audit the event and initiates the following actions: [Selection (one or more): generates an audit record; alerts current user; alerts [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]]. |
| CCI-002722 |
The organization defines other actions that can be taken when the information system detects a potential integrity violation. |
The organization conducting the inspection/assessment obtains and examines the documented other actions to ensure the organization being inspected/assessed defines other actions that can be taken when the information system detects a potential integrity violation.
DoD has determined the other actions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents other actions that can be taken when the information system detects a potential integrity violation.
DoD has determined the other actions are not appropriate to define at the Enterprise level. |
Software, Firmware, And Information Integrity | Auditing Capability For Significant Events |
SI-7 (8) |
SI-7(8).2 |
Organizations select response actions based on types of software, specific software, or information for which there are potential integrity violations. Related controls: AU-2, AU-6, AU-12. |
The information system, upon detection of a potential integrity violation, provides the capability to audit the event and initiates the following actions: [Selection (one or more): generates an audit record; alerts current user; alerts [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]]. |
| CCI-002723 |
The information system, upon detection of a potential integrity violation, provides the capability to audit the event. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide the capability to audit the event upon detection of a potential integrity violation.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2723. |
The organization being inspected/assessed configures the information system to provide the capability to audit the event upon detection of a potential integrity violation.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2723. |
Software, Firmware, And Information Integrity | Auditing Capability For Significant Events |
SI-7 (8) |
SI-7(8).3 |
Organizations select response actions based on types of software, specific software, or information for which there are potential integrity violations. Related controls: AU-2, AU-6, AU-12. |
The information system, upon detection of a potential integrity violation, provides the capability to audit the event and initiates the following actions: [Selection (one or more): generates an audit record; alerts current user; alerts [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]]. |
| CCI-002724 |
The information system, upon detection of a potential integrity violation, initiates one or more of the following actions: generates an audit record; alerts the current user; alerts organization-defined personnel or roles; and/or organization-defined other actions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to initiate one or more of following actions: generates an audit record; alerts current user; alerts at a minimum, the ISSO and ISSM; and/or other actions defined in SI-7 (8), CCI 2722 upon detection of a potential integrity violation.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2724.
DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. |
The organization being inspected/assessed configures the information system to initiate one or more of following actions: generates an audit record; alerts current user; alerts at a minimum, the ISSO and ISSM; and/or other actions defined in SI-7 (8), CCI 2722 upon detection of a potential integrity violation.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2724.
DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. |
Software, Firmware, And Information Integrity | Auditing Capability For Significant Events |
SI-7 (8) |
SI-7(8).4 |
Organizations select response actions based on types of software, specific software, or information for which there are potential integrity violations. Related controls: AU-2, AU-6, AU-12. |
The information system, upon detection of a potential integrity violation, provides the capability to audit the event and initiates the following actions: [Selection (one or more): generates an audit record; alerts current user; alerts [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]]. |
| CCI-002725 |
The organization defines the devices which will have the integrity of the boot process verified. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the devices as all devices capable of verification of the boot process. |
DoD has defined the devices as all devices capable of verification of the boot process. |
Software, Firmware, And Information Integrity | Verify Boot Process |
SI-7 (9) |
SI-7(9).1 |
Ensuring the integrity of boot processes is critical to starting devices in known/trustworthy states. Integrity verification mechanisms provide organizational personnel with assurance that only trusted code is executed during boot processes. |
The information system verifies the integrity of the boot process of [Assignment: organization-defined devices]. |
| CCI-002726 |
The information system verifies the integrity of the boot process of organization-defined devices. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to verify the integrity of the boot process of all devices capable of verification of the boot process.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2726.
DoD has defined the devices as all devices capable of verification of the boot process. |
The organization being inspected/assessed configures the information system to verify the integrity of the boot process of all devices capable of verification of the boot process.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2726.
DoD has defined the devices as all devices capable of verification of the boot process. |
Software, Firmware, And Information Integrity | Verify Boot Process |
SI-7 (9) |
SI-7(9).2 |
Ensuring the integrity of boot processes is critical to starting devices in known/trustworthy states. Integrity verification mechanisms provide organizational personnel with assurance that only trusted code is executed during boot processes. |
The information system verifies the integrity of the boot process of [Assignment: organization-defined devices]. |
| CCI-002727 |
The organization defines the security safeguards to be implemented to protect the integrity of the boot firmware in organization-defined devices. |
The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure the organization being inspected/assessed defines the security safeguards to be implemented to protect the integrity of the boot firmware in organization-defined devices.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security safeguards to be implemented to protect the integrity of the boot firmware in organization-defined devices.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
Software, Firmware, And Information Integrity | Protection Of Boot Firmware |
SI-7 (10) |
SI-7(10).1 |
Unauthorized modifications to boot firmware may be indicative of a sophisticated, targeted cyber attack. These types of cyber attacks can result in a permanent denial of service (e.g., if the firmware is corrupted) or a persistent malicious code presence (e.g., if code is embedded within the firmware). Devices can protect the integrity of the boot firmware in organizational information systems by: (i) verifying the integrity and authenticity of all updates to the boot firmware prior to applying changes to the boot devices; and (ii) preventing unauthorized processes from modifying the boot firmware. |
The information system implements [Assignment: organization-defined security safeguards] to protect the integrity of boot firmware in [Assignment: organization-defined devices]. |
| CCI-002728 |
The organization defines the devices on which organization-defined security safeguards will be implemented to protect the integrity of the boot firmware. |
The organization conducting the inspection/assessment obtains and examines the documented devices to ensure the organization being inspected/assessed defines the devices on which organization-defined security safeguards will be implemented to protect the integrity of the boot firmware.
DoD has determined the devices are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the devices on which organization-defined security safeguards will be implemented to protect the integrity of the boot firmware.
DoD has determined the devices are not appropriate to define at the Enterprise level. |
Software, Firmware, And Information Integrity | Protection Of Boot Firmware |
SI-7 (10) |
SI-7(10).2 |
Unauthorized modifications to boot firmware may be indicative of a sophisticated, targeted cyber attack. These types of cyber attacks can result in a permanent denial of service (e.g., if the firmware is corrupted) or a persistent malicious code presence (e.g., if code is embedded within the firmware). Devices can protect the integrity of the boot firmware in organizational information systems by: (i) verifying the integrity and authenticity of all updates to the boot firmware prior to applying changes to the boot devices; and (ii) preventing unauthorized processes from modifying the boot firmware. |
The information system implements [Assignment: organization-defined security safeguards] to protect the integrity of boot firmware in [Assignment: organization-defined devices]. |
| CCI-002729 |
The information system implements organization-defined security safeguards to protect the integrity of boot firmware in organization-defined devices. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement security safeguards defined in SI-7 (10), CCI 2727 to protect the integrity of boot firmware in devices defined in SI-7 (10), CCI 2728.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2729. |
The organization being inspected/assessed configures the information system to implement security safeguards defined in SI-7 (10), CCI 2727 to protect the integrity of boot firmware in devices defined in SI-7 (10), CCI 2728.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2729. |
Software, Firmware, And Information Integrity | Protection Of Boot Firmware |
SI-7 (10) |
SI-7(10).3 |
Unauthorized modifications to boot firmware may be indicative of a sophisticated, targeted cyber attack. These types of cyber attacks can result in a permanent denial of service (e.g., if the firmware is corrupted) or a persistent malicious code presence (e.g., if code is embedded within the firmware). Devices can protect the integrity of the boot firmware in organizational information systems by: (i) verifying the integrity and authenticity of all updates to the boot firmware prior to applying changes to the boot devices; and (ii) preventing unauthorized processes from modifying the boot firmware. |
The information system implements [Assignment: organization-defined security safeguards] to protect the integrity of boot firmware in [Assignment: organization-defined devices]. |
| CCI-002730 |
The organization defines the user-installed software that is to be executed in a confined physical or virtual machine environment with limited privileges. |
The organization conducting the inspection/assessment obtains and examines the documented user-installed software to ensure the organization being inspected/assessed defines the user-installed software that is to be executed in a confined physical or virtual machine environment with limited privileges.
DoD has determined the user-installed software is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the user-installed software that is to be executed in a confined physical or virtual machine environment with limited privileges.
DoD has determined the user-installed software is not appropriate to define at the Enterprise level. |
Software, Firmware, And Information Integrity | Confined Environments With Limited Privileges |
SI-7 (11) |
SI-7(11).1 |
Organizations identify software that may be of greater concern with regard to origin or potential for containing malicious code. For this type of software, user installations occur in confined environments of operation to limit or contain damage from malicious code that may be executed. |
The organization requires that [Assignment: organization-defined user-installed software] execute in a confined physical or virtual machine environment with limited privileges. |
| CCI-002731 |
The organization requires that organization-defined user-installed software execute in a confined physical or virtual machine environment with limited privileges. |
The organization conducting the inspection/assessment examines the information system to ensure that software defined in SI-7 (11), CCI 2730 executes in a confined physical or virtual machine environment with limited privileges. |
The organization being inspected/assessed requires that user-installed software defined in SI-7 (11), CCI 2730 execute in a confined physical or virtual machine environment with limited privileges. |
Software, Firmware, And Information Integrity | Confined Environments With Limited Privileges |
SI-7 (11) |
SI-7(11).2 |
Organizations identify software that may be of greater concern with regard to origin or potential for containing malicious code. For this type of software, user installations occur in confined environments of operation to limit or contain damage from malicious code that may be executed. |
The organization requires that [Assignment: organization-defined user-installed software] execute in a confined physical or virtual machine environment with limited privileges. |
| CCI-002732 |
The organization defines the user-installed software that is to have its integrity verified prior to execution. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the user-installed software as all user installed software (NOTE: the key is the term "user installed."). |
DoD has defined the user-installed software as all user installed software (NOTE: the key is the term "user installed."). |
Software, Firmware, And Information Integrity | Integrity Verification |
SI-7 (12) |
SI-7(12).1 |
Organizations verify the integrity of user-installed software prior to execution to reduce the likelihood of executing malicious code or code that contains errors from unauthorized modifications. Organizations consider the practicality of approaches to verifying software integrity including, for example, availability of checksums of adequate trustworthiness from software developers or vendors. |
The organization requires that the integrity of [Assignment: organization-defined user-installed software] be verified prior to execution. |
| CCI-002733 |
The organization requires that the integrity of organization-defined user-installed software be verified prior to execution. |
The organization conducting the inspection/assessment examines the information system to ensure that all user installed software (NOTE: the key is the term "user installed.") is verified prior to execution.
DoD has defined the user-installed software as all user installed software (NOTE: the key is the term "user installed."). |
The organization being inspected/assessed requires that the integrity of all user installed software (NOTE: the key is the term "user installed.") be verified prior to execution.
DoD has defined the user-installed software as all user installed software (NOTE: the key is the term "user installed."). |
Software, Firmware, And Information Integrity | Integrity Verification |
SI-7 (12) |
SI-7(12).2 |
Organizations verify the integrity of user-installed software prior to execution to reduce the likelihood of executing malicious code or code that contains errors from unauthorized modifications. Organizations consider the practicality of approaches to verifying software integrity including, for example, availability of checksums of adequate trustworthiness from software developers or vendors. |
The organization requires that the integrity of [Assignment: organization-defined user-installed software] be verified prior to execution. |
| CCI-002734 |
The organization defines the personnel or roles which have the authority to explicitly approve binary or machine-executable code. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined has personnel or roles as the ISSO or ISSM. |
DoD has defined has personnel or roles as the ISSO or ISSM. |
Software, Firmware, And Information Integrity | Code Execution In Protected Environments |
SI-7 (13) |
SI-7(13).1 |
This control enhancement applies to all sources of binary or machine-executable code including, for example, commercial software/firmware and open source software. |
The organization allows execution of binary or machine-executable code obtained from sources with limited or no warranty and without the provision of source code only in confined physical or virtual machine environments and with the explicit approval of [Assignment: organization-defined personnel or roles]. |
| CCI-002735 |
The organization allows execution of binary or machine-executable code obtained from sources with limited or no warranty and without the provision of source code only in confined physical or virtual machine environments. |
The organization conducting the inspection/assessment obtains and examines the software list and examines the information system to ensure the organization being inspected/assessed allows execution of binary or machine-executable code obtained from sources without vendor support or with no warranty and without the provision of source code only in confined physical or virtual machine environments. |
The organization being inspected/assessed allows execution of binary or machine-executable code obtained from sources without vendor support or with no warranty and without the provision of source code only in confined physical or virtual machine environments. |
Software, Firmware, And Information Integrity | Code Execution In Protected Environments |
SI-7 (13) |
SI-7(13).2 |
This control enhancement applies to all sources of binary or machine-executable code including, for example, commercial software/firmware and open source software. |
The organization allows execution of binary or machine-executable code obtained from sources with limited or no warranty and without the provision of source code only in confined physical or virtual machine environments and with the explicit approval of [Assignment: organization-defined personnel or roles]. |
| CCI-002736 |
The organization allows execution of binary or machine-executable code obtained from sources with limited or no warranty and without the provision of source code only with the explicit approval of organization-defined personnel or roles. |
The organization conducting the inspection/assessment obtains and examines the software list and examines the information system to ensure the organization being inspected/assessed allows execution of binary or machine-executable code obtained from sources without vendor support or with no warranty and without the provision of source code only with the explicit approval of the ISSO or ISSM.
DoD has defined has personnel or roles as the ISSO or ISSM. |
The organization being inspected/assessed allows execution of binary or machine-executable code obtained from sources without vendor support or with no warranty and without the provision of source code only with the explicit approval of the ISSO or ISSM.
DoD has defined has personnel or roles as the ISSO or ISSM. |
Software, Firmware, And Information Integrity | Code Execution In Protected Environments |
SI-7 (13) |
SI-7(13).3 |
This control enhancement applies to all sources of binary or machine-executable code including, for example, commercial software/firmware and open source software. |
The organization allows execution of binary or machine-executable code obtained from sources with limited or no warranty and without the provision of source code only in confined physical or virtual machine environments and with the explicit approval of [Assignment: organization-defined personnel or roles]. |
| CCI-002737 |
The organization prohibits the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code. |
The organization conducting the inspection/assessment obtains and examines the software list and examines the information system to ensure the organization being inspected/assessed prohibits the use of binary or machine-executable code obtained from sources without vendor support or with no warranty and without the provision of source code. |
The organization being inspected/assessed prohibits the use of binary or machine-executable code obtained from sources without vendor support or with no warranty and without the provision of source code. |
Software, Firmware, And Information Integrity | Binary Or Machine Executable Code |
SI-7 (14) |
SI-7(14).1 |
This control enhancement applies to all sources of binary or machine-executable code including, for example, commercial software/firmware and open source software. Organizations assess software products without accompanying source code from sources with limited or no warranty for potential security impacts. The assessments address the fact that these types of software products may be very difficult to review, repair, or extend, given that organizations, in most cases, do not have access to the original source code, and there may be no owners who could make such repairs on behalf of organizations. Related control: SA-5. |
The organization:
(a) Prohibits the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code; and
(b) Provides exceptions to the source code requirement only for compelling mission/operational requirements and with the approval of the authorizing official. |
| CCI-002738 |
The organization provides exceptions to the source code requirement only for compelling mission/operational requirements and with the approval of the authorizing official. |
The organization conducting the inspection/assessment obtains and examines the documented exceptions to the source code requirement to ensure the organization being inspected/assessed provides justification and approval of the authorizing official for all exceptions to the source code requirement. |
The organization being inspected/assessed documents and provides exceptions to the source code requirement only for compelling mission/operational requirements and with the approval of the authorizing official. |
Software, Firmware, And Information Integrity | Binary Or Machine Executable Code |
SI-7 (14) |
SI-7(14).2 |
This control enhancement applies to all sources of binary or machine-executable code including, for example, commercial software/firmware and open source software. Organizations assess software products without accompanying source code from sources with limited or no warranty for potential security impacts. The assessments address the fact that these types of software products may be very difficult to review, repair, or extend, given that organizations, in most cases, do not have access to the original source code, and there may be no owners who could make such repairs on behalf of organizations. Related control: SA-5. |
The organization:
(a) Prohibits the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code; and
(b) Provides exceptions to the source code requirement only for compelling mission/operational requirements and with the approval of the authorizing official. |
| CCI-002739 |
The organization defines the software or firmware components on which cryptographic mechanisms are to be implemented to support authentication prior to installation. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the software or firmware components as all software and firmware from vendors/sources that provide cryptographic mechanisms to enable the validation of code authenticity and integrity. |
DoD has defined the software or firmware components as all software and firmware from vendors/sources that provide cryptographic mechanisms to enable the validation of code authenticity and integrity. |
Software, Firmware, And Information Integrity | Code Authentication |
SI-7 (15) |
SI-7(15).1 |
Cryptographic authentication includes, for example, verifying that software or firmware components have been digitally signed using certificates recognized and approved by organizations. Code signing is an effective method to protect against malicious code. |
The information system implements cryptographic mechanisms to authenticate [Assignment: organization-defined software or firmware components] prior to installation. |
| CCI-002740 |
The information system implements cryptographic mechanisms to authenticate organization-defined software or firmware components prior to installation. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement cryptographic mechanisms to authenticate all software and firmware from vendors/sources that provide cryptographic mechanisms to enable the validation of code authenticity and integrity prior to installation.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2740.
DoD has defined the software or firmware components as all software and firmware from vendors/sources that provide cryptographic mechanisms to enable the validation of code authenticity and integrity. |
The organization being inspected/assessed configures the information system to implement cryptographic mechanisms to authenticate all software and firmware from vendors/sources that provide cryptographic mechanisms to enable the validation of code authenticity and integrity prior to installation.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2740.
DoD has defined the software or firmware components as all software and firmware from vendors/sources that provide cryptographic mechanisms to enable the validation of code authenticity and integrity. |
Software, Firmware, And Information Integrity | Code Authentication |
SI-7 (15) |
SI-7(15).2 |
Cryptographic authentication includes, for example, verifying that software or firmware components have been digitally signed using certificates recognized and approved by organizations. Code signing is an effective method to protect against malicious code. |
The information system implements cryptographic mechanisms to authenticate [Assignment: organization-defined software or firmware components] prior to installation. |
| CCI-002741 |
The organization employs spam protection mechanisms at information system entry points to detect and take action on unsolicited messages. |
The organization conducting the inspection/assessment obtains and examines the hardware/software list to ensure the organization being inspected/assessed implements spam protection mechanisms at information system entry points to detect and take action on unsolicited messages.
The organization may be required to demonstrate the use of the identified spam protection mechanisms. |
The organization being inspected/assessed implements spam protection mechanisms at information system entry points to detect and take action on unsolicited messages. |
Spam Protection |
SI-8 |
SI-8.1 |
Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, mobile devices, and notebook/laptop computers. Spam can be transported by different means including, for example, electronic mail, electronic mail attachments, and web accesses. Spam protection mechanisms include, for example, signature definitions. Related controls: AT-2, AT-3, SC-5, SC-7, SI-3. |
The organization:
a. Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and
b. Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures. |
| CCI-002742 |
The organization employs spam protection mechanisms at information system exit points to detect and take action on unsolicited messages. |
The organization conducting the inspection/assessment obtains and examines the hardware/software list to ensure the organization being inspected/assessed implements spam protection mechanisms at information system exit points to detect and take action on unsolicited messages.
The organization may be required to demonstrate the use of the identified spam protection mechanisms. |
The organization being inspected/assessed implements spam protection mechanisms at information system exit points to detect and take action on unsolicited messages. |
Spam Protection |
SI-8 |
SI-8.2 |
Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, mobile devices, and notebook/laptop computers. Spam can be transported by different means including, for example, electronic mail, electronic mail attachments, and web accesses. Spam protection mechanisms include, for example, signature definitions. Related controls: AT-2, AT-3, SC-5, SC-7, SI-3. |
The organization:
a. Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and
b. Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures. |
| CCI-002743 |
The information system implements spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2743. |
The organization being inspected/assessed configures the information system to implement spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2743. |
Spam Protection | Continuous Learning Capability |
SI-8 (3) |
SI-8(3).1 |
Learning mechanisms include, for example, Bayesian filters that respond to user inputs identifying specific traffic as spam or legitimate by updating algorithm parameters and thereby more accurately separating types of traffic. |
The information system implements spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic. |
| CCI-002744 |
The organization defines the inputs on which the information system is to conduct validity checks. |
The organization conducting the DoD has defined the information inputs as all inputs except those identified specifically by the organization. |
The organization being inspected/assessed defines and documents specific inputs which do not require validity checks.
DoD has defined the information inputs as all inputs except those identified specifically by the organization. |
Information Input Validation |
SI-10 |
SI-10.2 |
Checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, and acceptable values) verifies that inputs match specified definitions for format and content. Software applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the tainted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation helps to ensure accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks. |
The information system checks the validity of [Assignment: organization-defined information inputs]. |
| CCI-002745 |
The organization defines the inputs for which the information system provides a manual override capability for input validation. |
The organization conducting the inspection/assessment obtains and examines the documented inputs to ensure the organization being inspected/assessed defines the inputs for which the information system provides a manual override capability for input validation.
DoD has determined the inputs are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the inputs for which the information system provides a manual override capability for input validation.
DoD has determined the inputs are not appropriate to define at the Enterprise level. |
Information Input Validation | Manual Override Capability |
SI-10 (1) |
SI-10(1).1 |
Related controls: CM-3, CM-5. |
The information system:
(a) Provides a manual override capability for input validation of [Assignment: organization-defined inputs];
(b) Restricts the use of the manual override capability to only [Assignment: organization-defined authorized individuals]; and
(c) Audits the use of the manual override capability. |
| CCI-002746 |
The information system provides a manual override capability for input validation of organization-defined inputs. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide a manual override capability for input validation of inputs defined in SI-10 (1), CCI 2745.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2746. |
The organization being inspected/assessed configures the information system to provide a manual override capability for input validation of inputs defined in SI-10 (1), CCI 2745.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2746. |
Information Input Validation | Manual Override Capability |
SI-10 (1) |
SI-10(1).2 |
Related controls: CM-3, CM-5. |
The information system:
(a) Provides a manual override capability for input validation of [Assignment: organization-defined inputs];
(b) Restricts the use of the manual override capability to only [Assignment: organization-defined authorized individuals]; and
(c) Audits the use of the manual override capability. |
| CCI-002747 |
The organization defines the individuals who have the authorization to use the manual override capability for input validation. |
The organization conducting the inspection/assessment obtains and examines the documented authorized individuals to ensure the organization being inspected/assessed defines the authorized individuals who have the capability to use the manual override capability for input validation.
DoD has determined the authorized individuals are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the authorized individuals who have the capability to use the manual override capability for input validation.
DoD has determined the authorized individuals are not appropriate to define at the Enterprise level. |
Information Input Validation | Manual Override Capability |
SI-10 (1) |
SI-10(1).3 |
Related controls: CM-3, CM-5. |
The information system:
(a) Provides a manual override capability for input validation of [Assignment: organization-defined inputs];
(b) Restricts the use of the manual override capability to only [Assignment: organization-defined authorized individuals]; and
(c) Audits the use of the manual override capability. |
| CCI-002748 |
The information system restricts the use of the manual override capability to only organization-defined authorized individuals. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to restrict the use of the manual override capability to only the authorized individuals defined in SI-10 (1), CCI 2747.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2748. |
The organization being inspected/assessed configures the information system to restrict the use of the manual override capability to only the authorized individuals defined in SI-10 (1), CCI 2747.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2748. |
Information Input Validation | Manual Override Capability |
SI-10 (1) |
SI-10(1).4 |
Related controls: CM-3, CM-5. |
The information system:
(a) Provides a manual override capability for input validation of [Assignment: organization-defined inputs];
(b) Restricts the use of the manual override capability to only [Assignment: organization-defined authorized individuals]; and
(c) Audits the use of the manual override capability. |
| CCI-002749 |
The information system audits the use of the manual override capability. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to audit the use of the manual override capability.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2749. |
The organization being inspected/assessed configures the information system to audit the use of the manual override capability.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2749. |
Information Input Validation | Manual Override Capability |
SI-10 (1) |
SI-10(1).5 |
Related controls: CM-3, CM-5. |
The information system:
(a) Provides a manual override capability for input validation of [Assignment: organization-defined inputs];
(b) Restricts the use of the manual override capability to only [Assignment: organization-defined authorized individuals]; and
(c) Audits the use of the manual override capability. |
| CCI-002750 |
The organization defines the time period within which input validation errors are to be reviewed. |
The organization conducting the inspection/assessment obtains and examines the documented time period to ensure the organization being inspected/assessed defines the time period within which input validation errors are reviewed.
DoD has determined the time period is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the time period within which input validation errors are reviewed.
DoD has determined the time period is not appropriate to define at the Enterprise level. |
Information Input Validation | Review / Resolution Of Errors |
SI-10 (2) |
SI-10(2).1 |
Resolution of input validation errors includes, for example, correcting systemic causes of errors and resubmitting transactions with corrected input. |
The organization ensures that input validation errors are reviewed and resolved within [Assignment: organization-defined time period]. |
| CCI-002751 |
The organization defines the time period within which input validation errors are to be resolved. |
The organization conducting the inspection/assessment obtains and examines the documented time period to ensure the organization being inspected/assessed defines the time period within which input validation errors are resolved.
DoD has determined the time period is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the time period within which input validation errors are resolved.
DoD has determined the time period is not appropriate to define at the Enterprise level. |
Information Input Validation | Review / Resolution Of Errors |
SI-10 (2) |
SI-10(2).2 |
Resolution of input validation errors includes, for example, correcting systemic causes of errors and resubmitting transactions with corrected input. |
The organization ensures that input validation errors are reviewed and resolved within [Assignment: organization-defined time period]. |
| CCI-002752 |
The organization ensures that input validation errors are reviewed within an organization-defined time period. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the records of review to ensure the organization being inspected/assessed reviews input validation errors within the time period defined in SI-10 (2), CCI 2750. |
The organization being inspected/assessed documents and implements a process to review input validation errors within the time period defined in SI-10 (2), CCI 2750.
The organization must maintain records of review. |
Information Input Validation | Review / Resolution Of Errors |
SI-10 (2) |
SI-10(2).3 |
Resolution of input validation errors includes, for example, correcting systemic causes of errors and resubmitting transactions with corrected input. |
The organization ensures that input validation errors are reviewed and resolved within [Assignment: organization-defined time period]. |
| CCI-002753 |
The organization ensures that input validation errors are resolved within an organization-defined time period. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the records of resolution to ensure the organization being inspected/assessed resolves input validation errors within the time period defined in SI-10 (2), CCI 2751. |
The organization being inspected/assessed documents and implements a process to resolve input validation errors within the time period defined in SI-10 (2), CCI 2751.
The organization must maintain records of resolution. |
Information Input Validation | Review / Resolution Of Errors |
SI-10 (2) |
SI-10(2).4 |
Resolution of input validation errors includes, for example, correcting systemic causes of errors and resubmitting transactions with corrected input. |
The organization ensures that input validation errors are reviewed and resolved within [Assignment: organization-defined time period]. |
| CCI-002754 |
The information system behaves in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received. |
The organization conducting the inspection/assessment obtains and examines the documented behavior to ensure the organization being inspected/assessed documents proper behavior that reflects organizational and system objectives for when invalid inputs are received.
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to behave in the documented manner when invalid inputs are received.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2754. |
The organization being inspected/assessed documents proper behavior that reflects organizational and system objectives for when invalid inputs are received.
The organization being inspected/assessed configures the information system to behave in the documented manner when invalid inputs are received.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2754. |
Information Input Validation | Predictable Behavior |
SI-10 (3) |
SI-10(3).1 |
A common vulnerability in organizational information systems is unpredictable behavior when invalid inputs are received. This control enhancement ensures that there is predictable behavior in the face of invalid inputs by specifying information system responses that facilitate transitioning the system to known states without adverse, unintended side effects. |
The information system behaves in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received. |
| CCI-002755 |
The organization accounts for timing interactions among information system components in determining appropriate responses for invalid inputs. |
The organization conducting the inspection/assessment obtains and examines system design artifacts to ensure the organization being inspected/assessed accounts for timing interactions among information system components in determining appropriate responses for invalid inputs. |
The organization being inspected/assessed designs the information system to account for timing interactions among information system components in determining appropriate responses for invalid inputs. |
Information Input Validation | Review / Timing Interactions |
SI-10 (4) |
SI-10(4).1 |
In addressing invalid information system inputs received across protocol interfaces, timing interfaces become relevant, where one protocol needs to consider the impact of the error response on other protocols within the protocol stack. For example, 802.11 standard wireless network protocols do not interact well with Transmission Control Protocols (TCP) when packets are dropped (which could be due to invalid packet input). TCP assumes packet losses are due to congestion, while packets lost over 802.11 links are typically dropped due to collisions or noise on the link. If TCP makes a congestion response, it takes precisely the wrong action in response to a collision event. Adversaries may be able to use apparently acceptable individual behaviors of the protocols in concert to achieve adverse effects through suitable construction of invalid input. |
The organization accounts for timing interactions among information system components in determining appropriate responses for invalid inputs. |
| CCI-002756 |
The organization defines the trusted sources to which the usage of information inputs will be restricted (e.g., whitelisting). |
The organization conducting the inspection/assessment obtains and examines the documented trusted sources to ensure the organization being inspected/assessed defines the trusted sources to which the usage of information inputs will be restricted (e.g., whitelisting).
DoD has determined the trusted sources are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the trusted sources to which the usage of information inputs will be restricted (e.g., whitelisting).
DoD has determined the trusted sources are not appropriate to define at the Enterprise level. |
Information Input Validation | Restrict Inputs To Trusted Sources And Approved Formats |
SI-10 (5) |
SI-10(5).1 |
This control enhancement applies the concept of whitelisting to information inputs. Specifying known trusted sources for information inputs and acceptable formats for such inputs can reduce the probability of malicious activity. |
The organization restricts the use of information inputs to [Assignment: organization-defined trusted sources] and/or [Assignment: organization-defined formats]. |
| CCI-002757 |
The organization defines the acceptable formats to which information inputs are restricted. |
The organization conducting the inspection/assessment obtains and examines the documented acceptable formats to ensure the organization being inspected/assessed defines the acceptable formats to which information inputs are restricted.
DoD has determined the acceptable formats are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the acceptable formats to which information inputs are restricted.
DoD has determined the acceptable formats are not appropriate to define at the Enterprise level. |
Information Input Validation | Restrict Inputs To Trusted Sources And Approved Formats |
SI-10 (5) |
SI-10(5).2 |
This control enhancement applies the concept of whitelisting to information inputs. Specifying known trusted sources for information inputs and acceptable formats for such inputs can reduce the probability of malicious activity. |
The organization restricts the use of information inputs to [Assignment: organization-defined trusted sources] and/or [Assignment: organization-defined formats]. |
| CCI-002758 |
The organization restricts the use of information inputs to organization-defined trusted sources and/or organization-defined formats. |
The organization conducting the inspection/assessment obtains and examines system design artifacts to ensure the organization being inspected/assessed restricts the use of information inputs to trusted sources defined in SI-10 (5), CCI 2756 and/or formats defined in SI-10 (5), CCI 2757. |
The organization being inspected/assessed designs the information system to restrict the use of information inputs to trusted sources defined in SI-10 (5), CCI 2756 and/or formats defined in SI-10 (5), CCI 2757. |
Information Input Validation | Restrict Inputs To Trusted Sources And Approved Formats |
SI-10 (5) |
SI-10(5).3 |
This control enhancement applies the concept of whitelisting to information inputs. Specifying known trusted sources for information inputs and acceptable formats for such inputs can reduce the probability of malicious activity. |
The organization restricts the use of information inputs to [Assignment: organization-defined trusted sources] and/or [Assignment: organization-defined formats]. |
| CCI-002759 |
The organization defines the personnel or roles to whom error messages are to be revealed. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the personnel or roles as the ISSO, ISSM, and SCA. |
DoD has defined the personnel or roles as the ISSO, ISSM, and SCA. |
Error Handling |
SI-11 |
SI-11.3 |
Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information such as account numbers, social security numbers, and credit card numbers. In addition, error messages may provide a covert channel for transmitting information. Related controls: AU-2, AU-3, SC-31. |
The information system:
a. Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and
b. Reveals error messages only to [Assignment: organization-defined personnel or roles]. |
| CCI-002760 |
The organization determines mean time to failure (MTTF) for organization-defined information system components in specific environments of operation. |
The organization conducting the inspection/assessment obtains and examines documented mean time to failure (MTTF) to ensure the organization being inspected/assessed has determined the mean time to failure (MTTF) for any component within a system requiring high availability in specific environments of operation.
DoD has defined the system components as any component within a system requiring high availability. |
The organization being inspected/assessed determines through testing or research and documents the mean time to failure (MTTF) for any component within a system requiring high availability in specific environments of operation.
DoD has defined the system components as any component within a system requiring high availability. |
Predictable Failure Prevention |
SI-13 |
SI-13.1 |
While MTTF is primarily a reliability issue, this control addresses potential failures of specific information system components that provide security capability. Failure rates reflect installation-specific consideration, not industry-average. Organizations define criteria for substitution of information system components based on MTTF value with consideration for resulting potential harm from component failures. Transfer of responsibilities between active and standby components does not compromise safety, operational readiness, or security capability (e.g., preservation of state variables). Standby components remain available at all times except for maintenance issues or recovery failures in progress. Related controls: CP-2, CP-10, MA-6. |
The organization:
a. Determines mean time to failure (MTTF) for [Assignment: organization-defined information system components] in specific environments of operation; and
b. Provides substitute information system components and a means to exchange active and standby components at [Assignment: organization-defined MTTF substitution criteria]. |
| CCI-002761 |
The organization defines the system components in specific environments of operation for which the mean time to failure (MTTF) is to be determined. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the system components as any component within a system requiring high availability. |
DoD has defined the system components as any component within a system requiring high availability. |
Predictable Failure Prevention |
SI-13 |
SI-13.2 |
While MTTF is primarily a reliability issue, this control addresses potential failures of specific information system components that provide security capability. Failure rates reflect installation-specific consideration, not industry-average. Organizations define criteria for substitution of information system components based on MTTF value with consideration for resulting potential harm from component failures. Transfer of responsibilities between active and standby components does not compromise safety, operational readiness, or security capability (e.g., preservation of state variables). Standby components remain available at all times except for maintenance issues or recovery failures in progress. Related controls: CP-2, CP-10, MA-6. |
The organization:
a. Determines mean time to failure (MTTF) for [Assignment: organization-defined information system components] in specific environments of operation; and
b. Provides substitute information system components and a means to exchange active and standby components at [Assignment: organization-defined MTTF substitution criteria]. |
| CCI-002762 |
The organization defines the mean time to failure (MTTF) substitution criteria to be employed as a means to determine the need to exchange active and standby components. |
The organization conducting the inspection/assessment obtains and examines the documented mean time to failure to ensure the organization being inspected/assessed defines the mean time to failure substitution criteria to be employed as a means to determine the need to exchange active and standby components.
DoD has determined the mean time to failure is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the mean time to failure substitution criteria to be employed as a means to determine the need to exchange active and standby components.
DoD has determined the mean time to failure is not appropriate to define at the Enterprise level. |
Predictable Failure Prevention |
SI-13 |
SI-13.4 |
While MTTF is primarily a reliability issue, this control addresses potential failures of specific information system components that provide security capability. Failure rates reflect installation-specific consideration, not industry-average. Organizations define criteria for substitution of information system components based on MTTF value with consideration for resulting potential harm from component failures. Transfer of responsibilities between active and standby components does not compromise safety, operational readiness, or security capability (e.g., preservation of state variables). Standby components remain available at all times except for maintenance issues or recovery failures in progress. Related controls: CP-2, CP-10, MA-6. |
The organization:
a. Determines mean time to failure (MTTF) for [Assignment: organization-defined information system components] in specific environments of operation; and
b. Provides substitute information system components and a means to exchange active and standby components at [Assignment: organization-defined MTTF substitution criteria]. |
| CCI-002763 |
The organization provides a means to exchange active and standby components in accordance with the organization-defined mean time to failure (MTTF) substitution criteria. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed provides a means to exchange active and standby components in accordance with the mean time to failure substitution criteria defined in SI-13, CCI 2762. |
The organization being inspected/assessed documents and implements a process to exchange active and standby components in accordance with the mean time to failure substitution criteria defined in SI-13, CCI 2762. |
Predictable Failure Prevention |
SI-13 |
SI-13.5 |
While MTTF is primarily a reliability issue, this control addresses potential failures of specific information system components that provide security capability. Failure rates reflect installation-specific consideration, not industry-average. Organizations define criteria for substitution of information system components based on MTTF value with consideration for resulting potential harm from component failures. Transfer of responsibilities between active and standby components does not compromise safety, operational readiness, or security capability (e.g., preservation of state variables). Standby components remain available at all times except for maintenance issues or recovery failures in progress. Related controls: CP-2, CP-10, MA-6. |
The organization:
a. Determines mean time to failure (MTTF) for [Assignment: organization-defined information system components] in specific environments of operation; and
b. Provides substitute information system components and a means to exchange active and standby components at [Assignment: organization-defined MTTF substitution criteria]. |
| CCI-002764 |
The organization defines non-persistent information system components and services to be implemented. |
The organization conducting the inspection/assessment obtains and examines the documented information system components and services to ensure the organization being inspected/assessed defines non-persistent information system components and services to be implemented.
DoD has determined the information system components and services are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents non-persistent information system components and services to be implemented.
DoD has determined the information system components and services are not appropriate to define at the Enterprise level. |
Non-Persistence |
SI-14 |
SI-14.1 |
This control mitigates risk from advanced persistent threats (APTs) by significantly reducing the targeting capability of adversaries (i.e., window of opportunity and available attack surface) to initiate and complete cyber attacks. By implementing the concept of non-persistence for selected information system components, organizations can provide a known state computing resource for a specific period of time that does not give adversaries sufficient time on target to exploit vulnerabilities in organizational information systems and the environments in which those systems operate. Since the advanced persistent threat is a high-end threat with regard to capability, intent, and targeting, organizations assume that over an extended period of time, a percentage of cyber attacks will be successful. Non-persistent information system components and services are activated as required using protected information and terminated periodically or upon the end of sessions. Non-persistence increases the work factor of adversaries in attempting to compromise or breach organizational information systems.
Non-persistent system components can be implemented, for example, by periodically re-imaging components or by using a variety of common virtualization techniques. Non-persistent services can be implemented using virtualization techniques as part of virtual machines or as new instances of processes on physical machines (either persistent or non-persistent).The benefit of periodic refreshes of information system components/services is that it does not require organizations to first determine whether compromises of components or services have occurred (something that may often be difficult for organizations to determine). The refresh of selected information system components and services occurs with sufficient frequency to prevent the spread or intended impact of attacks, but not with such frequency that it makes the information system unstable. In some instances, refreshes of critical components and services may be done periodically in order to hinder the ability of adversaries to exploit optimum windows of vulnerabilities. Related controls: SC-30, SC-34. |
The organization implements non-persistent [Assignment: organization-defined information system components and services] that are initiated in a known state and terminated [Selection (one or more): upon end of session of use; periodically at [Assignment: organization defined frequency]]. |
| CCI-002765 |
The organization defines the frequency at which it will terminate organization-defined non-persistent information system components and services. |
The organization conducting the inspection/assessment obtains and examines the documented frequency to ensure the organization being inspected/assessed defines the frequency at which it will terminate organization-defined non-persistent information system components and services.
DoD has determined the frequency is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the frequency at which it will terminate organization-defined non-persistent information system components and services.
DoD has determined the frequency is not appropriate to define at the Enterprise level. |
Non-Persistence |
SI-14 |
SI-14.2 |
This control mitigates risk from advanced persistent threats (APTs) by significantly reducing the targeting capability of adversaries (i.e., window of opportunity and available attack surface) to initiate and complete cyber attacks. By implementing the concept of non-persistence for selected information system components, organizations can provide a known state computing resource for a specific period of time that does not give adversaries sufficient time on target to exploit vulnerabilities in organizational information systems and the environments in which those systems operate. Since the advanced persistent threat is a high-end threat with regard to capability, intent, and targeting, organizations assume that over an extended period of time, a percentage of cyber attacks will be successful. Non-persistent information system components and services are activated as required using protected information and terminated periodically or upon the end of sessions. Non-persistence increases the work factor of adversaries in attempting to compromise or breach organizational information systems.
Non-persistent system components can be implemented, for example, by periodically re-imaging components or by using a variety of common virtualization techniques. Non-persistent services can be implemented using virtualization techniques as part of virtual machines or as new instances of processes on physical machines (either persistent or non-persistent).The benefit of periodic refreshes of information system components/services is that it does not require organizations to first determine whether compromises of components or services have occurred (something that may often be difficult for organizations to determine). The refresh of selected information system components and services occurs with sufficient frequency to prevent the spread or intended impact of attacks, but not with such frequency that it makes the information system unstable. In some instances, refreshes of critical components and services may be done periodically in order to hinder the ability of adversaries to exploit optimum windows of vulnerabilities. Related controls: SC-30, SC-34. |
The organization implements non-persistent [Assignment: organization-defined information system components and services] that are initiated in a known state and terminated [Selection (one or more): upon end of session of use; periodically at [Assignment: organization defined frequency]]. |
| CCI-002766 |
The organization implements organization-defined non-persistence information system components and services that are initiated in a known state. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed implements non-persistence information system components and services defined in SI-14, CCI 2764 that are initiated in a known state. |
The organization being inspected/assessed designs the information system to implement non-persistence information system components and services defined in SI-14, CCI 2764 that are initiated in a known state. |
Non-Persistence |
SI-14 |
SI-14.3 |
This control mitigates risk from advanced persistent threats (APTs) by significantly reducing the targeting capability of adversaries (i.e., window of opportunity and available attack surface) to initiate and complete cyber attacks. By implementing the concept of non-persistence for selected information system components, organizations can provide a known state computing resource for a specific period of time that does not give adversaries sufficient time on target to exploit vulnerabilities in organizational information systems and the environments in which those systems operate. Since the advanced persistent threat is a high-end threat with regard to capability, intent, and targeting, organizations assume that over an extended period of time, a percentage of cyber attacks will be successful. Non-persistent information system components and services are activated as required using protected information and terminated periodically or upon the end of sessions. Non-persistence increases the work factor of adversaries in attempting to compromise or breach organizational information systems.
Non-persistent system components can be implemented, for example, by periodically re-imaging components or by using a variety of common virtualization techniques. Non-persistent services can be implemented using virtualization techniques as part of virtual machines or as new instances of processes on physical machines (either persistent or non-persistent).The benefit of periodic refreshes of information system components/services is that it does not require organizations to first determine whether compromises of components or services have occurred (something that may often be difficult for organizations to determine). The refresh of selected information system components and services occurs with sufficient frequency to prevent the spread or intended impact of attacks, but not with such frequency that it makes the information system unstable. In some instances, refreshes of critical components and services may be done periodically in order to hinder the ability of adversaries to exploit optimum windows of vulnerabilities. Related controls: SC-30, SC-34. |
The organization implements non-persistent [Assignment: organization-defined information system components and services] that are initiated in a known state and terminated [Selection (one or more): upon end of session of use; periodically at [Assignment: organization defined frequency]]. |
| CCI-002767 |
The organization implements organization-defined non-persistence information system components and services that are terminated upon end of session of use and/or periodically at an organization-defined frequency. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed implements non-persistence information system components and services defined in SI-14, CCI 2764 that are terminated upon end of session of use and/or periodically at the frequency defined in SI-14, CCI 2765. |
The organization being inspected/assessed designs the information system to implement non-persistence information system components and services defined in SI-14, CCI 2764 that are terminated upon end of session of use and/or periodically at the frequency defined in SI-14, CCI 2765. |
Non-Persistence |
SI-14 |
SI-14.4 |
This control mitigates risk from advanced persistent threats (APTs) by significantly reducing the targeting capability of adversaries (i.e., window of opportunity and available attack surface) to initiate and complete cyber attacks. By implementing the concept of non-persistence for selected information system components, organizations can provide a known state computing resource for a specific period of time that does not give adversaries sufficient time on target to exploit vulnerabilities in organizational information systems and the environments in which those systems operate. Since the advanced persistent threat is a high-end threat with regard to capability, intent, and targeting, organizations assume that over an extended period of time, a percentage of cyber attacks will be successful. Non-persistent information system components and services are activated as required using protected information and terminated periodically or upon the end of sessions. Non-persistence increases the work factor of adversaries in attempting to compromise or breach organizational information systems.
Non-persistent system components can be implemented, for example, by periodically re-imaging components or by using a variety of common virtualization techniques. Non-persistent services can be implemented using virtualization techniques as part of virtual machines or as new instances of processes on physical machines (either persistent or non-persistent).The benefit of periodic refreshes of information system components/services is that it does not require organizations to first determine whether compromises of components or services have occurred (something that may often be difficult for organizations to determine). The refresh of selected information system components and services occurs with sufficient frequency to prevent the spread or intended impact of attacks, but not with such frequency that it makes the information system unstable. In some instances, refreshes of critical components and services may be done periodically in order to hinder the ability of adversaries to exploit optimum windows of vulnerabilities. Related controls: SC-30, SC-34. |
The organization implements non-persistent [Assignment: organization-defined information system components and services] that are initiated in a known state and terminated [Selection (one or more): upon end of session of use; periodically at [Assignment: organization defined frequency]]. |
| CCI-002768 |
The organization defines the trusted sources from which it obtains software and data employed during the refreshing of non-persistent information system components and services. |
The organization conducting the inspection/assessment obtains and examines the documented trusted sources to ensure the organization being inspected/assessed defines the trusted sources from which it obtains software and data employed during the refreshing of non-persistent information system component and service.
DoD has determined the trusted sources are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the trusted sources from which it obtains software and data employed during the refreshing of non-persistent information system component and service.
DoD has determined the trusted sources are not appropriate to define at the Enterprise level. |
Non-Persistence | Refresh From Trusted Sources |
SI-14 (1) |
SI-14(1).1 |
Trusted sources include, for example, software/data from write-once, read-only media or from selected off-line secure storage facilities. |
The organization ensures that software and data employed during information system component and service refreshes are obtained from [Assignment: organization-defined trusted sources]. |
| CCI-002769 |
The organization ensures that software and data employed during non-persistent information system component and service refreshes are obtained from organization-defined trusted sources. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed ensures that software and data used during non-persistent information system component and service refreshes from trusted sources defined in SI-14 (1), CCI 2768. |
The organization being inspected/assessed documents and implements a process to obtain software and data used during non-persistent information system component and service refreshes from trusted sources defined in SI-14 (1), CCI 2768. |
Non-Persistence | Refresh From Trusted Sources |
SI-14 (1) |
SI-14(1).2 |
Trusted sources include, for example, software/data from write-once, read-only media or from selected off-line secure storage facilities. |
The organization ensures that software and data employed during information system component and service refreshes are obtained from [Assignment: organization-defined trusted sources]. |
| CCI-002770 |
The organization defines the software programs and/or applications from which the information system is to validate the information output to ensure the information is consistent with expected content. |
The organization conducting the inspection/assessment obtains and examines the documented software programs and/or applications to ensure the organization being inspected/assessed defines the software programs and/or applications from which the information system is to validate the information output to ensure the information is consistent with expected content.
DoD has determined the software programs and/or applications are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the software programs and/or applications from which the information system is to validate the information output to ensure the information is consistent with expected content.
DoD has determined the software programs and/or applications are not appropriate to define at the Enterprise level. |
Information Output Filtering |
SI-15 |
SI-15.1 |
Certain types of cyber attacks (e.g., SQL injections) produce output results that are unexpected or inconsistent with the output results that would normally be expected from software programs or applications. This control enhancement focuses on detecting extraneous content, preventing such extraneous content from being displayed, and alerting monitoring tools that anomalous behavior has been discovered. Related controls: SI-3, SI-4. |
The information system validates information output from [Assignment: organization-defined software programs and/or applications] to ensure that the information is consistent with the expected content. |
| CCI-002771 |
The information system validates information output from organization-defined software programs and/or applications to ensure that the information is consistent with the expected content. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to validate information output from software programs and/or applications defined in SI-15, CCI 2770 to ensure that the information is consistent with the expected content.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2771. |
The organization being inspected/assessed configures the information system to validate information output from software programs and/or applications defined in SI-15, CCI 2770 to ensure that the information is consistent with the expected content.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2771. |
Information Output Filtering |
SI-15 |
SI-15.2 |
Certain types of cyber attacks (e.g., SQL injections) produce output results that are unexpected or inconsistent with the output results that would normally be expected from software programs or applications. This control enhancement focuses on detecting extraneous content, preventing such extraneous content from being displayed, and alerting monitoring tools that anomalous behavior has been discovered. Related controls: SI-3, SI-4. |
The information system validates information output from [Assignment: organization-defined software programs and/or applications] to ensure that the information is consistent with the expected content. |
| CCI-002772 |
The organization defines the security safeguards to be implemented to protect the information system^s memory from unauthorized code execution. |
|
|
|
|
|
|
|
| CCI-002984 |
The organization develops an organization-wide information security program plan that reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical). |
DoD components are automatically compliant with this CCI as they are covered at the DoD level by DoDI 8500.01 and the Knowledge Service. If the organization or system owner is utilizing common controls they must be documented in their Security Plan. |
DoDI 8500.01 and the Knowledge Service meet the requirement for this CCI; individual organizations and system owners must provide documentation of common control implementation in their Security Plan. |
Information Security Program Plan |
PM-1 |
PM-1.5 |
Information security program plans can be represented in single documents or compilations of documents at the discretion of organizations. The plans document the program management controls and organization-defined common controls. Information security program plans provide sufficient information about the program management controls/common controls (including specification of parameters for any assignment and selection statements either explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plans and a determination of the risk to be incurred if the plans are implemented as intended.
The security plans for individual information systems and the organization-wide information security program plan together, provide complete coverage for all security controls employed within the organization. Common controls are documented in an appendix to the organization's information security program plan unless the controls are included in a separate security plan for an information system (e.g., security controls employed as part of an intrusion detection system providing organization-wide boundary protection inherited by one or more organizational information systems). The organization-wide information security program plan will indicate which separate security plans contain descriptions of common controls.
Organizations have the flexibility to describe common controls in a single document or in multiple documents. In the case of multiple documents, the documents describing common controls are included as attachments to the information security program plan. If the information security program plan contains multiple documents, the organization specifies in each document the organizational official or officials responsible for the development, implementation, assessment, authorization, and monitoring of the respective common controls. For example, the organization may require that the Facilities Management Office develop, implement, assess, authorize, and continuously monitor common physical and environmental protection controls from the PE family when such controls are not associated with a particular information system but instead, support multiple information systems. Related control: PM-8. |
The organization:
a. Develops and disseminates an organization-wide information security program plan that:
1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
3. Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and
4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
b. Reviews the organization-wide information security program plan [Assignment: organization-defined frequency];
c. Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and
d. Protects the information security program plan from unauthorized disclosure and modification. |
| CCI-002985 |
The organization disseminates an organization-wide information security program plan that provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements. |
DoD components are automatically compliant with this CCI as they are covered at the DoD level by DoDI 8500.01 and the Knowledge Service. If the organization or system owner is utilizing common controls they must be documented in their Security Plan. |
DoD disseminates DoDI 8500.01 organization-wide via the DoD Issuances website (http://www.dtic.mil/whs/directives/corres/dir.html) and the Knowledge Service is available via: https://rmfks.osd.mil.
DoD components are automatically compliant with this CCI as they are covered at the DoD level by DoDI 8500.01 and the Knowledge Service. If the organization or system owner is utilizing common controls they must be documented in their Security Plan. |
Information Security Program Plan |
PM-1 |
PM-1.2 |
Information security program plans can be represented in single documents or compilations of documents at the discretion of organizations. The plans document the program management controls and organization-defined common controls. Information security program plans provide sufficient information about the program management controls/common controls (including specification of parameters for any assignment and selection statements either explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plans and a determination of the risk to be incurred if the plans are implemented as intended.
The security plans for individual information systems and the organization-wide information security program plan together, provide complete coverage for all security controls employed within the organization. Common controls are documented in an appendix to the organization's information security program plan unless the controls are included in a separate security plan for an information system (e.g., security controls employed as part of an intrusion detection system providing organization-wide boundary protection inherited by one or more organizational information systems). The organization-wide information security program plan will indicate which separate security plans contain descriptions of common controls.
Organizations have the flexibility to describe common controls in a single document or in multiple documents. In the case of multiple documents, the documents describing common controls are included as attachments to the information security program plan. If the information security program plan contains multiple documents, the organization specifies in each document the organizational official or officials responsible for the development, implementation, assessment, authorization, and monitoring of the respective common controls. For example, the organization may require that the Facilities Management Office develop, implement, assess, authorize, and continuously monitor common physical and environmental protection controls from the PE family when such controls are not associated with a particular information system but instead, support multiple information systems. Related control: PM-8. |
The organization:
a. Develops and disseminates an organization-wide information security program plan that:
1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
3. Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and
4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
b. Reviews the organization-wide information security program plan [Assignment: organization-defined frequency];
c. Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and
d. Protects the information security program plan from unauthorized disclosure and modification. |
| CCI-002986 |
The organization disseminates an organization-wide information security program plan that includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
DoD components are automatically compliant with this CCI as they are covered at the DoD level by DoDI 8500.01 and the Knowledge Service. If the organization or system owner is utilizing common controls they must be documented in their Security Plan. |
DoD disseminates DoDI 8500.01 organization-wide via the DoD Issuances website (http://www.dtic.mil/whs/directives/corres/dir.html) and the Knowledge Service is available via: https://rmfks.osd.mil.
DoD components are automatically compliant with this CCI as they are covered at the DoD level by DoDI 8500.01 and the Knowledge Service. If the organization or system owner is utilizing common controls they must be documented in their Security Plan. |
Information Security Program Plan |
PM-1 |
PM-1.3 |
Information security program plans can be represented in single documents or compilations of documents at the discretion of organizations. The plans document the program management controls and organization-defined common controls. Information security program plans provide sufficient information about the program management controls/common controls (including specification of parameters for any assignment and selection statements either explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plans and a determination of the risk to be incurred if the plans are implemented as intended.
The security plans for individual information systems and the organization-wide information security program plan together, provide complete coverage for all security controls employed within the organization. Common controls are documented in an appendix to the organization's information security program plan unless the controls are included in a separate security plan for an information system (e.g., security controls employed as part of an intrusion detection system providing organization-wide boundary protection inherited by one or more organizational information systems). The organization-wide information security program plan will indicate which separate security plans contain descriptions of common controls.
Organizations have the flexibility to describe common controls in a single document or in multiple documents. In the case of multiple documents, the documents describing common controls are included as attachments to the information security program plan. If the information security program plan contains multiple documents, the organization specifies in each document the organizational official or officials responsible for the development, implementation, assessment, authorization, and monitoring of the respective common controls. For example, the organization may require that the Facilities Management Office develop, implement, assess, authorize, and continuously monitor common physical and environmental protection controls from the PE family when such controls are not associated with a particular information system but instead, support multiple information systems. Related control: PM-8. |
The organization:
a. Develops and disseminates an organization-wide information security program plan that:
1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
3. Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and
4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
b. Reviews the organization-wide information security program plan [Assignment: organization-defined frequency];
c. Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and
d. Protects the information security program plan from unauthorized disclosure and modification. |
| CCI-002987 |
The organization disseminates an organization-wide information security program plan that reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical). |
DoD components are automatically compliant with this CCI as they are covered at the DoD level by DoDI 8500.01 and the Knowledge Service. If the organization or system owner is utilizing common controls they must be documented in their Security Plan. |
DoD disseminates DoDI 8500.01 organization-wide via the DoD Issuances website (http://www.dtic.mil/whs/directives/corres/dir.html) and the Knowledge Service is available via: https://rmfks.osd.mil.
DoD components are automatically compliant with this CCI as they are covered at the DoD level by DoDI 8500.01 and the Knowledge Service. If the organization or system owner is utilizing common controls they must be documented in their Security Plan. |
Information Security Program Plan |
PM-1 |
PM-1.6 |
Information security program plans can be represented in single documents or compilations of documents at the discretion of organizations. The plans document the program management controls and organization-defined common controls. Information security program plans provide sufficient information about the program management controls/common controls (including specification of parameters for any assignment and selection statements either explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plans and a determination of the risk to be incurred if the plans are implemented as intended.
The security plans for individual information systems and the organization-wide information security program plan together, provide complete coverage for all security controls employed within the organization. Common controls are documented in an appendix to the organization's information security program plan unless the controls are included in a separate security plan for an information system (e.g., security controls employed as part of an intrusion detection system providing organization-wide boundary protection inherited by one or more organizational information systems). The organization-wide information security program plan will indicate which separate security plans contain descriptions of common controls.
Organizations have the flexibility to describe common controls in a single document or in multiple documents. In the case of multiple documents, the documents describing common controls are included as attachments to the information security program plan. If the information security program plan contains multiple documents, the organization specifies in each document the organizational official or officials responsible for the development, implementation, assessment, authorization, and monitoring of the respective common controls. For example, the organization may require that the Facilities Management Office develop, implement, assess, authorize, and continuously monitor common physical and environmental protection controls from the PE family when such controls are not associated with a particular information system but instead, support multiple information systems. Related control: PM-8. |
The organization:
a. Develops and disseminates an organization-wide information security program plan that:
1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
3. Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and
4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
b. Reviews the organization-wide information security program plan [Assignment: organization-defined frequency];
c. Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and
d. Protects the information security program plan from unauthorized disclosure and modification. |
| CCI-002988 |
The organization disseminates an organization-wide information security program plan that is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation. |
DoD components are automatically compliant with this CCI as they are covered at the DoD level by DoDI 8500.01 and the Knowledge Service. If the organization or system owner is utilizing common controls they must be documented in their Security Plan. |
DoD disseminates DoDI 8500.01 organization-wide via the DoD Issuances website (http://www.dtic.mil/whs/directives/corres/dir.html) and the Knowledge Service is available via: https://rmfks.osd.mil.
DoD components are automatically compliant with this CCI as they are covered at the DoD level by DoDI 8500.01 and the Knowledge Service. If the organization or system owner is utilizing common controls they must be documented in their Security Plan. |
Information Security Program Plan |
PM-1 |
PM-1.7 |
Information security program plans can be represented in single documents or compilations of documents at the discretion of organizations. The plans document the program management controls and organization-defined common controls. Information security program plans provide sufficient information about the program management controls/common controls (including specification of parameters for any assignment and selection statements either explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plans and a determination of the risk to be incurred if the plans are implemented as intended.
The security plans for individual information systems and the organization-wide information security program plan together, provide complete coverage for all security controls employed within the organization. Common controls are documented in an appendix to the organization's information security program plan unless the controls are included in a separate security plan for an information system (e.g., security controls employed as part of an intrusion detection system providing organization-wide boundary protection inherited by one or more organizational information systems). The organization-wide information security program plan will indicate which separate security plans contain descriptions of common controls.
Organizations have the flexibility to describe common controls in a single document or in multiple documents. In the case of multiple documents, the documents describing common controls are included as attachments to the information security program plan. If the information security program plan contains multiple documents, the organization specifies in each document the organizational official or officials responsible for the development, implementation, assessment, authorization, and monitoring of the respective common controls. For example, the organization may require that the Facilities Management Office develop, implement, assess, authorize, and continuously monitor common physical and environmental protection controls from the PE family when such controls are not associated with a particular information system but instead, support multiple information systems. Related control: PM-8. |
The organization:
a. Develops and disseminates an organization-wide information security program plan that:
1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
3. Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and
4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
b. Reviews the organization-wide information security program plan [Assignment: organization-defined frequency];
c. Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and
d. Protects the information security program plan from unauthorized disclosure and modification. |
| CCI-002989 |
The organization protects the information security program plan from unauthorized disclosure. |
DoD components are automatically compliant with this CCI as they are covered at the DoD level by DoDI 8500.01 and the Knowledge Service. If the organization or system owner is utilizing common controls they must be documented in their Security Plan. |
DoD documents and implements methods to protect the information security program plan from unauthorized disclosure by marking, labeling, and handling to prevent unauthorized disclosure. DoD ensures that all changes to the information security program plan are approved. |
Information Security Program Plan |
PM-1 |
PM-1.12 |
Information security program plans can be represented in single documents or compilations of documents at the discretion of organizations. The plans document the program management controls and organization-defined common controls. Information security program plans provide sufficient information about the program management controls/common controls (including specification of parameters for any assignment and selection statements either explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plans and a determination of the risk to be incurred if the plans are implemented as intended.
The security plans for individual information systems and the organization-wide information security program plan together, provide complete coverage for all security controls employed within the organization. Common controls are documented in an appendix to the organization's information security program plan unless the controls are included in a separate security plan for an information system (e.g., security controls employed as part of an intrusion detection system providing organization-wide boundary protection inherited by one or more organizational information systems). The organization-wide information security program plan will indicate which separate security plans contain descriptions of common controls.
Organizations have the flexibility to describe common controls in a single document or in multiple documents. In the case of multiple documents, the documents describing common controls are included as attachments to the information security program plan. If the information security program plan contains multiple documents, the organization specifies in each document the organizational official or officials responsible for the development, implementation, assessment, authorization, and monitoring of the respective common controls. For example, the organization may require that the Facilities Management Office develop, implement, assess, authorize, and continuously monitor common physical and environmental protection controls from the PE family when such controls are not associated with a particular information system but instead, support multiple information systems. Related control: PM-8. |
The organization:
a. Develops and disseminates an organization-wide information security program plan that:
1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
3. Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and
4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
b. Reviews the organization-wide information security program plan [Assignment: organization-defined frequency];
c. Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and
d. Protects the information security program plan from unauthorized disclosure and modification. |
| CCI-002990 |
The organization protects the information security program plan from unauthorized modification. |
DoD components are automatically compliant with this CCI as they are covered at the DoD level by DoDI 8500.01 and the Knowledge Service. If the organization or system owner is utilizing common controls they must be documented in their Security Plan. |
DoD documents and implements methods to protect the information security program plan from unauthorized disclosure by marking, labeling, and handling to prevent unauthorized modification. DoD ensures that all changes to the information security program plan are approved. |
Information Security Program Plan |
PM-1 |
PM-1.13 |
Information security program plans can be represented in single documents or compilations of documents at the discretion of organizations. The plans document the program management controls and organization-defined common controls. Information security program plans provide sufficient information about the program management controls/common controls (including specification of parameters for any assignment and selection statements either explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plans and a determination of the risk to be incurred if the plans are implemented as intended.
The security plans for individual information systems and the organization-wide information security program plan together, provide complete coverage for all security controls employed within the organization. Common controls are documented in an appendix to the organization's information security program plan unless the controls are included in a separate security plan for an information system (e.g., security controls employed as part of an intrusion detection system providing organization-wide boundary protection inherited by one or more organizational information systems). The organization-wide information security program plan will indicate which separate security plans contain descriptions of common controls.
Organizations have the flexibility to describe common controls in a single document or in multiple documents. In the case of multiple documents, the documents describing common controls are included as attachments to the information security program plan. If the information security program plan contains multiple documents, the organization specifies in each document the organizational official or officials responsible for the development, implementation, assessment, authorization, and monitoring of the respective common controls. For example, the organization may require that the Facilities Management Office develop, implement, assess, authorize, and continuously monitor common physical and environmental protection controls from the PE family when such controls are not associated with a particular information system but instead, support multiple information systems. Related control: PM-8. |
The organization:
a. Develops and disseminates an organization-wide information security program plan that:
1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
3. Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and
4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
b. Reviews the organization-wide information security program plan [Assignment: organization-defined frequency];
c. Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and
d. Protects the information security program plan from unauthorized disclosure and modification. |
| CCI-002991 |
The organization implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems are developed. |
DoDI 8510.01 and the Knowledge Service meet the DoD requirements to develop a process for plans of action and milestones for the security program.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01 and the Knowledge Service. |
DoDI 8510.01 and the Knowledge Service meet the DoD requirements to develop a process for plans of action and milestones for the security program.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01 and the Knowledge Service. |
Plan Of Action And Milestones Process |
PM-4 |
PM-4.2 |
The plan of action and milestones is a key document in the information security program and is subject to federal reporting requirements established by OMB. With the increasing emphasis on organization-wide risk management across all three tiers in the risk management hierarchy (i.e., organization, mission/business process, and information system), organizations view plans of action and milestones from an organizational perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from security control assessments and continuous monitoring activities. OMB FISMA reporting guidance contains instructions regarding organizational plans of action and milestones. Related control: CA-5. |
The organization:
a. Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems:
1. Are developed and maintained;
2. Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and
3. Are reported in accordance with OMB FISMA reporting requirements.
b. Reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. |
| CCI-002992 |
The organization implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems are reported in accordance with OMB FISMA reporting requirements. |
DoDI 8510.01 and the Knowledge Service meet the DoD requirements to implement a process ensuring that the plans of action and milestones for the security program are reported in accordance with OMB FISMA reporting requirements.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01 and the Knowledge Service. |
DoDI 8510.01 and the Knowledge Service meet the DoD requirements to implement a process ensuring that the plans of action and milestones for the security program are reported in accordance with OMB FISMA reporting requirements.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01 and the Knowledge Service. |
Plan Of Action And Milestones Process |
PM-4 |
PM-4.4 |
The plan of action and milestones is a key document in the information security program and is subject to federal reporting requirements established by OMB. With the increasing emphasis on organization-wide risk management across all three tiers in the risk management hierarchy (i.e., organization, mission/business process, and information system), organizations view plans of action and milestones from an organizational perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from security control assessments and continuous monitoring activities. OMB FISMA reporting guidance contains instructions regarding organizational plans of action and milestones. Related control: CA-5. |
The organization:
a. Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems:
1. Are developed and maintained;
2. Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and
3. Are reported in accordance with OMB FISMA reporting requirements.
b. Reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. |
| CCI-002993 |
The organization reviews plans of action and milestones for the security program and associated organization information systems for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of reviews to ensure the organization being inspected/assessed reviews plans of action and milestones for the security program and associated organization information systems for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. |
The organization being inspected/assessed documents and implements a process to review plans of action and milestones for the security program and associated organization information systems for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
The organization must maintain a record of reviews. |
Plan Of Action And Milestones Process |
PM-4 |
PM-4.5 |
The plan of action and milestones is a key document in the information security program and is subject to federal reporting requirements established by OMB. With the increasing emphasis on organization-wide risk management across all three tiers in the risk management hierarchy (i.e., organization, mission/business process, and information system), organizations view plans of action and milestones from an organizational perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from security control assessments and continuous monitoring activities. OMB FISMA reporting guidance contains instructions regarding organizational plans of action and milestones. Related control: CA-5. |
The organization:
a. Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems:
1. Are developed and maintained;
2. Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and
3. Are reported in accordance with OMB FISMA reporting requirements.
b. Reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. |
| CCI-002994 |
The organization reviews and updates the risk management strategy in accordance with organization-defined frequency or as required, to address organizational changes. |
DoD Risk Management Framework meets the requirement for a comprehensive organizational risk strategy.
DoD components are automatically compliant with this CCI because they are covered by DoD Risk Management Framework (DoDI 8510.01). |
DoD Risk Management Framework meets the requirement for a comprehensive organizational risk strategy.
DoD components are automatically compliant with this CCI because they are covered by the DoD Risk Management Framework (DoDI 8510.01). |
Risk Management Strategy |
PM-9 |
PM-9.3 |
An organization-wide risk management strategy includes, for example, an unambiguous expression of the risk tolerance for the organization, acceptable risk assessment methodologies, risk mitigation strategies, a process for consistently evaluating risk across the organization with respect to the organization's risk tolerance, and approaches for monitoring risk over time. The use of a risk executive function can facilitate consistent, organization-wide application of the risk management strategy. The organization-wide risk management strategy can be informed by risk-related inputs from other sources both internal and external to the organization to ensure the strategy is both broad-based and comprehensive. Related control: RA-3. |
The organization:
a. Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems;
b. Implements the risk management strategy consistently across the organization; and
c. Reviews and updates the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes. |
| CCI-002995 |
The organization defines the frequency with which to review and update the risk management strategy to address organizational changes. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. |
DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. |
Risk Management Strategy |
PM-9 |
PM-9.4 |
An organization-wide risk management strategy includes, for example, an unambiguous expression of the risk tolerance for the organization, acceptable risk assessment methodologies, risk mitigation strategies, a process for consistently evaluating risk across the organization with respect to the organization's risk tolerance, and approaches for monitoring risk over time. The use of a risk executive function can facilitate consistent, organization-wide application of the risk management strategy. The organization-wide risk management strategy can be informed by risk-related inputs from other sources both internal and external to the organization to ensure the strategy is both broad-based and comprehensive. Related control: RA-3. |
The organization:
a. Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems;
b. Implements the risk management strategy consistently across the organization; and
c. Reviews and updates the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes. |
| CCI-002996 |
The organization implements an insider threat program that includes a cross-discipline insider threat incident handling team. |
The organization conducting the inspection/assessment obtains and examines the documented insider threat program to ensure the organization being inspected/assessed implements an insider threat program that includes a cross-discipline insider threat incident handling team. |
The organization being inspected/assessed documents and implements an insider threat program that includes a cross-discipline insider threat incident handling team. |
Insider Threat Program |
PM-12 |
PM-12.1 |
Organizations handling classified information are required, under Executive Order 13587 and the National Policy on Insider Threat, to establish insider threat programs. The standards and guidelines that apply to insider threat programs in classified environments can also be employed effectively to improve the security of Controlled Unclassified Information in non-national security systems. Insider threat programs include security controls to detect and prevent malicious insider activity through the centralized integration and analysis of both technical and non-technical information to identify potential insider threat concerns. A senior organizational official is designated by the department/agency head as the responsible individual to implement and provide oversight for the program. In addition to the centralized integration and analysis capability, insider threat programs as a minimum, prepare department/agency insider threat policies and implementation plans, conduct host-based user monitoring of individual employee activities on government-owned classified computers, provide insider threat awareness training to employees, receive access to information from all offices within the department/agency (e.g., human resources, legal, physical security, personnel security, information technology, information system security, and law enforcement) for insider threat analysis, and conduct self-assessments of department/agency insider threat posture.
Insider threat programs can leverage the existence of incident handling teams organizations may already have in place, such as computer security incident response teams. Human resources records are especially important in this effort, as there is compelling evidence to show that some types of insider crimes are often preceded by nontechnical behaviors in the workplace (e.g., ongoing patterns of disgruntled behavior and conflicts with coworkers and other colleagues). These precursors can better inform and guide organizational officials in more focused, targeted monitoring efforts. The participation of a legal team is important to ensure that all monitoring activities are performed in accordance with appropriate legislation, directives, regulations, policies, standards, and guidelines. Related controls: AC-6, AT-2, AU-6, AU-7- AU-10, AU-12, AU-13, CA-7, IA-4, IR-4, MP-7, PE-2, PS-3, PS-4, PS-5, PS-8, SC-7, SC-38, SI-4, PM-1, PM-14. |
The organization implements an insider threat program that includes a cross-discipline insider threat incident handling team. |
| CCI-002997 |
The organization establishes an information security workforce development and improvement program. |
DoD 8570.01-M meets the DoD requirement to establish an information security workforce development and improvement program.
DoD components are automatically complaint with this CCI as they are covered at the DoD level, DoDI 8570.01-M. |
DoD 8570.01-M, "Information Assurance Workforce Improvement Program" meets the DoD requirement to establish an information security workforce development and improvement program.
DoD components are automatically complaint with this CCI as they are covered at the DoD level, DoDI 8570.01-M. |
Information Security Workforce |
PM-13 |
PM-13.1 |
Information security workforce development and improvement programs include, for example: (i) defining the knowledge and skill levels needed to perform information security duties and tasks; (ii) developing role-based training programs for individuals assigned information security roles and responsibilities; and (iii) providing standards for measuring and building individual qualifications for incumbents and applicants for information security-related positions. Such workforce programs can also include associated information security career paths to encourage: (i) information security professionals to advance in the field and fill positions with greater responsibility; and (ii) organizations to fill information security-related positions with qualified personnel. Information security workforce development and improvement programs are complementary to organizational security awareness and training programs. Information security workforce development and improvement programs focus on developing and institutionalizing core information security capabilities of selected personnel needed to protect organizational operations, assets, and individuals. Related controls: AT-2, AT-3. |
The organization establishes an information security workforce development and improvement program. |
| CCI-002998 |
The organization implements a process for ensuring that organizational plans for conducting security testing activities associated with organizational information systems are developed. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed implements a process for ensuring that organizational plans for conducting security testing activities associated with organizational information systems are developed. |
The organization being inspected/assessed documents and implements a process for ensuring that organizational plans for conducting security testing activities associated with organizational information systems are developed. |
Testing, Training, And Monitoring |
PM-14 |
PM-14.1 |
This control ensures that organizations provide oversight for the security testing, training, and monitoring activities conducted organization-wide and that those activities are coordinated. With the importance of continuous monitoring programs, the implementation of information security across the three tiers of the risk management hierarchy, and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing organizational assessments supporting a variety of security controls. Security training activities, while typically focused on individual information systems and specific roles, also necessitate coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments. Related controls: AT-3, CA-7, CP-4, IR-3, SI-4. |
The organization:
a. Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems:
1. Are developed and maintained; and
2. Continue to be executed in a timely manner;
b. Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. |
| CCI-002999 |
The organization implements a process for ensuring that organizational plans for conducting security testing activities associated with organizational information systems are maintained. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed implements a process for ensuring that organizational plans for conducting security testing activities associated with organizational information systems are maintained. |
The organization being inspected/assessed documents and implements a process for ensuring that organizational plans for conducting security testing activities associated with organizational information systems are maintained. |
Testing, Training, And Monitoring |
PM-14 |
PM-14.2 |
This control ensures that organizations provide oversight for the security testing, training, and monitoring activities conducted organization-wide and that those activities are coordinated. With the importance of continuous monitoring programs, the implementation of information security across the three tiers of the risk management hierarchy, and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing organizational assessments supporting a variety of security controls. Security training activities, while typically focused on individual information systems and specific roles, also necessitate coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments. Related controls: AT-3, CA-7, CP-4, IR-3, SI-4. |
The organization:
a. Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems:
1. Are developed and maintained; and
2. Continue to be executed in a timely manner;
b. Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. |
| CCI-003000 |
The organization implements a process for ensuring that organizational plans for conducting security training activities associated with organizational information systems are developed. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed implements a process for ensuring that organizational plans for conducting security training activities associated with organizational information systems are developed. |
The organization being inspected/assessed documents and implements a process for ensuring that organizational plans for conducting security training activities associated with organizational information systems are developed. |
Testing, Training, And Monitoring |
PM-14 |
PM-14.3 |
This control ensures that organizations provide oversight for the security testing, training, and monitoring activities conducted organization-wide and that those activities are coordinated. With the importance of continuous monitoring programs, the implementation of information security across the three tiers of the risk management hierarchy, and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing organizational assessments supporting a variety of security controls. Security training activities, while typically focused on individual information systems and specific roles, also necessitate coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments. Related controls: AT-3, CA-7, CP-4, IR-3, SI-4. |
The organization:
a. Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems:
1. Are developed and maintained; and
2. Continue to be executed in a timely manner;
b. Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. |
| CCI-003001 |
The organization implements a process for ensuring that organizational plans for conducting security training activities associated with organizational information systems are maintained. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed implements a process for ensuring that organizational plans for conducting security training activities associated with organizational information systems are maintained. |
The organization being inspected/assessed documents and implements a process for ensuring that organizational plans for conducting security training activities associated with organizational information systems are maintained. |
Testing, Training, And Monitoring |
PM-14 |
PM-14.4 |
This control ensures that organizations provide oversight for the security testing, training, and monitoring activities conducted organization-wide and that those activities are coordinated. With the importance of continuous monitoring programs, the implementation of information security across the three tiers of the risk management hierarchy, and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing organizational assessments supporting a variety of security controls. Security training activities, while typically focused on individual information systems and specific roles, also necessitate coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments. Related controls: AT-3, CA-7, CP-4, IR-3, SI-4. |
The organization:
a. Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems:
1. Are developed and maintained; and
2. Continue to be executed in a timely manner;
b. Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. |
| CCI-003002 |
The organization implements a process for ensuring that organizational plans for conducting security monitoring activities associated with organizational information systems are developed. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed implements a process for ensuring that organizational plans for conducting security monitoring activities associated with organizational information systems are developed. |
The organization being inspected/assessed documents and implements a process for ensuring that organizational plans for conducting security monitoring activities associated with organizational information systems are developed. |
Testing, Training, And Monitoring |
PM-14 |
PM-14.5 |
This control ensures that organizations provide oversight for the security testing, training, and monitoring activities conducted organization-wide and that those activities are coordinated. With the importance of continuous monitoring programs, the implementation of information security across the three tiers of the risk management hierarchy, and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing organizational assessments supporting a variety of security controls. Security training activities, while typically focused on individual information systems and specific roles, also necessitate coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments. Related controls: AT-3, CA-7, CP-4, IR-3, SI-4. |
The organization:
a. Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems:
1. Are developed and maintained; and
2. Continue to be executed in a timely manner;
b. Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. |
| CCI-003003 |
The organization implements a process for ensuring that organizational plans for conducting security monitoring activities associated with organizational information systems are maintained. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed implements a process for ensuring that organizational plans for conducting security monitoring activities associated with organizational information systems are maintained. |
The organization being inspected/assessed documents and implements a process for conducting security monitoring activities associated with organizational information systems are maintained. |
Testing, Training, And Monitoring |
PM-14 |
PM-14.6 |
This control ensures that organizations provide oversight for the security testing, training, and monitoring activities conducted organization-wide and that those activities are coordinated. With the importance of continuous monitoring programs, the implementation of information security across the three tiers of the risk management hierarchy, and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing organizational assessments supporting a variety of security controls. Security training activities, while typically focused on individual information systems and specific roles, also necessitate coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments. Related controls: AT-3, CA-7, CP-4, IR-3, SI-4. |
The organization:
a. Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems:
1. Are developed and maintained; and
2. Continue to be executed in a timely manner;
b. Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. |
| CCI-003004 |
The organization implements a process for ensuring that organizational plans for conducting security testing associated with organizational information systems continue to be executed in a timely manner. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as records of execution to ensure the organization being inspected/assessed implements a process for ensuring that organizational plans for conducting security testing associated with organizational information systems continue to be executed in a timely manner. |
The organization being inspected/assessed documents and implements a process for ensuring that organizational plans for conducting security testing associated with organizational information systems continue to be executed in a timely manner.
The organization must maintain records of execution. |
Testing, Training, And Monitoring |
PM-14 |
PM-14.7 |
This control ensures that organizations provide oversight for the security testing, training, and monitoring activities conducted organization-wide and that those activities are coordinated. With the importance of continuous monitoring programs, the implementation of information security across the three tiers of the risk management hierarchy, and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing organizational assessments supporting a variety of security controls. Security training activities, while typically focused on individual information systems and specific roles, also necessitate coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments. Related controls: AT-3, CA-7, CP-4, IR-3, SI-4. |
The organization:
a. Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems:
1. Are developed and maintained; and
2. Continue to be executed in a timely manner;
b. Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. |
| CCI-003005 |
The organization implements a process for ensuring that organizational plans for conducting security training associated with organizational information systems continue to be executed in a timely manner. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the records of execution to ensure the organization being inspected/assessed implements a process for ensuring that organizational plans for conducting security training associated with organizational information systems continue to be executed in a timely manner. |
The organization being inspected/assessed documents and implements a process for ensuring that organizational plans for conducting security training associated with organizational information systems continue to be executed in a timely manner.
The organization must maintain records of execution. |
Testing, Training, And Monitoring |
PM-14 |
PM-14.8 |
This control ensures that organizations provide oversight for the security testing, training, and monitoring activities conducted organization-wide and that those activities are coordinated. With the importance of continuous monitoring programs, the implementation of information security across the three tiers of the risk management hierarchy, and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing organizational assessments supporting a variety of security controls. Security training activities, while typically focused on individual information systems and specific roles, also necessitate coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments. Related controls: AT-3, CA-7, CP-4, IR-3, SI-4. |
The organization:
a. Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems:
1. Are developed and maintained; and
2. Continue to be executed in a timely manner;
b. Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. |
| CCI-003006 |
The organization implements a process for ensuring that organizational plans for conducting security monitoring activities associated with organizational information systems continue to be executed in a timely manner. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the records of execution to ensure the organization being inspected/assessed implements a process for ensuring that organizational plans for conducting security monitoring activities associated with organizational information systems continue to be executed in a timely manner. |
The organization being inspected/assessed documents and implements a process for ensuring that organizational plans for conducting security monitoring activities associated with organizational information systems continue to be executed in a timely manner.
The organization must maintain records of execution. |
Testing, Training, And Monitoring |
PM-14 |
PM-14.9 |
This control ensures that organizations provide oversight for the security testing, training, and monitoring activities conducted organization-wide and that those activities are coordinated. With the importance of continuous monitoring programs, the implementation of information security across the three tiers of the risk management hierarchy, and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing organizational assessments supporting a variety of security controls. Security training activities, while typically focused on individual information systems and specific roles, also necessitate coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments. Related controls: AT-3, CA-7, CP-4, IR-3, SI-4. |
The organization:
a. Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems:
1. Are developed and maintained; and
2. Continue to be executed in a timely manner;
b. Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. |
| CCI-003007 |
The organization reviews testing plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of reviews to ensure the organization being inspected/assessed reviews testing plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. |
The organization being inspected/assessed documents and implements a process to review testing plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
The organization must maintain a record of reviews. |
Testing, Training, And Monitoring |
PM-14 |
PM-14.10 |
This control ensures that organizations provide oversight for the security testing, training, and monitoring activities conducted organization-wide and that those activities are coordinated. With the importance of continuous monitoring programs, the implementation of information security across the three tiers of the risk management hierarchy, and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing organizational assessments supporting a variety of security controls. Security training activities, while typically focused on individual information systems and specific roles, also necessitate coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments. Related controls: AT-3, CA-7, CP-4, IR-3, SI-4. |
The organization:
a. Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems:
1. Are developed and maintained; and
2. Continue to be executed in a timely manner;
b. Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. |
| CCI-003008 |
The organization reviews training plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of reviews to ensure the organization being inspected/assessed reviews training plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. |
The organization being inspected/assessed reviews training plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
The organization must maintain a record of reviews. |
Testing, Training, And Monitoring |
PM-14 |
PM-14.11 |
This control ensures that organizations provide oversight for the security testing, training, and monitoring activities conducted organization-wide and that those activities are coordinated. With the importance of continuous monitoring programs, the implementation of information security across the three tiers of the risk management hierarchy, and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing organizational assessments supporting a variety of security controls. Security training activities, while typically focused on individual information systems and specific roles, also necessitate coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments. Related controls: AT-3, CA-7, CP-4, IR-3, SI-4. |
The organization:
a. Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems:
1. Are developed and maintained; and
2. Continue to be executed in a timely manner;
b. Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. |
| CCI-003009 |
The organization reviews monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of reviews to ensure the organization being inspected/assessed reviews monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. |
The organization being inspected/assessed reviews monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
The organization must maintain a record of reviews. |
Testing, Training, And Monitoring |
PM-14 |
PM-14.12 |
This control ensures that organizations provide oversight for the security testing, training, and monitoring activities conducted organization-wide and that those activities are coordinated. With the importance of continuous monitoring programs, the implementation of information security across the three tiers of the risk management hierarchy, and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing organizational assessments supporting a variety of security controls. Security training activities, while typically focused on individual information systems and specific roles, also necessitate coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments. Related controls: AT-3, CA-7, CP-4, IR-3, SI-4. |
The organization:
a. Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems:
1. Are developed and maintained; and
2. Continue to be executed in a timely manner;
b. Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. |
| CCI-003010 |
The organization establishes and institutionalizes contact with selected groups and associations within the security community to facilitate ongoing security education and training for organizational personnel. |
The organization conducting the inspection/assessment obtains and examines artifacts showing contact to ensure the organization being inspected/assessed establishes and institutionalizes contact with selected groups and associations within the security community to facilitate ongoing security education and training for organizational personnel. |
The organization being inspected/assessed establishes and institutionalizes contact with selected groups and associations within the security community to facilitate ongoing security education and training for organizational personnel. |
Contacts With Security Groups And Associations |
PM-15 |
PM-15.1 |
Ongoing contact with security groups and associations is of paramount importance in an environment of rapidly changing technologies and threats. Security groups and associations include, for example, special interest groups, forums, professional associations, news groups, and/or peer groups of security professionals in similar organizations. Organizations select groups and associations based on organizational missions/business functions. Organizations share threat, vulnerability, and incident information consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Related control: SI-5. |
The organization establishes and institutionalizes contact with selected groups and associations within the security community:
a. To facilitate ongoing security education and training for organizational personnel;
b. To maintain currency with recommended security practices, techniques, and technologies; and
c. To share current security-related information including threats, vulnerabilities, and incidents. |
| CCI-003011 |
The organization establishes and institutionalizes contact with selected groups and associations within the security community to maintain currency with recommended security practices, techniques, and technologies. |
The organization conducting the inspection/assessment obtains and examines artifacts showing contact to ensure the organization being inspected/assessed establishes and institutionalizes contact with selected groups and associations within the security community to maintain currency with recommended security practices, techniques, and technologies. |
The organization being inspected/assessed establishes and institutionalizes contact with selected groups and associations within the security community to maintain currency with recommended security practices, techniques, and technologies. |
Contacts With Security Groups And Associations |
PM-15 |
PM-15.2 |
Ongoing contact with security groups and associations is of paramount importance in an environment of rapidly changing technologies and threats. Security groups and associations include, for example, special interest groups, forums, professional associations, news groups, and/or peer groups of security professionals in similar organizations. Organizations select groups and associations based on organizational missions/business functions. Organizations share threat, vulnerability, and incident information consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Related control: SI-5. |
The organization establishes and institutionalizes contact with selected groups and associations within the security community:
a. To facilitate ongoing security education and training for organizational personnel;
b. To maintain currency with recommended security practices, techniques, and technologies; and
c. To share current security-related information including threats, vulnerabilities, and incidents. |
| CCI-003012 |
The organization establishes and institutionalizes contact with selected groups and associations within the security community to share current security-related information including threats, vulnerabilities, and incidents. |
The organization conducting the inspection/assessment obtains and examines artifacts showing contact to ensure the organization being inspected/assessed establishes and institutionalizes contact with selected groups and associations within the security community to share current security-related information including threats, vulnerabilities, and incidents. |
The organization being inspected/assessed establishes and institutionalizes contact with selected groups and associations within the security community to share current security-related information including threats, vulnerabilities, and incidents. |
Contacts With Security Groups And Associations |
PM-15 |
PM-15.3 |
Ongoing contact with security groups and associations is of paramount importance in an environment of rapidly changing technologies and threats. Security groups and associations include, for example, special interest groups, forums, professional associations, news groups, and/or peer groups of security professionals in similar organizations. Organizations select groups and associations based on organizational missions/business functions. Organizations share threat, vulnerability, and incident information consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Related control: SI-5. |
The organization establishes and institutionalizes contact with selected groups and associations within the security community:
a. To facilitate ongoing security education and training for organizational personnel;
b. To maintain currency with recommended security practices, techniques, and technologies; and
c. To share current security-related information including threats, vulnerabilities, and incidents. |
| CCI-003013 |
The organization implements a threat awareness program that includes a cross-organization information-sharing capability. |
The organization conducting the inspection/assessment obtains and examines the documented threat awareness program to ensure the organization being inspected/assessed implements a threat awareness program that includes a cross-organization information-sharing capability. |
The organization being inspected/assessed documents and implements a threat awareness program that includes a cross-organization information-sharing capability. |
Threat Awareness Program |
PM-16 |
PM-16.1 |
Because of the constantly changing and increasing sophistication of adversaries, especially the advanced persistent threat (APT), it is becoming more likely that adversaries may successfully breach or compromise organizational information systems. One of the best techniques to address this concern is for organizations to share threat information. This can include, for example, sharing threat events (i.e., tactics, techniques, and procedures) that organizations have experienced, mitigations that organizations have found are effective against certain types of threats, threat intelligence (i.e., indications and warnings about threats that are likely to occur). Threat information sharing may be bilateral (e.g., government-commercial cooperatives, government-government cooperatives), or multilateral (e.g., organizations taking part in threat-sharing consortia). Threat information may be highly sensitive requiring special agreements and protection, or less sensitive and freely shared. Related controls: PM-12, PM-16. |
The organization implements a threat awareness program that includes a cross-organization information-sharing capability. |
| CCI-003392 |
The organization determines and documents the legal authority that permits the collection of personally identifiable information (PII), either generally or in support of a specific program or information system need. |
The organization conducting the inspection/assessment obtains and examines the applicable privacy documentation to ensure the organization being inspected/assessed has documented the legal authority that permits the collection of PII, and that such collection is related to, and compatible with, the purpose and scope of the authority described in the privacy documentation. |
The organization being inspected/assessed identifies and documents in applicable privacy notices and privacy impact assessment, the legal authority applicable to the information system permitting the collection of PII IAW 5 USC 552a, DoDD 5400.11, DoD 5400.11-R, and DoDD 5400.16. |
Authority To Collect |
AP-1 |
AP-1.1 |
Before collecting PII, the organization determines whether the contemplated collection of PII is legally authorized. Program officials consult with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) and legal counsel regarding the authority of any program or activity to collect PII. The authority to collect PII is documented in the System of Records Notice (SORN) and/or Privacy Impact Assessment (PIA) or other applicable documentation such as Privacy Act Statements or Computer Matching Agreements. Related controls: AR-2, DM-1, TR-1, TR-2. |
The organization determines and documents the legal authority that permits the collection, use, maintenance, and sharing of personally identifiable information (PII), either generally or in support of a specific program or information system need. |
| CCI-003393 |
The organization determines and documents the legal authority that permits the use of personally identifiable information (PII), either generally or in support of a specific program or information system need. |
The organization conducting the inspection/assessment obtains and examines the applicable privacy documentation to ensure the organization being inspected/assessed has documented the legal authority that permits the use of PII, and that such use is related to, and compatible with, the purpose and scope of the authority described in the privacy documentation. |
The organization being inspected/assessed identifies and documents in applicable privacy notices and privacy impact assessment, the legal authority applicable to the information system permitting the collection of PII IAW 5 USC 552a, DoDD 5400.11, DoD 5400.11-R, and DoDD 5400.16. |
Authority To Collect |
AP-1 |
AP-1.2 |
Before collecting PII, the organization determines whether the contemplated collection of PII is legally authorized. Program officials consult with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) and legal counsel regarding the authority of any program or activity to collect PII. The authority to collect PII is documented in the System of Records Notice (SORN) and/or Privacy Impact Assessment (PIA) or other applicable documentation such as Privacy Act Statements or Computer Matching Agreements. Related controls: AR-2, DM-1, TR-1, TR-2. |
The organization determines and documents the legal authority that permits the collection, use, maintenance, and sharing of personally identifiable information (PII), either generally or in support of a specific program or information system need. |
| CCI-003394 |
The organization determines and documents the legal authority that permits the maintenance of personally identifiable information (PII), either generally or in support of a specific program or information system need. |
The organization conducting the inspection/assessment obtains and examines the applicable privacy documentation to ensure the organization being inspected/assessed has documented the legal authority that permits the maintenance of PII, and that such maintenance is related to, and compatible with, the purpose and scope of the authority described in the privacy documentation. |
The organization being inspected/assessed identifies and documents in applicable privacy notices and privacy impact assessment, the legal authority applicable to the information system permitting the collection of PII IAW 5 USC 552a, DoDD 5400.11, DoD 5400.11-R, and DoDD 5400.16. |
Authority To Collect |
AP-1 |
AP-1.3 |
Before collecting PII, the organization determines whether the contemplated collection of PII is legally authorized. Program officials consult with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) and legal counsel regarding the authority of any program or activity to collect PII. The authority to collect PII is documented in the System of Records Notice (SORN) and/or Privacy Impact Assessment (PIA) or other applicable documentation such as Privacy Act Statements or Computer Matching Agreements. Related controls: AR-2, DM-1, TR-1, TR-2. |
The organization determines and documents the legal authority that permits the collection, use, maintenance, and sharing of personally identifiable information (PII), either generally or in support of a specific program or information system need. |
| CCI-003395 |
The organization determines and documents the legal authority that permits the sharing of personally identifiable information (PII), either generally or in support of a specific program or information system need. |
The organization conducting the inspection/assessment obtains and examines the applicable privacy documentation to ensure the organization being inspected/assessed has documented the legal authority that permits the dissemination or sharing of PII, and that such dissemination or sharing is related to, and compatible with, the purpose and scope of the authority described in the privacy documentation. |
The organization being inspected/assessed identifies and documents in applicable privacy notices and privacy impact assessment, the legal authority applicable to the information system permitting the collection of PII IAW 5 USC 552a, DoDD 5400.11, DoD 5400.11-R, and DoDD 5400.16. |
Authority To Collect |
AP-1 |
AP-1.4 |
Before collecting PII, the organization determines whether the contemplated collection of PII is legally authorized. Program officials consult with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) and legal counsel regarding the authority of any program or activity to collect PII. The authority to collect PII is documented in the System of Records Notice (SORN) and/or Privacy Impact Assessment (PIA) or other applicable documentation such as Privacy Act Statements or Computer Matching Agreements. Related controls: AR-2, DM-1, TR-1, TR-2. |
The organization determines and documents the legal authority that permits the collection, use, maintenance, and sharing of personally identifiable information (PII), either generally or in support of a specific program or information system need. |
| CCI-003396 |
The organization describes, in its privacy notices, the purpose(s) for which personally identifiable information (PII) is collected. |
The organization conducting the inspection/assessment obtains and examines the applicable privacy notices and privacy impact assessment to ensure the organization being inspected/assessed describes, in its privacy notices, the purpose(s) for which PII is collected. |
The organization being inspected/assessed ensures the PII collected by the specific program or information system is related to, and compatible with, the purpose and scope of the authority described in the privacy documentation, for example, but not limited to, the Privacy Act system of records notice (SORN) or Privacy Impact Assessment (PIA). The privacy documentation shall be IAW 5 USC 552a, DoDD 5400.11, DoD 5400.11-R, Section 208 of the E-Gov Act of 2002 (Public Law 107-347) and DoDI 5400.16. |
Purpose Specification |
AP-2 |
AP-2.1 |
Often, statutory language expressly authorizes specific collections and uses of PII. When statutory language is written broadly and thus subject to interpretation, organizations ensure, in consultation with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) and legal counsel, that there is a close nexus between the general authorization and any specific collection of PII. Once the specific purposes have been identified, the purposes are clearly described in the related privacy compliance documentation, including but not limited to Privacy Impact Assessments (PIAs), System of Records Notices (SORNs), and Privacy Act Statements provided at the time of collection (e.g., on forms organizations use to collect PII). Further, in order to avoid unauthorized collections or uses of PII, personnel who handle PII receive training on the organizational authorities for collecting PII, authorized uses of PII, and on the contents of the notice. Related controls: AR-2, AR-4, AR-5, DM-1, DM-2, TR-1, TR-2, UL-1, UL-2. |
The organization describes the purpose(s) for which personally identifiable information (PII) is collected, used, maintained, and shared in its privacy notices. |
| CCI-003398 |
The organization describes, in its privacy notices, the purpose(s) for which personally identifiable information (PII) is used. |
The organization conducting the inspection/assessment obtains and examines the applicable privacy notices and privacy impact assessment to ensure the organization being inspected/assessed describes, in its privacy notices, the purpose(s) for which PII is used. |
The organization being inspected/assessed ensures the PII collected by the specific program or information system is related to, and compatible with, the purpose and scope of the authority described in the privacy documentation, for example, but not limited to, the Privacy Act system of records notice (SORN) or Privacy Impact Assessment (PIA). The privacy documentation shall be IAW 5 USC 552a, DoDD 5400.11, DoD 5400.11-R, Section 208 of the E-Gov Act of 2002 (Public Law 107-347) and DoDI 5400.16. |
Purpose Specification |
AP-2 |
AP-2.2 |
Often, statutory language expressly authorizes specific collections and uses of PII. When statutory language is written broadly and thus subject to interpretation, organizations ensure, in consultation with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) and legal counsel, that there is a close nexus between the general authorization and any specific collection of PII. Once the specific purposes have been identified, the purposes are clearly described in the related privacy compliance documentation, including but not limited to Privacy Impact Assessments (PIAs), System of Records Notices (SORNs), and Privacy Act Statements provided at the time of collection (e.g., on forms organizations use to collect PII). Further, in order to avoid unauthorized collections or uses of PII, personnel who handle PII receive training on the organizational authorities for collecting PII, authorized uses of PII, and on the contents of the notice. Related controls: AR-2, AR-4, AR-5, DM-1, DM-2, TR-1, TR-2, UL-1, UL-2. |
The organization describes the purpose(s) for which personally identifiable information (PII) is collected, used, maintained, and shared in its privacy notices. |
| CCI-003399 |
The organization describes, in its privacy notices, the purpose(s) for which personally identifiable information (PII) is maintained. |
The organization conducting the inspection/assessment obtains and examines the applicable privacy notices and privacy impact assessment to ensure the organization being inspected/assessed describes, in its privacy notices, the purpose(s) for which PII is maintained. |
The organization being inspected/assessed ensures the PII collected by the specific program or information system is related to, and compatible with, the purpose and scope of the authority described in the privacy documentation, for example, but not limited to, the Privacy Act system of records notice (SORN) or Privacy Impact Assessment (PIA). The privacy documentation shall be IAW 5 USC 552a, DoDD 5400.11, DoD 5400.11-R, Section 208 of the E-Gov Act of 2002 (Public Law 107-347) and DoDI 5400.16. |
Purpose Specification |
AP-2 |
AP-2.3 |
Often, statutory language expressly authorizes specific collections and uses of PII. When statutory language is written broadly and thus subject to interpretation, organizations ensure, in consultation with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) and legal counsel, that there is a close nexus between the general authorization and any specific collection of PII. Once the specific purposes have been identified, the purposes are clearly described in the related privacy compliance documentation, including but not limited to Privacy Impact Assessments (PIAs), System of Records Notices (SORNs), and Privacy Act Statements provided at the time of collection (e.g., on forms organizations use to collect PII). Further, in order to avoid unauthorized collections or uses of PII, personnel who handle PII receive training on the organizational authorities for collecting PII, authorized uses of PII, and on the contents of the notice. Related controls: AR-2, AR-4, AR-5, DM-1, DM-2, TR-1, TR-2, UL-1, UL-2. |
The organization describes the purpose(s) for which personally identifiable information (PII) is collected, used, maintained, and shared in its privacy notices. |
| CCI-003400 |
The organization describes, in its privacy notices, the purpose(s) for which personally identifiable information (PII) is shared. |
The organization conducting the inspection/assessment obtains and examines the applicable privacy notices and privacy impact assessment to ensure the organization being inspected/assessed describes, in its privacy notices, the purpose(s) for which PII is shared. |
The organization being inspected/assessed ensures the PII collected by the specific program or information system is related to, and compatible with, the purpose and scope of the authority described in the privacy documentation, for example, but not limited to, the Privacy Act system of records notice (SORN) or Privacy Impact Assessment (PIA). The privacy documentation shall be IAW 5 USC 552a, DoDD 5400.11, DoD 5400.11-R, Section 208 of the E-Gov Act of 2002 (Public Law 107-347) and DoDI 5400.16. |
Purpose Specification |
AP-2 |
AP-2.4 |
Often, statutory language expressly authorizes specific collections and uses of PII. When statutory language is written broadly and thus subject to interpretation, organizations ensure, in consultation with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) and legal counsel, that there is a close nexus between the general authorization and any specific collection of PII. Once the specific purposes have been identified, the purposes are clearly described in the related privacy compliance documentation, including but not limited to Privacy Impact Assessments (PIAs), System of Records Notices (SORNs), and Privacy Act Statements provided at the time of collection (e.g., on forms organizations use to collect PII). Further, in order to avoid unauthorized collections or uses of PII, personnel who handle PII receive training on the organizational authorities for collecting PII, authorized uses of PII, and on the contents of the notice. Related controls: AR-2, AR-4, AR-5, DM-1, DM-2, TR-1, TR-2, UL-1, UL-2. |
The organization describes the purpose(s) for which personally identifiable information (PII) is collected, used, maintained, and shared in its privacy notices. |
| CCI-003397 |
The organization appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of personally identifiable information (PII) by programs and information systems. |
The organization conducting the inspection/assessment obtains and examines the applicable privacy documentation to ensure the organization being inspected/assessed has document the appointment of component Senior Official for privacy. |
The Senior Agency Official for Privacy (SAOP) is appointed at the DoD enterprise level. The SAOP is accountable for developing, implementing and maintaining the DoD-enterprise level governance and privacy program, which can be augmented with a Component level guidance and privacy program.
The Component Senior Offical for Privacy is accountable for developing, implementing and maintaining the Component level governance and privacy program.
The organization being inspected/assessed appoints and documents a Component Senior Official for privacy. |
Governance And Privacy Program |
AR-1 |
AR-1.1 |
The development and implementation of a comprehensive governance and privacy program demonstrates organizational accountability for and commitment to the protection of individual privacy. Accountability begins with the appointment of an SAOP/CPO with the authority, mission, resources, and responsibility to develop and implement a multifaceted privacy program. The SAOP/CPO, in consultation with legal counsel, information security officials, and others as appropriate: (i) ensures the development, implementation, and enforcement of privacy policies and procedures; (ii) defines roles and responsibilities for protecting PII; (iii) determines the level of information sensitivity with regard to PII holdings; (iv) identifies the laws, regulations, and internal policies that apply to the PII; (v) monitors privacy best practices; and (vi) monitors/audits compliance with identified privacy controls.
To further accountability, the SAOP/CPO develops privacy plans to document the privacy requirements of organizations and the privacy and security controls in place or planned for meeting those requirements. The plan serves as evidence of organizational privacy operations and supports resource requests by the SAOP/CPO. A single plan or multiple plans may be necessary depending upon the organizational structures, requirements, and resources, and the plan(s) may vary in comprehensiveness. For example, a one-page privacy plan may cover privacy policies, documentation, and controls already in place, such as Privacy Impact Assessments (PIA) and System of Records Notices (SORN). A comprehensive plan may include a baseline of privacy controls selected from this appendix and include: (i) processes for conducting privacy risk assessments; (ii) templates and guidance for completing PIAs and SORNs; (iii) privacy training and awareness requirements; (iv) requirements for contractors processing PII; (v) plans for eliminating unnecessary PII holdings; and (vi) a framework for measuring annual performance goals and objectives for implementing identified privacy controls |
The organization:
a. Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of personally identifiable information (PII) by programs and information systems;
b. Monitors federal privacy laws and policy for changes that affect the privacy program;
c. Allocates [Assignment: organization-defined allocation of budget and staffing] sufficient resources to implement and operate the organization-wide privacy program;
d. Develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures;
e. Develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII; and
f. Updates privacy plan, policies, and procedures [Assignment: organization-defined frequency, at least biennially]. |
| CCI-003401 |
The organization monitors federal privacy laws and policy for changes that affect the privacy program. |
The organization conducting the inspection/assessment obtains and examines the applicable privacy documentation to ensure the organization being inspected/assessed has a documented repeatable business process by which it monitors federal privacy laws and policy for changes that affect the privacy program. |
The organization being inspected/assessed documents and implements a repeatable business process by which it monitors federal privacy laws and policy for changes that affect the privacy program. |
Governance And Privacy Program |
AR-1 |
AR-1.2 |
The development and implementation of a comprehensive governance and privacy program demonstrates organizational accountability for and commitment to the protection of individual privacy. Accountability begins with the appointment of an SAOP/CPO with the authority, mission, resources, and responsibility to develop and implement a multifaceted privacy program. The SAOP/CPO, in consultation with legal counsel, information security officials, and others as appropriate: (i) ensures the development, implementation, and enforcement of privacy policies and procedures; (ii) defines roles and responsibilities for protecting PII; (iii) determines the level of information sensitivity with regard to PII holdings; (iv) identifies the laws, regulations, and internal policies that apply to the PII; (v) monitors privacy best practices; and (vi) monitors/audits compliance with identified privacy controls.
To further accountability, the SAOP/CPO develops privacy plans to document the privacy requirements of organizations and the privacy and security controls in place or planned for meeting those requirements. The plan serves as evidence of organizational privacy operations and supports resource requests by the SAOP/CPO. A single plan or multiple plans may be necessary depending upon the organizational structures, requirements, and resources, and the plan(s) may vary in comprehensiveness. For example, a one-page privacy plan may cover privacy policies, documentation, and controls already in place, such as Privacy Impact Assessments (PIA) and System of Records Notices (SORN). A comprehensive plan may include a baseline of privacy controls selected from this appendix and include: (i) processes for conducting privacy risk assessments; (ii) templates and guidance for completing PIAs and SORNs; (iii) privacy training and awareness requirements; (iv) requirements for contractors processing PII; (v) plans for eliminating unnecessary PII holdings; and (vi) a framework for measuring annual performance goals and objectives for implementing identified privacy controls |
The organization:
a. Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of personally identifiable information (PII) by programs and information systems;
b. Monitors federal privacy laws and policy for changes that affect the privacy program;
c. Allocates [Assignment: organization-defined allocation of budget and staffing] sufficient resources to implement and operate the organization-wide privacy program;
d. Develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures;
e. Develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII; and
f. Updates privacy plan, policies, and procedures [Assignment: organization-defined frequency, at least biennially]. |
| CCI-003402 |
The organization defines the allocation of budget resources sufficient to implement and operate the organization-wide privacy program. |
The organization conducting the inspection/assessment obtains and examines the documented allocation to ensure the organization being inspected/assessed defines the allocation of budget resources sufficient to implement and operate the organization-wide privacy program.
DoD has determined the allocation of budget resources is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the allocation of budget resources sufficient to implement and operate the organization-wide privacy program.
DoD has determined the allocation of budget resources is not appropriate to define at the Enterprise level. |
Governance And Privacy Program |
AR-1 |
AR-1.3 |
The development and implementation of a comprehensive governance and privacy program demonstrates organizational accountability for and commitment to the protection of individual privacy. Accountability begins with the appointment of an SAOP/CPO with the authority, mission, resources, and responsibility to develop and implement a multifaceted privacy program. The SAOP/CPO, in consultation with legal counsel, information security officials, and others as appropriate: (i) ensures the development, implementation, and enforcement of privacy policies and procedures; (ii) defines roles and responsibilities for protecting PII; (iii) determines the level of information sensitivity with regard to PII holdings; (iv) identifies the laws, regulations, and internal policies that apply to the PII; (v) monitors privacy best practices; and (vi) monitors/audits compliance with identified privacy controls.
To further accountability, the SAOP/CPO develops privacy plans to document the privacy requirements of organizations and the privacy and security controls in place or planned for meeting those requirements. The plan serves as evidence of organizational privacy operations and supports resource requests by the SAOP/CPO. A single plan or multiple plans may be necessary depending upon the organizational structures, requirements, and resources, and the plan(s) may vary in comprehensiveness. For example, a one-page privacy plan may cover privacy policies, documentation, and controls already in place, such as Privacy Impact Assessments (PIA) and System of Records Notices (SORN). A comprehensive plan may include a baseline of privacy controls selected from this appendix and include: (i) processes for conducting privacy risk assessments; (ii) templates and guidance for completing PIAs and SORNs; (iii) privacy training and awareness requirements; (iv) requirements for contractors processing PII; (v) plans for eliminating unnecessary PII holdings; and (vi) a framework for measuring annual performance goals and objectives for implementing identified privacy controls |
The organization:
a. Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of personally identifiable information (PII) by programs and information systems;
b. Monitors federal privacy laws and policy for changes that affect the privacy program;
c. Allocates [Assignment: organization-defined allocation of budget and staffing] sufficient resources to implement and operate the organization-wide privacy program;
d. Develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures;
e. Develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII; and
f. Updates privacy plan, policies, and procedures [Assignment: organization-defined frequency, at least biennially]. |
| CCI-003403 |
The organization defines the allocation of staffing resources sufficient to implement and operate the organization-wide privacy program. |
The organization conducting the inspection/assessment obtains and examines the documented allocation to ensure the organization being inspected/assessed defines the allocation of staffing resources sufficient to implement and operate the organization-wide privacy program.
DoD has determined the allocation of staffing resources is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the allocation of staffing resources sufficient to implement and operate the organization-wide privacy program.
DoD has determined the allocation of staffing resources is not appropriate to define at the Enterprise level. |
Governance And Privacy Program |
AR-1 |
AR-1.4 |
The development and implementation of a comprehensive governance and privacy program demonstrates organizational accountability for and commitment to the protection of individual privacy. Accountability begins with the appointment of an SAOP/CPO with the authority, mission, resources, and responsibility to develop and implement a multifaceted privacy program. The SAOP/CPO, in consultation with legal counsel, information security officials, and others as appropriate: (i) ensures the development, implementation, and enforcement of privacy policies and procedures; (ii) defines roles and responsibilities for protecting PII; (iii) determines the level of information sensitivity with regard to PII holdings; (iv) identifies the laws, regulations, and internal policies that apply to the PII; (v) monitors privacy best practices; and (vi) monitors/audits compliance with identified privacy controls.
To further accountability, the SAOP/CPO develops privacy plans to document the privacy requirements of organizations and the privacy and security controls in place or planned for meeting those requirements. The plan serves as evidence of organizational privacy operations and supports resource requests by the SAOP/CPO. A single plan or multiple plans may be necessary depending upon the organizational structures, requirements, and resources, and the plan(s) may vary in comprehensiveness. For example, a one-page privacy plan may cover privacy policies, documentation, and controls already in place, such as Privacy Impact Assessments (PIA) and System of Records Notices (SORN). A comprehensive plan may include a baseline of privacy controls selected from this appendix and include: (i) processes for conducting privacy risk assessments; (ii) templates and guidance for completing PIAs and SORNs; (iii) privacy training and awareness requirements; (iv) requirements for contractors processing PII; (v) plans for eliminating unnecessary PII holdings; and (vi) a framework for measuring annual performance goals and objectives for implementing identified privacy controls |
The organization:
a. Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of personally identifiable information (PII) by programs and information systems;
b. Monitors federal privacy laws and policy for changes that affect the privacy program;
c. Allocates [Assignment: organization-defined allocation of budget and staffing] sufficient resources to implement and operate the organization-wide privacy program;
d. Develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures;
e. Develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII; and
f. Updates privacy plan, policies, and procedures [Assignment: organization-defined frequency, at least biennially]. |
| CCI-003404 |
The organization allocates sufficient organization-defined budget resources to implement and operate the organization-wide privacy program. |
The organization conducting the inspection/assessment obtains and examines the applicable privacy documentation to ensure the organization being inspected/assessed has documents which demonstrate allocation of sufficient organization-defined budget resources to implement and operate the organization-wide privacy program. |
The organization being inspected/assessed documents and implements a process for the allocation of sufficient organization-defined budget resources to implement and operate the organization-wide privacy program. |
Governance And Privacy Program |
AR-1 |
AR-1.5 |
The development and implementation of a comprehensive governance and privacy program demonstrates organizational accountability for and commitment to the protection of individual privacy. Accountability begins with the appointment of an SAOP/CPO with the authority, mission, resources, and responsibility to develop and implement a multifaceted privacy program. The SAOP/CPO, in consultation with legal counsel, information security officials, and others as appropriate: (i) ensures the development, implementation, and enforcement of privacy policies and procedures; (ii) defines roles and responsibilities for protecting PII; (iii) determines the level of information sensitivity with regard to PII holdings; (iv) identifies the laws, regulations, and internal policies that apply to the PII; (v) monitors privacy best practices; and (vi) monitors/audits compliance with identified privacy controls.
To further accountability, the SAOP/CPO develops privacy plans to document the privacy requirements of organizations and the privacy and security controls in place or planned for meeting those requirements. The plan serves as evidence of organizational privacy operations and supports resource requests by the SAOP/CPO. A single plan or multiple plans may be necessary depending upon the organizational structures, requirements, and resources, and the plan(s) may vary in comprehensiveness. For example, a one-page privacy plan may cover privacy policies, documentation, and controls already in place, such as Privacy Impact Assessments (PIA) and System of Records Notices (SORN). A comprehensive plan may include a baseline of privacy controls selected from this appendix and include: (i) processes for conducting privacy risk assessments; (ii) templates and guidance for completing PIAs and SORNs; (iii) privacy training and awareness requirements; (iv) requirements for contractors processing PII; (v) plans for eliminating unnecessary PII holdings; and (vi) a framework for measuring annual performance goals and objectives for implementing identified privacy controls |
The organization:
a. Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of personally identifiable information (PII) by programs and information systems;
b. Monitors federal privacy laws and policy for changes that affect the privacy program;
c. Allocates [Assignment: organization-defined allocation of budget and staffing] sufficient resources to implement and operate the organization-wide privacy program;
d. Develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures;
e. Develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII; and
f. Updates privacy plan, policies, and procedures [Assignment: organization-defined frequency, at least biennially]. |
| CCI-003405 |
The organization allocates sufficient organization-defined staffing resources to implement and operate the organization-wide privacy program. |
The organization conducting the inspection/assessment obtains and examines the applicable privacy documentation to ensure the organization being inspected/assessed has documents which demonstrate allocation of sufficient organization-defined staffing resources to implement and operate the organization-wide privacy program. |
The organization being inspected/assessed documents and implements a process for the allocation of sufficient organization-defined staffing resources to implement and operate the organization-wide privacy program. |
Governance And Privacy Program |
AR-1 |
AR-1.6 |
The development and implementation of a comprehensive governance and privacy program demonstrates organizational accountability for and commitment to the protection of individual privacy. Accountability begins with the appointment of an SAOP/CPO with the authority, mission, resources, and responsibility to develop and implement a multifaceted privacy program. The SAOP/CPO, in consultation with legal counsel, information security officials, and others as appropriate: (i) ensures the development, implementation, and enforcement of privacy policies and procedures; (ii) defines roles and responsibilities for protecting PII; (iii) determines the level of information sensitivity with regard to PII holdings; (iv) identifies the laws, regulations, and internal policies that apply to the PII; (v) monitors privacy best practices; and (vi) monitors/audits compliance with identified privacy controls.
To further accountability, the SAOP/CPO develops privacy plans to document the privacy requirements of organizations and the privacy and security controls in place or planned for meeting those requirements. The plan serves as evidence of organizational privacy operations and supports resource requests by the SAOP/CPO. A single plan or multiple plans may be necessary depending upon the organizational structures, requirements, and resources, and the plan(s) may vary in comprehensiveness. For example, a one-page privacy plan may cover privacy policies, documentation, and controls already in place, such as Privacy Impact Assessments (PIA) and System of Records Notices (SORN). A comprehensive plan may include a baseline of privacy controls selected from this appendix and include: (i) processes for conducting privacy risk assessments; (ii) templates and guidance for completing PIAs and SORNs; (iii) privacy training and awareness requirements; (iv) requirements for contractors processing PII; (v) plans for eliminating unnecessary PII holdings; and (vi) a framework for measuring annual performance goals and objectives for implementing identified privacy controls |
The organization:
a. Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of personally identifiable information (PII) by programs and information systems;
b. Monitors federal privacy laws and policy for changes that affect the privacy program;
c. Allocates [Assignment: organization-defined allocation of budget and staffing] sufficient resources to implement and operate the organization-wide privacy program;
d. Develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures;
e. Develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII; and
f. Updates privacy plan, policies, and procedures [Assignment: organization-defined frequency, at least biennially]. |
| CCI-003406 |
The organization develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures. |
The organization conducting the inspection/assessment obtains and examines the applicable privacy documentation to ensure the organization being inspected/assessed has documents which demonstrate a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures.
The DoD has determined that this CCI is not applicable until the policy is issued. |
The organization being inspected/assessed documents and implements a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures.
The DoD has determined that this CCI is not applicable until the policy is issued. |
Governance And Privacy Program |
AR-1 |
AR-1.7 |
The development and implementation of a comprehensive governance and privacy program demonstrates organizational accountability for and commitment to the protection of individual privacy. Accountability begins with the appointment of an SAOP/CPO with the authority, mission, resources, and responsibility to develop and implement a multifaceted privacy program. The SAOP/CPO, in consultation with legal counsel, information security officials, and others as appropriate: (i) ensures the development, implementation, and enforcement of privacy policies and procedures; (ii) defines roles and responsibilities for protecting PII; (iii) determines the level of information sensitivity with regard to PII holdings; (iv) identifies the laws, regulations, and internal policies that apply to the PII; (v) monitors privacy best practices; and (vi) monitors/audits compliance with identified privacy controls.
To further accountability, the SAOP/CPO develops privacy plans to document the privacy requirements of organizations and the privacy and security controls in place or planned for meeting those requirements. The plan serves as evidence of organizational privacy operations and supports resource requests by the SAOP/CPO. A single plan or multiple plans may be necessary depending upon the organizational structures, requirements, and resources, and the plan(s) may vary in comprehensiveness. For example, a one-page privacy plan may cover privacy policies, documentation, and controls already in place, such as Privacy Impact Assessments (PIA) and System of Records Notices (SORN). A comprehensive plan may include a baseline of privacy controls selected from this appendix and include: (i) processes for conducting privacy risk assessments; (ii) templates and guidance for completing PIAs and SORNs; (iii) privacy training and awareness requirements; (iv) requirements for contractors processing PII; (v) plans for eliminating unnecessary PII holdings; and (vi) a framework for measuring annual performance goals and objectives for implementing identified privacy controls |
The organization:
a. Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of personally identifiable information (PII) by programs and information systems;
b. Monitors federal privacy laws and policy for changes that affect the privacy program;
c. Allocates [Assignment: organization-defined allocation of budget and staffing] sufficient resources to implement and operate the organization-wide privacy program;
d. Develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures;
e. Develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII; and
f. Updates privacy plan, policies, and procedures [Assignment: organization-defined frequency, at least biennially]. |
| CCI-003407 |
The organization develops operational privacy policies which govern the appropriate privacy and security controls for programs, information systems, or technologies involving personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the applicable privacy documentation to ensure the organization being inspected/assessed has documents which demonstrate operational privacy policies which govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII. |
The organization being inspected/assessed documents and implements operational privacy policies which govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII. |
Governance And Privacy Program |
AR-1 |
AR-1.8 |
The development and implementation of a comprehensive governance and privacy program demonstrates organizational accountability for and commitment to the protection of individual privacy. Accountability begins with the appointment of an SAOP/CPO with the authority, mission, resources, and responsibility to develop and implement a multifaceted privacy program. The SAOP/CPO, in consultation with legal counsel, information security officials, and others as appropriate: (i) ensures the development, implementation, and enforcement of privacy policies and procedures; (ii) defines roles and responsibilities for protecting PII; (iii) determines the level of information sensitivity with regard to PII holdings; (iv) identifies the laws, regulations, and internal policies that apply to the PII; (v) monitors privacy best practices; and (vi) monitors/audits compliance with identified privacy controls.
To further accountability, the SAOP/CPO develops privacy plans to document the privacy requirements of organizations and the privacy and security controls in place or planned for meeting those requirements. The plan serves as evidence of organizational privacy operations and supports resource requests by the SAOP/CPO. A single plan or multiple plans may be necessary depending upon the organizational structures, requirements, and resources, and the plan(s) may vary in comprehensiveness. For example, a one-page privacy plan may cover privacy policies, documentation, and controls already in place, such as Privacy Impact Assessments (PIA) and System of Records Notices (SORN). A comprehensive plan may include a baseline of privacy controls selected from this appendix and include: (i) processes for conducting privacy risk assessments; (ii) templates and guidance for completing PIAs and SORNs; (iii) privacy training and awareness requirements; (iv) requirements for contractors processing PII; (v) plans for eliminating unnecessary PII holdings; and (vi) a framework for measuring annual performance goals and objectives for implementing identified privacy controls |
The organization:
a. Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of personally identifiable information (PII) by programs and information systems;
b. Monitors federal privacy laws and policy for changes that affect the privacy program;
c. Allocates [Assignment: organization-defined allocation of budget and staffing] sufficient resources to implement and operate the organization-wide privacy program;
d. Develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures;
e. Develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII; and
f. Updates privacy plan, policies, and procedures [Assignment: organization-defined frequency, at least biennially]. |
| CCI-003408 |
The organization disseminates operational privacy policies which govern the appropriate privacy and security controls for programs, information systems, or technologies involving personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the operational privacy policies and procedures via the organization's information sharing capability to ensure the organization being inspected/assessed disseminates operational privacy policies which govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII and procedures which implement these policies. |
The organization being inspected/assessed disseminates via an information sharing capability, operational privacy policies and procedures which govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII. |
Governance And Privacy Program |
AR-1 |
AR-1.9 |
The development and implementation of a comprehensive governance and privacy program demonstrates organizational accountability for and commitment to the protection of individual privacy. Accountability begins with the appointment of an SAOP/CPO with the authority, mission, resources, and responsibility to develop and implement a multifaceted privacy program. The SAOP/CPO, in consultation with legal counsel, information security officials, and others as appropriate: (i) ensures the development, implementation, and enforcement of privacy policies and procedures; (ii) defines roles and responsibilities for protecting PII; (iii) determines the level of information sensitivity with regard to PII holdings; (iv) identifies the laws, regulations, and internal policies that apply to the PII; (v) monitors privacy best practices; and (vi) monitors/audits compliance with identified privacy controls.
To further accountability, the SAOP/CPO develops privacy plans to document the privacy requirements of organizations and the privacy and security controls in place or planned for meeting those requirements. The plan serves as evidence of organizational privacy operations and supports resource requests by the SAOP/CPO. A single plan or multiple plans may be necessary depending upon the organizational structures, requirements, and resources, and the plan(s) may vary in comprehensiveness. For example, a one-page privacy plan may cover privacy policies, documentation, and controls already in place, such as Privacy Impact Assessments (PIA) and System of Records Notices (SORN). A comprehensive plan may include a baseline of privacy controls selected from this appendix and include: (i) processes for conducting privacy risk assessments; (ii) templates and guidance for completing PIAs and SORNs; (iii) privacy training and awareness requirements; (iv) requirements for contractors processing PII; (v) plans for eliminating unnecessary PII holdings; and (vi) a framework for measuring annual performance goals and objectives for implementing identified privacy controls |
The organization:
a. Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of personally identifiable information (PII) by programs and information systems;
b. Monitors federal privacy laws and policy for changes that affect the privacy program;
c. Allocates [Assignment: organization-defined allocation of budget and staffing] sufficient resources to implement and operate the organization-wide privacy program;
d. Develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures;
e. Develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII; and
f. Updates privacy plan, policies, and procedures [Assignment: organization-defined frequency, at least biennially]. |
| CCI-003409 |
The organization implements operational privacy policies which govern the appropriate privacy and security controls for programs, information systems, or technologies involving personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the operational privacy policies to ensure the organization being inspected/assessed implements operational privacy policies which govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII. |
The organization being inspected/assessed documents and implements operational privacy policies which govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII. |
Governance And Privacy Program |
AR-1 |
AR-1.10 |
The development and implementation of a comprehensive governance and privacy program demonstrates organizational accountability for and commitment to the protection of individual privacy. Accountability begins with the appointment of an SAOP/CPO with the authority, mission, resources, and responsibility to develop and implement a multifaceted privacy program. The SAOP/CPO, in consultation with legal counsel, information security officials, and others as appropriate: (i) ensures the development, implementation, and enforcement of privacy policies and procedures; (ii) defines roles and responsibilities for protecting PII; (iii) determines the level of information sensitivity with regard to PII holdings; (iv) identifies the laws, regulations, and internal policies that apply to the PII; (v) monitors privacy best practices; and (vi) monitors/audits compliance with identified privacy controls.
To further accountability, the SAOP/CPO develops privacy plans to document the privacy requirements of organizations and the privacy and security controls in place or planned for meeting those requirements. The plan serves as evidence of organizational privacy operations and supports resource requests by the SAOP/CPO. A single plan or multiple plans may be necessary depending upon the organizational structures, requirements, and resources, and the plan(s) may vary in comprehensiveness. For example, a one-page privacy plan may cover privacy policies, documentation, and controls already in place, such as Privacy Impact Assessments (PIA) and System of Records Notices (SORN). A comprehensive plan may include a baseline of privacy controls selected from this appendix and include: (i) processes for conducting privacy risk assessments; (ii) templates and guidance for completing PIAs and SORNs; (iii) privacy training and awareness requirements; (iv) requirements for contractors processing PII; (v) plans for eliminating unnecessary PII holdings; and (vi) a framework for measuring annual performance goals and objectives for implementing identified privacy controls |
The organization:
a. Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of personally identifiable information (PII) by programs and information systems;
b. Monitors federal privacy laws and policy for changes that affect the privacy program;
c. Allocates [Assignment: organization-defined allocation of budget and staffing] sufficient resources to implement and operate the organization-wide privacy program;
d. Develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures;
e. Develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII; and
f. Updates privacy plan, policies, and procedures [Assignment: organization-defined frequency, at least biennially]. |
| CCI-003410 |
The organization develops operational privacy procedures which govern the appropriate privacy and security controls for programs, information systems, or technologies involving personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the documented operational privacy procedures to ensure the organization being inspected/assessed develops operational privacy procedures which govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII. |
The organization being inspected/assessed defines and documents operational privacy procedures which govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII. |
Governance And Privacy Program |
AR-1 |
AR-1.11 |
The development and implementation of a comprehensive governance and privacy program demonstrates organizational accountability for and commitment to the protection of individual privacy. Accountability begins with the appointment of an SAOP/CPO with the authority, mission, resources, and responsibility to develop and implement a multifaceted privacy program. The SAOP/CPO, in consultation with legal counsel, information security officials, and others as appropriate: (i) ensures the development, implementation, and enforcement of privacy policies and procedures; (ii) defines roles and responsibilities for protecting PII; (iii) determines the level of information sensitivity with regard to PII holdings; (iv) identifies the laws, regulations, and internal policies that apply to the PII; (v) monitors privacy best practices; and (vi) monitors/audits compliance with identified privacy controls.
To further accountability, the SAOP/CPO develops privacy plans to document the privacy requirements of organizations and the privacy and security controls in place or planned for meeting those requirements. The plan serves as evidence of organizational privacy operations and supports resource requests by the SAOP/CPO. A single plan or multiple plans may be necessary depending upon the organizational structures, requirements, and resources, and the plan(s) may vary in comprehensiveness. For example, a one-page privacy plan may cover privacy policies, documentation, and controls already in place, such as Privacy Impact Assessments (PIA) and System of Records Notices (SORN). A comprehensive plan may include a baseline of privacy controls selected from this appendix and include: (i) processes for conducting privacy risk assessments; (ii) templates and guidance for completing PIAs and SORNs; (iii) privacy training and awareness requirements; (iv) requirements for contractors processing PII; (v) plans for eliminating unnecessary PII holdings; and (vi) a framework for measuring annual performance goals and objectives for implementing identified privacy controls |
The organization:
a. Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of personally identifiable information (PII) by programs and information systems;
b. Monitors federal privacy laws and policy for changes that affect the privacy program;
c. Allocates [Assignment: organization-defined allocation of budget and staffing] sufficient resources to implement and operate the organization-wide privacy program;
d. Develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures;
e. Develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII; and
f. Updates privacy plan, policies, and procedures [Assignment: organization-defined frequency, at least biennially]. |
| CCI-003411 |
The organization disseminates operational privacy procedures which govern the appropriate privacy and security controls for programs, information systems, or technologies involving personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines via the organization's information sharing capability the operational privacy procedures to ensure it has been disseminated. |
The organization being inspected/assessed disseminates via an information sharing capability, the operational privacy procedures which implement the applicable privacy and security controls for programs, information systems, or technologies involving PII. |
Governance And Privacy Program |
AR-1 |
AR-1.12 |
The development and implementation of a comprehensive governance and privacy program demonstrates organizational accountability for and commitment to the protection of individual privacy. Accountability begins with the appointment of an SAOP/CPO with the authority, mission, resources, and responsibility to develop and implement a multifaceted privacy program. The SAOP/CPO, in consultation with legal counsel, information security officials, and others as appropriate: (i) ensures the development, implementation, and enforcement of privacy policies and procedures; (ii) defines roles and responsibilities for protecting PII; (iii) determines the level of information sensitivity with regard to PII holdings; (iv) identifies the laws, regulations, and internal policies that apply to the PII; (v) monitors privacy best practices; and (vi) monitors/audits compliance with identified privacy controls.
To further accountability, the SAOP/CPO develops privacy plans to document the privacy requirements of organizations and the privacy and security controls in place or planned for meeting those requirements. The plan serves as evidence of organizational privacy operations and supports resource requests by the SAOP/CPO. A single plan or multiple plans may be necessary depending upon the organizational structures, requirements, and resources, and the plan(s) may vary in comprehensiveness. For example, a one-page privacy plan may cover privacy policies, documentation, and controls already in place, such as Privacy Impact Assessments (PIA) and System of Records Notices (SORN). A comprehensive plan may include a baseline of privacy controls selected from this appendix and include: (i) processes for conducting privacy risk assessments; (ii) templates and guidance for completing PIAs and SORNs; (iii) privacy training and awareness requirements; (iv) requirements for contractors processing PII; (v) plans for eliminating unnecessary PII holdings; and (vi) a framework for measuring annual performance goals and objectives for implementing identified privacy controls |
The organization:
a. Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of personally identifiable information (PII) by programs and information systems;
b. Monitors federal privacy laws and policy for changes that affect the privacy program;
c. Allocates [Assignment: organization-defined allocation of budget and staffing] sufficient resources to implement and operate the organization-wide privacy program;
d. Develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures;
e. Develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII; and
f. Updates privacy plan, policies, and procedures [Assignment: organization-defined frequency, at least biennially]. |
| CCI-003412 |
The organization implements operational privacy procedures which govern the appropriate privacy and security controls for programs, information systems, or technologies involving personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the operational privacy procedures to ensure the organization being inspected/assessed implements operational privacy procedures which govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII. |
The organization being inspected/assessed documents and implements operational privacy procedures which implement the applicable privacy and security controls for programs, information systems, or technologies involving PII. |
Governance And Privacy Program |
AR-1 |
AR-1.13 |
The development and implementation of a comprehensive governance and privacy program demonstrates organizational accountability for and commitment to the protection of individual privacy. Accountability begins with the appointment of an SAOP/CPO with the authority, mission, resources, and responsibility to develop and implement a multifaceted privacy program. The SAOP/CPO, in consultation with legal counsel, information security officials, and others as appropriate: (i) ensures the development, implementation, and enforcement of privacy policies and procedures; (ii) defines roles and responsibilities for protecting PII; (iii) determines the level of information sensitivity with regard to PII holdings; (iv) identifies the laws, regulations, and internal policies that apply to the PII; (v) monitors privacy best practices; and (vi) monitors/audits compliance with identified privacy controls.
To further accountability, the SAOP/CPO develops privacy plans to document the privacy requirements of organizations and the privacy and security controls in place or planned for meeting those requirements. The plan serves as evidence of organizational privacy operations and supports resource requests by the SAOP/CPO. A single plan or multiple plans may be necessary depending upon the organizational structures, requirements, and resources, and the plan(s) may vary in comprehensiveness. For example, a one-page privacy plan may cover privacy policies, documentation, and controls already in place, such as Privacy Impact Assessments (PIA) and System of Records Notices (SORN). A comprehensive plan may include a baseline of privacy controls selected from this appendix and include: (i) processes for conducting privacy risk assessments; (ii) templates and guidance for completing PIAs and SORNs; (iii) privacy training and awareness requirements; (iv) requirements for contractors processing PII; (v) plans for eliminating unnecessary PII holdings; and (vi) a framework for measuring annual performance goals and objectives for implementing identified privacy controls |
The organization:
a. Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of personally identifiable information (PII) by programs and information systems;
b. Monitors federal privacy laws and policy for changes that affect the privacy program;
c. Allocates [Assignment: organization-defined allocation of budget and staffing] sufficient resources to implement and operate the organization-wide privacy program;
d. Develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures;
e. Develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII; and
f. Updates privacy plan, policies, and procedures [Assignment: organization-defined frequency, at least biennially]. |
| CCI-003413 |
The organization defines the frequency, minimally biennially, on which the privacy plan, policies, and procedures are to be updated. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as at a minimum, biennially. |
DoD has defined the frequency as at a minimum, biennially. |
Governance And Privacy Program |
AR-1 |
AR-1.14 |
The development and implementation of a comprehensive governance and privacy program demonstrates organizational accountability for and commitment to the protection of individual privacy. Accountability begins with the appointment of an SAOP/CPO with the authority, mission, resources, and responsibility to develop and implement a multifaceted privacy program. The SAOP/CPO, in consultation with legal counsel, information security officials, and others as appropriate: (i) ensures the development, implementation, and enforcement of privacy policies and procedures; (ii) defines roles and responsibilities for protecting PII; (iii) determines the level of information sensitivity with regard to PII holdings; (iv) identifies the laws, regulations, and internal policies that apply to the PII; (v) monitors privacy best practices; and (vi) monitors/audits compliance with identified privacy controls.
To further accountability, the SAOP/CPO develops privacy plans to document the privacy requirements of organizations and the privacy and security controls in place or planned for meeting those requirements. The plan serves as evidence of organizational privacy operations and supports resource requests by the SAOP/CPO. A single plan or multiple plans may be necessary depending upon the organizational structures, requirements, and resources, and the plan(s) may vary in comprehensiveness. For example, a one-page privacy plan may cover privacy policies, documentation, and controls already in place, such as Privacy Impact Assessments (PIA) and System of Records Notices (SORN). A comprehensive plan may include a baseline of privacy controls selected from this appendix and include: (i) processes for conducting privacy risk assessments; (ii) templates and guidance for completing PIAs and SORNs; (iii) privacy training and awareness requirements; (iv) requirements for contractors processing PII; (v) plans for eliminating unnecessary PII holdings; and (vi) a framework for measuring annual performance goals and objectives for implementing identified privacy controls |
The organization:
a. Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of personally identifiable information (PII) by programs and information systems;
b. Monitors federal privacy laws and policy for changes that affect the privacy program;
c. Allocates [Assignment: organization-defined allocation of budget and staffing] sufficient resources to implement and operate the organization-wide privacy program;
d. Develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures;
e. Develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII; and
f. Updates privacy plan, policies, and procedures [Assignment: organization-defined frequency, at least biennially]. |
| CCI-003414 |
The organization updates the privacy plan per organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines records of updates to ensure the organization being inspected/assessed updates the privacy plan at a minimum, biennially.
DoD has defined the frequency as at a minimum, biennially. |
The organization being inspected/assessed updates the privacy plan at a minimum, biennially.
The organization must maintain records of updates.
DoD has defined the frequency as at a minimum, biennially. |
Governance And Privacy Program |
AR-1 |
AR-1.15 |
The development and implementation of a comprehensive governance and privacy program demonstrates organizational accountability for and commitment to the protection of individual privacy. Accountability begins with the appointment of an SAOP/CPO with the authority, mission, resources, and responsibility to develop and implement a multifaceted privacy program. The SAOP/CPO, in consultation with legal counsel, information security officials, and others as appropriate: (i) ensures the development, implementation, and enforcement of privacy policies and procedures; (ii) defines roles and responsibilities for protecting PII; (iii) determines the level of information sensitivity with regard to PII holdings; (iv) identifies the laws, regulations, and internal policies that apply to the PII; (v) monitors privacy best practices; and (vi) monitors/audits compliance with identified privacy controls.
To further accountability, the SAOP/CPO develops privacy plans to document the privacy requirements of organizations and the privacy and security controls in place or planned for meeting those requirements. The plan serves as evidence of organizational privacy operations and supports resource requests by the SAOP/CPO. A single plan or multiple plans may be necessary depending upon the organizational structures, requirements, and resources, and the plan(s) may vary in comprehensiveness. For example, a one-page privacy plan may cover privacy policies, documentation, and controls already in place, such as Privacy Impact Assessments (PIA) and System of Records Notices (SORN). A comprehensive plan may include a baseline of privacy controls selected from this appendix and include: (i) processes for conducting privacy risk assessments; (ii) templates and guidance for completing PIAs and SORNs; (iii) privacy training and awareness requirements; (iv) requirements for contractors processing PII; (v) plans for eliminating unnecessary PII holdings; and (vi) a framework for measuring annual performance goals and objectives for implementing identified privacy controls |
The organization:
a. Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of personally identifiable information (PII) by programs and information systems;
b. Monitors federal privacy laws and policy for changes that affect the privacy program;
c. Allocates [Assignment: organization-defined allocation of budget and staffing] sufficient resources to implement and operate the organization-wide privacy program;
d. Develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures;
e. Develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII; and
f. Updates privacy plan, policies, and procedures [Assignment: organization-defined frequency, at least biennially]. |
| CCI-003415 |
The organization updates the privacy policies per organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines records of updates to ensure the organization being inspected/assessed updates the privacy policies at a minimum, biennially.
DoD has defined the frequency as at a minimum, biennially. |
The organization being inspected/assessed updates the privacy policies at a minimum, biennially.
The organization must maintain records of updates.
DoD has defined the frequency as at a minimum, biennially. |
Governance And Privacy Program |
AR-1 |
AR-1.16 |
The development and implementation of a comprehensive governance and privacy program demonstrates organizational accountability for and commitment to the protection of individual privacy. Accountability begins with the appointment of an SAOP/CPO with the authority, mission, resources, and responsibility to develop and implement a multifaceted privacy program. The SAOP/CPO, in consultation with legal counsel, information security officials, and others as appropriate: (i) ensures the development, implementation, and enforcement of privacy policies and procedures; (ii) defines roles and responsibilities for protecting PII; (iii) determines the level of information sensitivity with regard to PII holdings; (iv) identifies the laws, regulations, and internal policies that apply to the PII; (v) monitors privacy best practices; and (vi) monitors/audits compliance with identified privacy controls.
To further accountability, the SAOP/CPO develops privacy plans to document the privacy requirements of organizations and the privacy and security controls in place or planned for meeting those requirements. The plan serves as evidence of organizational privacy operations and supports resource requests by the SAOP/CPO. A single plan or multiple plans may be necessary depending upon the organizational structures, requirements, and resources, and the plan(s) may vary in comprehensiveness. For example, a one-page privacy plan may cover privacy policies, documentation, and controls already in place, such as Privacy Impact Assessments (PIA) and System of Records Notices (SORN). A comprehensive plan may include a baseline of privacy controls selected from this appendix and include: (i) processes for conducting privacy risk assessments; (ii) templates and guidance for completing PIAs and SORNs; (iii) privacy training and awareness requirements; (iv) requirements for contractors processing PII; (v) plans for eliminating unnecessary PII holdings; and (vi) a framework for measuring annual performance goals and objectives for implementing identified privacy controls |
The organization:
a. Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of personally identifiable information (PII) by programs and information systems;
b. Monitors federal privacy laws and policy for changes that affect the privacy program;
c. Allocates [Assignment: organization-defined allocation of budget and staffing] sufficient resources to implement and operate the organization-wide privacy program;
d. Develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures;
e. Develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII; and
f. Updates privacy plan, policies, and procedures [Assignment: organization-defined frequency, at least biennially]. |
| CCI-003416 |
The organization updates the privacy procedures per organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines records of updates to ensure the organization being inspected/assessed updates privacy procedures at a minimum, biennially.
DoD has defined the frequency as at a minimum, biennially. |
The organization being inspected/assessed updates privacy procedures at a minimum, biennially.
The organization must maintain records of updates.
DoD has defined the frequency as at a minimum, biennially. |
Governance And Privacy Program |
AR-1 |
AR-1.17 |
The development and implementation of a comprehensive governance and privacy program demonstrates organizational accountability for and commitment to the protection of individual privacy. Accountability begins with the appointment of an SAOP/CPO with the authority, mission, resources, and responsibility to develop and implement a multifaceted privacy program. The SAOP/CPO, in consultation with legal counsel, information security officials, and others as appropriate: (i) ensures the development, implementation, and enforcement of privacy policies and procedures; (ii) defines roles and responsibilities for protecting PII; (iii) determines the level of information sensitivity with regard to PII holdings; (iv) identifies the laws, regulations, and internal policies that apply to the PII; (v) monitors privacy best practices; and (vi) monitors/audits compliance with identified privacy controls.
To further accountability, the SAOP/CPO develops privacy plans to document the privacy requirements of organizations and the privacy and security controls in place or planned for meeting those requirements. The plan serves as evidence of organizational privacy operations and supports resource requests by the SAOP/CPO. A single plan or multiple plans may be necessary depending upon the organizational structures, requirements, and resources, and the plan(s) may vary in comprehensiveness. For example, a one-page privacy plan may cover privacy policies, documentation, and controls already in place, such as Privacy Impact Assessments (PIA) and System of Records Notices (SORN). A comprehensive plan may include a baseline of privacy controls selected from this appendix and include: (i) processes for conducting privacy risk assessments; (ii) templates and guidance for completing PIAs and SORNs; (iii) privacy training and awareness requirements; (iv) requirements for contractors processing PII; (v) plans for eliminating unnecessary PII holdings; and (vi) a framework for measuring annual performance goals and objectives for implementing identified privacy controls |
The organization:
a. Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of personally identifiable information (PII) by programs and information systems;
b. Monitors federal privacy laws and policy for changes that affect the privacy program;
c. Allocates [Assignment: organization-defined allocation of budget and staffing] sufficient resources to implement and operate the organization-wide privacy program;
d. Develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures;
e. Develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII; and
f. Updates privacy plan, policies, and procedures [Assignment: organization-defined frequency, at least biennially]. |
| CCI-003417 |
The organization documents a privacy risk management process which assesses the privacy risk to individuals. |
The organization conducting the inspection/assessment obtains and examines the documented privacy risk management process which assesses the privacy risk to individuals. |
The organization being inspected/assessed documents a privacy risk management process which assesses the privacy risk to individuals. |
Privacy Impact And Risk Assessment |
AR-2 |
AR-2.1 |
Organizational privacy risk management processes operate across the life cycles of all mission/business processes that collect, use, maintain, share, or dispose of PII. The tools and processes for managing risk are specific to organizational missions and resources. They include, but are not limited to, the conduct of PIAs. The PIA is both a process and the document that is the outcome of that process. OMB Memorandum 03-22 provides guidance to organizations for implementing the privacy provisions of the E-Government Act of 2002, including guidance on when PIAs are required for information systems. Some organizations may be required by law or policy to extend the PIA requirement to other activities involving PII or otherwise impacting privacy (e.g., programs, projects, or regulations). PIAs are conducted to identify privacy risks and identify methods to mitigate those risks. PIAs are also conducted to ensure that programs or information systems comply with legal, regulatory, and policy requirements. PIAs also serve as notice to the public of privacy practices. PIAs are performed before developing or procuring information systems, or initiating programs or projects, that collect, use, maintain, or share PII and are updated when changes create new privacy risks. |
The organization:
a. Documents and implements a privacy risk management process that assesses privacy risk to individuals resulting from the collection, sharing, storing, transmitting, use, and disposal of personally identifiable information (PII); and
b. Conducts Privacy Impact Assessments (PIAs) for information systems, programs, or other activities that pose a privacy risk in accordance with applicable law, OMB policy, or any existing organizational policies and procedures. |
| CCI-003418 |
The organization implements a privacy risk management process which assesses the privacy risk to individuals. |
The organization conducting the inspection/assessment obtains and examines the documents which implement a privacy risk management process which assesses the privacy risk to individuals. |
The organization being inspected/assessed implements a privacy risk management process which assesses the privacy risk to individuals. |
Privacy Impact And Risk Assessment |
AR-2 |
AR-2.2 |
Organizational privacy risk management processes operate across the life cycles of all mission/business processes that collect, use, maintain, share, or dispose of PII. The tools and processes for managing risk are specific to organizational missions and resources. They include, but are not limited to, the conduct of PIAs. The PIA is both a process and the document that is the outcome of that process. OMB Memorandum 03-22 provides guidance to organizations for implementing the privacy provisions of the E-Government Act of 2002, including guidance on when PIAs are required for information systems. Some organizations may be required by law or policy to extend the PIA requirement to other activities involving PII or otherwise impacting privacy (e.g., programs, projects, or regulations). PIAs are conducted to identify privacy risks and identify methods to mitigate those risks. PIAs are also conducted to ensure that programs or information systems comply with legal, regulatory, and policy requirements. PIAs also serve as notice to the public of privacy practices. PIAs are performed before developing or procuring information systems, or initiating programs or projects, that collect, use, maintain, or share PII and are updated when changes create new privacy risks. |
The organization:
a. Documents and implements a privacy risk management process that assesses privacy risk to individuals resulting from the collection, sharing, storing, transmitting, use, and disposal of personally identifiable information (PII); and
b. Conducts Privacy Impact Assessments (PIAs) for information systems, programs, or other activities that pose a privacy risk in accordance with applicable law, OMB policy, or any existing organizational policies and procedures. |
| CCI-003419 |
The organization^s privacy risk management process assesses the privacy risk to individuals resulting from the collection of personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the documented privacy risk management process which assesses the privacy risk to individuals resulting from the collection of PII. (http://iatraining.disa.mil/eta/piiv2/launchPage.htm) |
The organization being inspected/assessed documents a privacy risk management process which assesses the privacy risk to individuals resulting from the collection of PII. (http://iatraining.disa.mil/eta/piiv2/launchPage.htm) |
Privacy Impact And Risk Assessment |
AR-2 |
AR-2.3 |
Organizational privacy risk management processes operate across the life cycles of all mission/business processes that collect, use, maintain, share, or dispose of PII. The tools and processes for managing risk are specific to organizational missions and resources. They include, but are not limited to, the conduct of PIAs. The PIA is both a process and the document that is the outcome of that process. OMB Memorandum 03-22 provides guidance to organizations for implementing the privacy provisions of the E-Government Act of 2002, including guidance on when PIAs are required for information systems. Some organizations may be required by law or policy to extend the PIA requirement to other activities involving PII or otherwise impacting privacy (e.g., programs, projects, or regulations). PIAs are conducted to identify privacy risks and identify methods to mitigate those risks. PIAs are also conducted to ensure that programs or information systems comply with legal, regulatory, and policy requirements. PIAs also serve as notice to the public of privacy practices. PIAs are performed before developing or procuring information systems, or initiating programs or projects, that collect, use, maintain, or share PII and are updated when changes create new privacy risks. |
The organization:
a. Documents and implements a privacy risk management process that assesses privacy risk to individuals resulting from the collection, sharing, storing, transmitting, use, and disposal of personally identifiable information (PII); and
b. Conducts Privacy Impact Assessments (PIAs) for information systems, programs, or other activities that pose a privacy risk in accordance with applicable law, OMB policy, or any existing organizational policies and procedures. |
| CCI-003420 |
The organization^s privacy risk management process assesses the privacy risk to individuals resulting from the sharing of personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the documented privacy risk management process which assesses the privacy risk to individuals resulting from the sharing of PII. (http://iatraining.disa.mil/eta/piiv2/launchPage.htm) |
The organization being inspected/assessed documents a privacy risk management process which assesses the privacy risk to individuals resulting from t sharing of PII. (http://iatraining.disa.mil/eta/piiv2/launchPage.htm) |
Privacy Impact And Risk Assessment |
AR-2 |
AR-2.4 |
Organizational privacy risk management processes operate across the life cycles of all mission/business processes that collect, use, maintain, share, or dispose of PII. The tools and processes for managing risk are specific to organizational missions and resources. They include, but are not limited to, the conduct of PIAs. The PIA is both a process and the document that is the outcome of that process. OMB Memorandum 03-22 provides guidance to organizations for implementing the privacy provisions of the E-Government Act of 2002, including guidance on when PIAs are required for information systems. Some organizations may be required by law or policy to extend the PIA requirement to other activities involving PII or otherwise impacting privacy (e.g., programs, projects, or regulations). PIAs are conducted to identify privacy risks and identify methods to mitigate those risks. PIAs are also conducted to ensure that programs or information systems comply with legal, regulatory, and policy requirements. PIAs also serve as notice to the public of privacy practices. PIAs are performed before developing or procuring information systems, or initiating programs or projects, that collect, use, maintain, or share PII and are updated when changes create new privacy risks. |
The organization:
a. Documents and implements a privacy risk management process that assesses privacy risk to individuals resulting from the collection, sharing, storing, transmitting, use, and disposal of personally identifiable information (PII); and
b. Conducts Privacy Impact Assessments (PIAs) for information systems, programs, or other activities that pose a privacy risk in accordance with applicable law, OMB policy, or any existing organizational policies and procedures. |
| CCI-003421 |
The organization^s privacy risk management process assesses the privacy risk to individuals resulting from the storing of personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the documented privacy risk management process which assesses the privacy risk to individuals resulting from the storing of PII. (http://iatraining.disa.mil/eta/piiv2/launchPage.htm) |
The organization being inspected/assessed documents a privacy risk management process which assesses the privacy risk to individuals resulting from the storing of PII. (http://iatraining.disa.mil/eta/piiv2/launchPage.htm) |
Privacy Impact And Risk Assessment |
AR-2 |
AR-2.5 |
Organizational privacy risk management processes operate across the life cycles of all mission/business processes that collect, use, maintain, share, or dispose of PII. The tools and processes for managing risk are specific to organizational missions and resources. They include, but are not limited to, the conduct of PIAs. The PIA is both a process and the document that is the outcome of that process. OMB Memorandum 03-22 provides guidance to organizations for implementing the privacy provisions of the E-Government Act of 2002, including guidance on when PIAs are required for information systems. Some organizations may be required by law or policy to extend the PIA requirement to other activities involving PII or otherwise impacting privacy (e.g., programs, projects, or regulations). PIAs are conducted to identify privacy risks and identify methods to mitigate those risks. PIAs are also conducted to ensure that programs or information systems comply with legal, regulatory, and policy requirements. PIAs also serve as notice to the public of privacy practices. PIAs are performed before developing or procuring information systems, or initiating programs or projects, that collect, use, maintain, or share PII and are updated when changes create new privacy risks. |
The organization:
a. Documents and implements a privacy risk management process that assesses privacy risk to individuals resulting from the collection, sharing, storing, transmitting, use, and disposal of personally identifiable information (PII); and
b. Conducts Privacy Impact Assessments (PIAs) for information systems, programs, or other activities that pose a privacy risk in accordance with applicable law, OMB policy, or any existing organizational policies and procedures. |
| CCI-003422 |
The organization^s privacy risk management process assesses the privacy risk to individuals resulting from the transmitting of personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the documented privacy risk management process which assesses the privacy risk to individuals resulting from the transmitting of PII. (http://iatraining.disa.mil/eta/piiv2/launchPage.htm) |
The organization being inspected/assessed documents a privacy risk management process which assesses the privacy risk to individuals resulting from the transmitting of PII. (http://iatraining.disa.mil/eta/piiv2/launchPage.htm) |
Privacy Impact And Risk Assessment |
AR-2 |
AR-2.6 |
Organizational privacy risk management processes operate across the life cycles of all mission/business processes that collect, use, maintain, share, or dispose of PII. The tools and processes for managing risk are specific to organizational missions and resources. They include, but are not limited to, the conduct of PIAs. The PIA is both a process and the document that is the outcome of that process. OMB Memorandum 03-22 provides guidance to organizations for implementing the privacy provisions of the E-Government Act of 2002, including guidance on when PIAs are required for information systems. Some organizations may be required by law or policy to extend the PIA requirement to other activities involving PII or otherwise impacting privacy (e.g., programs, projects, or regulations). PIAs are conducted to identify privacy risks and identify methods to mitigate those risks. PIAs are also conducted to ensure that programs or information systems comply with legal, regulatory, and policy requirements. PIAs also serve as notice to the public of privacy practices. PIAs are performed before developing or procuring information systems, or initiating programs or projects, that collect, use, maintain, or share PII and are updated when changes create new privacy risks. |
The organization:
a. Documents and implements a privacy risk management process that assesses privacy risk to individuals resulting from the collection, sharing, storing, transmitting, use, and disposal of personally identifiable information (PII); and
b. Conducts Privacy Impact Assessments (PIAs) for information systems, programs, or other activities that pose a privacy risk in accordance with applicable law, OMB policy, or any existing organizational policies and procedures. |
| CCI-003423 |
The organization^s privacy risk management process assesses the privacy risk to individuals resulting from the use of personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the documented privacy risk management process which assesses the privacy risk to individuals resulting from the use of PII. (http://iatraining.disa.mil/eta/piiv2/launchPage.htm) |
The organization being inspected/assessed documents a privacy risk management process which assesses the privacy risk to individuals resulting from the use of PII. (http://iatraining.disa.mil/eta/piiv2/launchPage.htm) |
Privacy Impact And Risk Assessment |
AR-2 |
AR-2.7 |
Organizational privacy risk management processes operate across the life cycles of all mission/business processes that collect, use, maintain, share, or dispose of PII. The tools and processes for managing risk are specific to organizational missions and resources. They include, but are not limited to, the conduct of PIAs. The PIA is both a process and the document that is the outcome of that process. OMB Memorandum 03-22 provides guidance to organizations for implementing the privacy provisions of the E-Government Act of 2002, including guidance on when PIAs are required for information systems. Some organizations may be required by law or policy to extend the PIA requirement to other activities involving PII or otherwise impacting privacy (e.g., programs, projects, or regulations). PIAs are conducted to identify privacy risks and identify methods to mitigate those risks. PIAs are also conducted to ensure that programs or information systems comply with legal, regulatory, and policy requirements. PIAs also serve as notice to the public of privacy practices. PIAs are performed before developing or procuring information systems, or initiating programs or projects, that collect, use, maintain, or share PII and are updated when changes create new privacy risks. |
The organization:
a. Documents and implements a privacy risk management process that assesses privacy risk to individuals resulting from the collection, sharing, storing, transmitting, use, and disposal of personally identifiable information (PII); and
b. Conducts Privacy Impact Assessments (PIAs) for information systems, programs, or other activities that pose a privacy risk in accordance with applicable law, OMB policy, or any existing organizational policies and procedures. |
| CCI-003424 |
The organization^s privacy risk management process assesses the privacy risk to individuals resulting from the disposal of personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the documented privacy risk management process which assesses the privacy risk to individuals resulting from the disposal of PII. (http://iatraining.disa.mil/eta/piiv2/launchPage.htm) |
The organization being inspected/assessed documents a privacy risk management process which assesses the privacy risk to individuals resulting from the disposal of PII. (http://iatraining.disa.mil/eta/piiv2/launchPage.htm) |
Privacy Impact And Risk Assessment |
AR-2 |
AR-2.8 |
Organizational privacy risk management processes operate across the life cycles of all mission/business processes that collect, use, maintain, share, or dispose of PII. The tools and processes for managing risk are specific to organizational missions and resources. They include, but are not limited to, the conduct of PIAs. The PIA is both a process and the document that is the outcome of that process. OMB Memorandum 03-22 provides guidance to organizations for implementing the privacy provisions of the E-Government Act of 2002, including guidance on when PIAs are required for information systems. Some organizations may be required by law or policy to extend the PIA requirement to other activities involving PII or otherwise impacting privacy (e.g., programs, projects, or regulations). PIAs are conducted to identify privacy risks and identify methods to mitigate those risks. PIAs are also conducted to ensure that programs or information systems comply with legal, regulatory, and policy requirements. PIAs also serve as notice to the public of privacy practices. PIAs are performed before developing or procuring information systems, or initiating programs or projects, that collect, use, maintain, or share PII and are updated when changes create new privacy risks. |
The organization:
a. Documents and implements a privacy risk management process that assesses privacy risk to individuals resulting from the collection, sharing, storing, transmitting, use, and disposal of personally identifiable information (PII); and
b. Conducts Privacy Impact Assessments (PIAs) for information systems, programs, or other activities that pose a privacy risk in accordance with applicable law, OMB policy, or any existing organizational policies and procedures. |
| CCI-003425 |
The organization conducts Privacy Impact Assessments (PIAs) for information systems, programs, or other activities that pose a privacy risk in accordance with applicable law, OMB policy, or any existing organizational policies and procedures. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed conducts Privacy Impact Assessments (PIAs) for information systems, programs, or other activities that pose a privacy risk in accordance with applicable law, OMB policy, or any existing organizational policies and procedures. |
The organization being inspected/assessed documents and implements a process to conduct Privacy Impact Assessments (PIAs) for information systems, programs, or other activities that pose a privacy risk in accordance with applicable law, OMB policy, or any existing organizational policies and procedures.
Only applies to non national security systems. |
Privacy Impact And Risk Assessment |
AR-2 |
AR-2.9 |
Organizational privacy risk management processes operate across the life cycles of all mission/business processes that collect, use, maintain, share, or dispose of PII. The tools and processes for managing risk are specific to organizational missions and resources. They include, but are not limited to, the conduct of PIAs. The PIA is both a process and the document that is the outcome of that process. OMB Memorandum 03-22 provides guidance to organizations for implementing the privacy provisions of the E-Government Act of 2002, including guidance on when PIAs are required for information systems. Some organizations may be required by law or policy to extend the PIA requirement to other activities involving PII or otherwise impacting privacy (e.g., programs, projects, or regulations). PIAs are conducted to identify privacy risks and identify methods to mitigate those risks. PIAs are also conducted to ensure that programs or information systems comply with legal, regulatory, and policy requirements. PIAs also serve as notice to the public of privacy practices. PIAs are performed before developing or procuring information systems, or initiating programs or projects, that collect, use, maintain, or share PII and are updated when changes create new privacy risks. |
The organization:
a. Documents and implements a privacy risk management process that assesses privacy risk to individuals resulting from the collection, sharing, storing, transmitting, use, and disposal of personally identifiable information (PII); and
b. Conducts Privacy Impact Assessments (PIAs) for information systems, programs, or other activities that pose a privacy risk in accordance with applicable law, OMB policy, or any existing organizational policies and procedures. |
| CCI-003426 |
The organization establishes privacy roles for contractors. |
The organization conducting the inspection/assessment obtains and examines the documented privacy roles for contractors. |
The organization being inspected/assessed establishes and documents privacy roles for contractors. |
Privacy Requirements For Contractors And Service Providers |
AR-3 |
AR-3.1 |
Contractors and service providers include, but are not limited to, information providers, information processors, and other organizations providing information system development, information technology services, and other outsourced applications. Organizations consult with legal counsel, the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO), and contracting officers about applicable laws, directives, policies, or regulations that may impact implementation of this control. Related control: AR-1, AR-5, SA-4. |
The organization:
a. Establishes privacy roles, responsibilities, and access requirements for contractors and service providers; and
b. Includes privacy requirements in contracts and other acquisition-related documents. |
| CCI-003427 |
The organization establishes privacy responsibilities for contractors. |
The organization conducting the inspection/assessment obtains and examines the documented privacy responsibilities for contractors. |
The organization being inspected/assessed establishes and documents privacy responsibilities for contractors. |
Privacy Requirements For Contractors And Service Providers |
AR-3 |
AR-3.2 |
Contractors and service providers include, but are not limited to, information providers, information processors, and other organizations providing information system development, information technology services, and other outsourced applications. Organizations consult with legal counsel, the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO), and contracting officers about applicable laws, directives, policies, or regulations that may impact implementation of this control. Related control: AR-1, AR-5, SA-4. |
The organization:
a. Establishes privacy roles, responsibilities, and access requirements for contractors and service providers; and
b. Includes privacy requirements in contracts and other acquisition-related documents. |
| CCI-003428 |
The organization establishes access requirements for contractors. |
The organization conducting the inspection/assessment obtains and examines the access requirements for contractors. |
The organization being inspected/assessed establishes and documents access requirements for contractors. |
Privacy Requirements For Contractors And Service Providers |
AR-3 |
AR-3.3 |
Contractors and service providers include, but are not limited to, information providers, information processors, and other organizations providing information system development, information technology services, and other outsourced applications. Organizations consult with legal counsel, the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO), and contracting officers about applicable laws, directives, policies, or regulations that may impact implementation of this control. Related control: AR-1, AR-5, SA-4. |
The organization:
a. Establishes privacy roles, responsibilities, and access requirements for contractors and service providers; and
b. Includes privacy requirements in contracts and other acquisition-related documents. |
| CCI-003429 |
The organization establishes privacy roles for service providers. |
The organization conducting the inspection/assessment obtains and examines the privacy roles established for service providers. |
The organization being inspected/assessed establishes and documents privacy roles for service providers. |
Privacy Requirements For Contractors And Service Providers |
AR-3 |
AR-3.4 |
Contractors and service providers include, but are not limited to, information providers, information processors, and other organizations providing information system development, information technology services, and other outsourced applications. Organizations consult with legal counsel, the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO), and contracting officers about applicable laws, directives, policies, or regulations that may impact implementation of this control. Related control: AR-1, AR-5, SA-4. |
The organization:
a. Establishes privacy roles, responsibilities, and access requirements for contractors and service providers; and
b. Includes privacy requirements in contracts and other acquisition-related documents. |
| CCI-003430 |
The organization establishes privacy responsibilities for service providers. |
The organization conducting the inspection/assessment obtains and examines the privacy responsibilities established for service providers. |
The organization being inspected/assessed establishes and documents privacy responsibilities for service providers. |
Privacy Requirements For Contractors And Service Providers |
AR-3 |
AR-3.5 |
Contractors and service providers include, but are not limited to, information providers, information processors, and other organizations providing information system development, information technology services, and other outsourced applications. Organizations consult with legal counsel, the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO), and contracting officers about applicable laws, directives, policies, or regulations that may impact implementation of this control. Related control: AR-1, AR-5, SA-4. |
The organization:
a. Establishes privacy roles, responsibilities, and access requirements for contractors and service providers; and
b. Includes privacy requirements in contracts and other acquisition-related documents. |
| CCI-003431 |
The organization establishes access requirements for service providers. |
The organization conducting the inspection/assessment obtains and examines the access requirements established for service providers. |
The organization being inspected/assessed establishes and documents access requirements for service providers. |
Privacy Requirements For Contractors And Service Providers |
AR-3 |
AR-3.6 |
Contractors and service providers include, but are not limited to, information providers, information processors, and other organizations providing information system development, information technology services, and other outsourced applications. Organizations consult with legal counsel, the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO), and contracting officers about applicable laws, directives, policies, or regulations that may impact implementation of this control. Related control: AR-1, AR-5, SA-4. |
The organization:
a. Establishes privacy roles, responsibilities, and access requirements for contractors and service providers; and
b. Includes privacy requirements in contracts and other acquisition-related documents. |
| CCI-003432 |
The organization includes privacy requirements in contracts. |
The organization conducting the inspection/assessment obtains and examines a representative sample and business procedures which ensure all contracts include the privacy requirements from Federal Acquisition Regulation Subpart 24.1, 48 CFR Part 24 and Part 39.105, and DoDD 5400.11. |
The organization being inspected/assessed includes the privacy requirements from Federal Acquisition Regulation Subpart 24.1, 48 CFR Part 24 and Part 39.105, and DoDD 5400.11 in contracts. |
Privacy Requirements For Contractors And Service Providers |
AR-3 |
AR-3.7 |
Contractors and service providers include, but are not limited to, information providers, information processors, and other organizations providing information system development, information technology services, and other outsourced applications. Organizations consult with legal counsel, the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO), and contracting officers about applicable laws, directives, policies, or regulations that may impact implementation of this control. Related control: AR-1, AR-5, SA-4. |
The organization:
a. Establishes privacy roles, responsibilities, and access requirements for contractors and service providers; and
b. Includes privacy requirements in contracts and other acquisition-related documents. |
| CCI-003433 |
The organization includes privacy requirements in other acquisition-related documents. |
The organization conducting the inspection/assessment obtains and examines the business procedures and a representative sample of the documents to demonstrate all other acquisition-related documents applicable to the information system include the privacy requirements from Federal Acquisition Regulation Subpart 24.1, 48 CFR Part 24 and Part 39.105, and DoDD 5400.11. |
The organization being inspected/assessed includes the privacy requirements from Federal Acquisition Regulation Subpart 24.1, 48 CFR Part 24 and Part 39.105, and DoDD 5400.11 in other acquisition-related documents. |
Privacy Requirements For Contractors And Service Providers |
AR-3 |
AR-3.8 |
Contractors and service providers include, but are not limited to, information providers, information processors, and other organizations providing information system development, information technology services, and other outsourced applications. Organizations consult with legal counsel, the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO), and contracting officers about applicable laws, directives, policies, or regulations that may impact implementation of this control. Related control: AR-1, AR-5, SA-4. |
The organization:
a. Establishes privacy roles, responsibilities, and access requirements for contractors and service providers; and
b. Includes privacy requirements in contracts and other acquisition-related documents. |
| CCI-003434 |
The organization defines the frequency for monitoring privacy controls and internal privacy policy to ensure effective implementation. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as upon a change in the privacy, security or authorization posture of the system and not to exceed every three years. |
DoD has defined the frequency as upon a change in the privacy, security or authorization posture of the system and not to exceed every three years. |
Privacy Monitoring And Auditing |
AR-4 |
AR-4.1 |
To promote accountability, organizations identify and address gaps in privacy compliance, management, operational, and technical controls by conducting regular assessments (e.g., internal risk assessments). These assessments can be self-assessments or third-party audits that result in reports on compliance gaps identified in programs, projects, and information systems. In addition to auditing for effective implementation of all privacy controls identified in this appendix, organizations assess whether they: (i) implement a process to embed privacy considerations into the life cycle of personally identifiable information (PII), programs, information systems, mission/business processes, and technology; (ii) monitor for changes to applicable privacy laws, regulations, and policies; (iii) track programs, information systems, and applications that collect and maintain PII to ensure compliance; (iv) ensure that access to PII is only on a need-to-know basis; and (v) ensure that PII is being maintained and used only for the legally authorized purposes identified in the public notice(s).
Organizations also: (i) implement technology to audit for the security, appropriate use, and loss of PII; (ii) perform reviews to ensure physical security of documents containing PII; (iii) assess contractor compliance with privacy requirements; and (iv) ensure that corrective actions identified as part of the assessment process are tracked and monitored until audit findings are corrected. The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) coordinates monitoring and auditing efforts with information security officials and ensures that the results are provided to senior managers and oversight officials. Related controls: AR-6, AR-7, AU-1, AU-2, AU-3, AU-6, AU-12, CA-7, TR-1, UL-2. |
The organization monitors and audits privacy controls and internal privacy policy [Assignment: organization-defined frequency] to ensure effective implementation. |
| CCI-003435 |
The organization defines the frequency for auditing privacy controls and internal privacy policy to ensure effective implementation. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as every three years or as required by major system change.
DoD has defined the frequency as upon a change in the privacy, security or authorization posture of the system and not to exceed every three years. |
DoD has defined the frequency as every three years or as required by major system change.
DoD has defined the frequency as upon a change in the privacy, security or authorization posture of the system and not to exceed every three years. |
Privacy Monitoring And Auditing |
AR-4 |
AR-4.2 |
To promote accountability, organizations identify and address gaps in privacy compliance, management, operational, and technical controls by conducting regular assessments (e.g., internal risk assessments). These assessments can be self-assessments or third-party audits that result in reports on compliance gaps identified in programs, projects, and information systems. In addition to auditing for effective implementation of all privacy controls identified in this appendix, organizations assess whether they: (i) implement a process to embed privacy considerations into the life cycle of personally identifiable information (PII), programs, information systems, mission/business processes, and technology; (ii) monitor for changes to applicable privacy laws, regulations, and policies; (iii) track programs, information systems, and applications that collect and maintain PII to ensure compliance; (iv) ensure that access to PII is only on a need-to-know basis; and (v) ensure that PII is being maintained and used only for the legally authorized purposes identified in the public notice(s).
Organizations also: (i) implement technology to audit for the security, appropriate use, and loss of PII; (ii) perform reviews to ensure physical security of documents containing PII; (iii) assess contractor compliance with privacy requirements; and (iv) ensure that corrective actions identified as part of the assessment process are tracked and monitored until audit findings are corrected. The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) coordinates monitoring and auditing efforts with information security officials and ensures that the results are provided to senior managers and oversight officials. Related controls: AR-6, AR-7, AU-1, AU-2, AU-3, AU-6, AU-12, CA-7, TR-1, UL-2. |
The organization monitors and audits privacy controls and internal privacy policy [Assignment: organization-defined frequency] to ensure effective implementation. |
| CCI-003436 |
The organization monitors privacy controls, per organization-defined frequency, to ensure effective implementation. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed monitors privacy controls to ensure effective implementation. |
The organization being inspected/assessed documents and implements a process to monitor privacy controls to ensure effective implementation. |
Privacy Monitoring And Auditing |
AR-4 |
AR-4.3 |
To promote accountability, organizations identify and address gaps in privacy compliance, management, operational, and technical controls by conducting regular assessments (e.g., internal risk assessments). These assessments can be self-assessments or third-party audits that result in reports on compliance gaps identified in programs, projects, and information systems. In addition to auditing for effective implementation of all privacy controls identified in this appendix, organizations assess whether they: (i) implement a process to embed privacy considerations into the life cycle of personally identifiable information (PII), programs, information systems, mission/business processes, and technology; (ii) monitor for changes to applicable privacy laws, regulations, and policies; (iii) track programs, information systems, and applications that collect and maintain PII to ensure compliance; (iv) ensure that access to PII is only on a need-to-know basis; and (v) ensure that PII is being maintained and used only for the legally authorized purposes identified in the public notice(s).
Organizations also: (i) implement technology to audit for the security, appropriate use, and loss of PII; (ii) perform reviews to ensure physical security of documents containing PII; (iii) assess contractor compliance with privacy requirements; and (iv) ensure that corrective actions identified as part of the assessment process are tracked and monitored until audit findings are corrected. The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) coordinates monitoring and auditing efforts with information security officials and ensures that the results are provided to senior managers and oversight officials. Related controls: AR-6, AR-7, AU-1, AU-2, AU-3, AU-6, AU-12, CA-7, TR-1, UL-2. |
The organization monitors and audits privacy controls and internal privacy policy [Assignment: organization-defined frequency] to ensure effective implementation. |
| CCI-003437 |
The organization monitors internal privacy policy to ensure effective implementation. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed monitors internal privacy policy to ensure effective implementation. |
The organization being inspected/assessed documents and implements a process to monitor internal privacy policy to ensure effective implementation. |
Privacy Monitoring And Auditing |
AR-4 |
AR-4.4 |
To promote accountability, organizations identify and address gaps in privacy compliance, management, operational, and technical controls by conducting regular assessments (e.g., internal risk assessments). These assessments can be self-assessments or third-party audits that result in reports on compliance gaps identified in programs, projects, and information systems. In addition to auditing for effective implementation of all privacy controls identified in this appendix, organizations assess whether they: (i) implement a process to embed privacy considerations into the life cycle of personally identifiable information (PII), programs, information systems, mission/business processes, and technology; (ii) monitor for changes to applicable privacy laws, regulations, and policies; (iii) track programs, information systems, and applications that collect and maintain PII to ensure compliance; (iv) ensure that access to PII is only on a need-to-know basis; and (v) ensure that PII is being maintained and used only for the legally authorized purposes identified in the public notice(s).
Organizations also: (i) implement technology to audit for the security, appropriate use, and loss of PII; (ii) perform reviews to ensure physical security of documents containing PII; (iii) assess contractor compliance with privacy requirements; and (iv) ensure that corrective actions identified as part of the assessment process are tracked and monitored until audit findings are corrected. The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) coordinates monitoring and auditing efforts with information security officials and ensures that the results are provided to senior managers and oversight officials. Related controls: AR-6, AR-7, AU-1, AU-2, AU-3, AU-6, AU-12, CA-7, TR-1, UL-2. |
The organization monitors and audits privacy controls and internal privacy policy [Assignment: organization-defined frequency] to ensure effective implementation. |
| CCI-003438 |
The organization audits privacy controls, per organization-defined frequency, to ensure effective implementation. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail to ensure the organization being inspected/assessed audits privacy controls, every three years or as required by major system change, to ensure effective implementation.
DoD has defined the frequency as every three years or as required by major system change.
DoD has defined the frequency as upon a change in the privacy, security or authorization posture of the system and not to exceed every three years. |
The organization being inspected/assessed documents and implements a process to audit privacy controls, every three years or as required by major system change, to ensure effective implementation.
The organization must maintain an audit trail.
DoD has defined the frequency as every three years or as required by major system change.
DoD has defined the frequency as upon a change in the privacy, security or authorization posture of the system and not to exceed every three years. |
Privacy Monitoring And Auditing |
AR-4 |
AR-4.5 |
To promote accountability, organizations identify and address gaps in privacy compliance, management, operational, and technical controls by conducting regular assessments (e.g., internal risk assessments). These assessments can be self-assessments or third-party audits that result in reports on compliance gaps identified in programs, projects, and information systems. In addition to auditing for effective implementation of all privacy controls identified in this appendix, organizations assess whether they: (i) implement a process to embed privacy considerations into the life cycle of personally identifiable information (PII), programs, information systems, mission/business processes, and technology; (ii) monitor for changes to applicable privacy laws, regulations, and policies; (iii) track programs, information systems, and applications that collect and maintain PII to ensure compliance; (iv) ensure that access to PII is only on a need-to-know basis; and (v) ensure that PII is being maintained and used only for the legally authorized purposes identified in the public notice(s).
Organizations also: (i) implement technology to audit for the security, appropriate use, and loss of PII; (ii) perform reviews to ensure physical security of documents containing PII; (iii) assess contractor compliance with privacy requirements; and (iv) ensure that corrective actions identified as part of the assessment process are tracked and monitored until audit findings are corrected. The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) coordinates monitoring and auditing efforts with information security officials and ensures that the results are provided to senior managers and oversight officials. Related controls: AR-6, AR-7, AU-1, AU-2, AU-3, AU-6, AU-12, CA-7, TR-1, UL-2. |
The organization monitors and audits privacy controls and internal privacy policy [Assignment: organization-defined frequency] to ensure effective implementation. |
| CCI-003439 |
The organization audits internal privacy policy, per organization-defined frequency, to ensure effective implementation. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail to ensure the organization being inspected/assessed audits privacy controls, every three years or as required by major system change, to ensure effective implementation.
DoD has defined the frequency as every three years or as required by major system change.
DoD has defined the frequency as upon a change in the privacy, security or authorization posture of the system and not to exceed every three years. |
The organization being inspected/assessed documents and implements a process to audit privacy controls, every three years or as required by major system change, to ensure effective implementation.
The organization must maintain an audit trail.
DoD has defined the frequency as every three years or as required by major system change.
DoD has defined the frequency as upon a change in the privacy, security or authorization posture of the system and not to exceed every three years. |
Privacy Monitoring And Auditing |
AR-4 |
AR-4.6 |
To promote accountability, organizations identify and address gaps in privacy compliance, management, operational, and technical controls by conducting regular assessments (e.g., internal risk assessments). These assessments can be self-assessments or third-party audits that result in reports on compliance gaps identified in programs, projects, and information systems. In addition to auditing for effective implementation of all privacy controls identified in this appendix, organizations assess whether they: (i) implement a process to embed privacy considerations into the life cycle of personally identifiable information (PII), programs, information systems, mission/business processes, and technology; (ii) monitor for changes to applicable privacy laws, regulations, and policies; (iii) track programs, information systems, and applications that collect and maintain PII to ensure compliance; (iv) ensure that access to PII is only on a need-to-know basis; and (v) ensure that PII is being maintained and used only for the legally authorized purposes identified in the public notice(s).
Organizations also: (i) implement technology to audit for the security, appropriate use, and loss of PII; (ii) perform reviews to ensure physical security of documents containing PII; (iii) assess contractor compliance with privacy requirements; and (iv) ensure that corrective actions identified as part of the assessment process are tracked and monitored until audit findings are corrected. The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) coordinates monitoring and auditing efforts with information security officials and ensures that the results are provided to senior managers and oversight officials. Related controls: AR-6, AR-7, AU-1, AU-2, AU-3, AU-6, AU-12, CA-7, TR-1, UL-2. |
The organization monitors and audits privacy controls and internal privacy policy [Assignment: organization-defined frequency] to ensure effective implementation. |
| CCI-003440 |
The organization develops a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures. |
The organization conducting the inspection/assessment obtains and examines the documented evidence of a review as to whether the IASE provided PII training provides personnel with the information necessary to understand their roles and responsibilities. If the documented review indicates that organization-specific training is necessary, then the organization conducting the inspection/assessment obtains and examines documentation identifying the unique privacy needs which must be addressed by training to ensure they are identified. |
The organization being inspected/assessed documents whether the IASE PII Training provides personnel with the information necessary to understand their roles and responsibilities, or if additional organization-specific training is required. If organization-specific training is required, the organization being inspected/assessed defines and documents the unique privacy needs which must be addressed by training. |
Privacy Awareness And Training |
AR-5 |
AR-5.1 |
Through implementation of a privacy training and awareness strategy, the organization promotes a culture of privacy. Privacy training and awareness programs typically focus on broad topics, such as responsibilities under the Privacy Act of 1974 and E-Government Act of 2002 and the consequences of failing to carry out those responsibilities, how to identify new privacy risks, how to mitigate privacy risks, and how and when to report privacy incidents. Privacy training may also target data collection and use requirements identified in public notices, such as Privacy Impact Assessments (PIAs) or System of Records Notices (SORNs) for a program or information system. Specific training methods may include: (i) mandatory annual privacy awareness training; (ii) targeted, role-based training; (iii) internal privacy program websites; (iv) manuals, guides, and handbooks; (v) slide presentations; (vi) events (e.g., privacy awareness week, privacy clean-up day); (vii) posters and brochures; and (viii) email messages to all employees and contractors. Organizations update training based on changing statutory, regulatory, mission, program, business process, and information system requirements, or on the results of compliance monitoring and auditing. Where appropriate, organizations may provide privacy training as part of existing information security training. Related controls: AR-3, AT-2, AT-3, TR-1. |
The organization:
a. Develops, implements, and updates a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures;
b. Administers basic privacy training [Assignment: organization-defined frequency, at least annually] and targeted, role-based privacy training for personnel having responsibility for
personally identifiable information (PII) or for activities that involve PII [Assignment: organization-defined frequency, at least annually]; and
c. Ensures that personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements [Assignment: organization-defined frequency, at least annually]. |
| CCI-003441 |
The organization implements a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures. |
The organization conducting the inspection/assessment obtains and examines the documented results of the review conducted IAW AR-5, CCI 3440. If the review indicates that IASE provided PII training meets the needs of the organization then the organization is automatically compliant. Otherwise, the organization conducting the inspection/assessment obtains and examines the documented training and awareness strategy to ensure that it implements training aimed at ensuring that personnel understand privacy responsibilities and procedures. |
If the organization being inspected/assessed identifies IAW AR-5, CCI 3440 that IASE provided PII training meets the needs of the organization then the organization is automatically compliant. Otherwise, the organization being inspected/assessed documents and implements a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures. |
Privacy Awareness And Training |
AR-5 |
AR-5.2 |
Through implementation of a privacy training and awareness strategy, the organization promotes a culture of privacy. Privacy training and awareness programs typically focus on broad topics, such as responsibilities under the Privacy Act of 1974 and E-Government Act of 2002 and the consequences of failing to carry out those responsibilities, how to identify new privacy risks, how to mitigate privacy risks, and how and when to report privacy incidents. Privacy training may also target data collection and use requirements identified in public notices, such as Privacy Impact Assessments (PIAs) or System of Records Notices (SORNs) for a program or information system. Specific training methods may include: (i) mandatory annual privacy awareness training; (ii) targeted, role-based training; (iii) internal privacy program websites; (iv) manuals, guides, and handbooks; (v) slide presentations; (vi) events (e.g., privacy awareness week, privacy clean-up day); (vii) posters and brochures; and (viii) email messages to all employees and contractors. Organizations update training based on changing statutory, regulatory, mission, program, business process, and information system requirements, or on the results of compliance monitoring and auditing. Where appropriate, organizations may provide privacy training as part of existing information security training. Related controls: AR-3, AT-2, AT-3, TR-1. |
The organization:
a. Develops, implements, and updates a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures;
b. Administers basic privacy training [Assignment: organization-defined frequency, at least annually] and targeted, role-based privacy training for personnel having responsibility for
personally identifiable information (PII) or for activities that involve PII [Assignment: organization-defined frequency, at least annually]; and
c. Ensures that personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements [Assignment: organization-defined frequency, at least annually]. |
| CCI-003442 |
The organization updates a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures. |
The organization conducting the inspection/assessment obtains and examines the documented results of the review conducted IAW AR-5, CCI 3440. If the review indicates that IASE provided PII training meets the needs of the organization then the organization is automatically compliant. Otherwise, the organization conducting the inspection/assessment obtains and examines the documented update process for the training and awareness strategy to ensure that the organization being inspected/assessed updates the strategy. |
If the organization being inspected/assessed identifies IAW AR-5, CCI 3440 that IASE provided PII training meets the needs of the organization then the organization is automatically compliant. Otherwise, the organization being inspected/assessed documents and implements a process to update the comprehensive training and awareness strategy. |
Privacy Awareness And Training |
AR-5 |
AR-5.3 |
Through implementation of a privacy training and awareness strategy, the organization promotes a culture of privacy. Privacy training and awareness programs typically focus on broad topics, such as responsibilities under the Privacy Act of 1974 and E-Government Act of 2002 and the consequences of failing to carry out those responsibilities, how to identify new privacy risks, how to mitigate privacy risks, and how and when to report privacy incidents. Privacy training may also target data collection and use requirements identified in public notices, such as Privacy Impact Assessments (PIAs) or System of Records Notices (SORNs) for a program or information system. Specific training methods may include: (i) mandatory annual privacy awareness training; (ii) targeted, role-based training; (iii) internal privacy program websites; (iv) manuals, guides, and handbooks; (v) slide presentations; (vi) events (e.g., privacy awareness week, privacy clean-up day); (vii) posters and brochures; and (viii) email messages to all employees and contractors. Organizations update training based on changing statutory, regulatory, mission, program, business process, and information system requirements, or on the results of compliance monitoring and auditing. Where appropriate, organizations may provide privacy training as part of existing information security training. Related controls: AR-3, AT-2, AT-3, TR-1. |
The organization:
a. Develops, implements, and updates a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures;
b. Administers basic privacy training [Assignment: organization-defined frequency, at least annually] and targeted, role-based privacy training for personnel having responsibility for
personally identifiable information (PII) or for activities that involve PII [Assignment: organization-defined frequency, at least annually]; and
c. Ensures that personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements [Assignment: organization-defined frequency, at least annually]. |
| CCI-003443 |
The organization defines the frequency, minimally annually, for administering its basic privacy training. |
The organization conducting the inspection/assessment obtains and examines the documented evidence of a review as to whether the IASE provided PII training provides personnel with the information necessary to understand their roles and responsibilities. If the documented review indicates that organization-specific training is necessary, then the organization conducting the inspection/assessment obtains and examines documentation identifying the unique privacy needs which must be addressed by training to ensure they are identified. |
The organization being inspected/assessed documents whether the IASE PII Training provides personnel with the information necessary to understand their roles and responsibilities, or if additional organization-specific training is required. If organization-specific training is required, the organization being inspected/assessed defines and documents the unique privacy needs which must be addressed by training. |
Privacy Awareness And Training |
AR-5 |
AR-5.4 |
Through implementation of a privacy training and awareness strategy, the organization promotes a culture of privacy. Privacy training and awareness programs typically focus on broad topics, such as responsibilities under the Privacy Act of 1974 and E-Government Act of 2002 and the consequences of failing to carry out those responsibilities, how to identify new privacy risks, how to mitigate privacy risks, and how and when to report privacy incidents. Privacy training may also target data collection and use requirements identified in public notices, such as Privacy Impact Assessments (PIAs) or System of Records Notices (SORNs) for a program or information system. Specific training methods may include: (i) mandatory annual privacy awareness training; (ii) targeted, role-based training; (iii) internal privacy program websites; (iv) manuals, guides, and handbooks; (v) slide presentations; (vi) events (e.g., privacy awareness week, privacy clean-up day); (vii) posters and brochures; and (viii) email messages to all employees and contractors. Organizations update training based on changing statutory, regulatory, mission, program, business process, and information system requirements, or on the results of compliance monitoring and auditing. Where appropriate, organizations may provide privacy training as part of existing information security training. Related controls: AR-3, AT-2, AT-3, TR-1. |
The organization:
a. Develops, implements, and updates a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures;
b. Administers basic privacy training [Assignment: organization-defined frequency, at least annually] and targeted, role-based privacy training for personnel having responsibility for
personally identifiable information (PII) or for activities that involve PII [Assignment: organization-defined frequency, at least annually]; and
c. Ensures that personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements [Assignment: organization-defined frequency, at least annually]. |
| CCI-003444 |
The organization defines the frequency, minimally annually, for administering the targeted, role-based privacy training for personnel having responsibility for personally identifiable information (PII) or for activities that involve PII. |
The organization conducting the inspection/assessment obtains and examines the documented results of the review conducted IAW AR-5, CCI 3440. If the review indicates that IASE provided PII training meets the needs of the organization then the organization is automatically compliant. Otherwise, the organization conducting the inspection/assessment obtains and examines the documented training and awareness strategy to ensure that it implements training aimed at ensuring that personnel understand privacy responsibilities and procedures. |
If the organization being inspected/assessed identifies IAW AR-5, CCI 3440 that IASE provided PII training meets the needs of the organization then the organization is automatically compliant. Otherwise, the organization being inspected/assessed documents and implements a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures. |
Privacy Awareness And Training |
AR-5 |
AR-5.5 |
Through implementation of a privacy training and awareness strategy, the organization promotes a culture of privacy. Privacy training and awareness programs typically focus on broad topics, such as responsibilities under the Privacy Act of 1974 and E-Government Act of 2002 and the consequences of failing to carry out those responsibilities, how to identify new privacy risks, how to mitigate privacy risks, and how and when to report privacy incidents. Privacy training may also target data collection and use requirements identified in public notices, such as Privacy Impact Assessments (PIAs) or System of Records Notices (SORNs) for a program or information system. Specific training methods may include: (i) mandatory annual privacy awareness training; (ii) targeted, role-based training; (iii) internal privacy program websites; (iv) manuals, guides, and handbooks; (v) slide presentations; (vi) events (e.g., privacy awareness week, privacy clean-up day); (vii) posters and brochures; and (viii) email messages to all employees and contractors. Organizations update training based on changing statutory, regulatory, mission, program, business process, and information system requirements, or on the results of compliance monitoring and auditing. Where appropriate, organizations may provide privacy training as part of existing information security training. Related controls: AR-3, AT-2, AT-3, TR-1. |
The organization:
a. Develops, implements, and updates a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures;
b. Administers basic privacy training [Assignment: organization-defined frequency, at least annually] and targeted, role-based privacy training for personnel having responsibility for
personally identifiable information (PII) or for activities that involve PII [Assignment: organization-defined frequency, at least annually]; and
c. Ensures that personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements [Assignment: organization-defined frequency, at least annually]. |
| CCI-003445 |
The organization administers basic privacy training per the organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the documented results of the review conducted IAW AR-5, CCI 3440. If the review indicates that IASE provided PII training meets the needs of the organization then the organization is automatically compliant. Otherwise, the organization conducting the inspection/assessment obtains and examines the documented update process for the training and awareness strategy to ensure that the organization being inspected/assessed updates the strategy. |
If the organization being inspected/assessed identifies IAW AR-5, CCI 3440 that IASE provided PII training meets the needs of the organization then the organization is automatically compliant. Otherwise, the organization being inspected/assessed documents and implements a process to update the comprehensive training and awareness strategy. |
Privacy Awareness And Training |
AR-5 |
AR-5.6 |
Through implementation of a privacy training and awareness strategy, the organization promotes a culture of privacy. Privacy training and awareness programs typically focus on broad topics, such as responsibilities under the Privacy Act of 1974 and E-Government Act of 2002 and the consequences of failing to carry out those responsibilities, how to identify new privacy risks, how to mitigate privacy risks, and how and when to report privacy incidents. Privacy training may also target data collection and use requirements identified in public notices, such as Privacy Impact Assessments (PIAs) or System of Records Notices (SORNs) for a program or information system. Specific training methods may include: (i) mandatory annual privacy awareness training; (ii) targeted, role-based training; (iii) internal privacy program websites; (iv) manuals, guides, and handbooks; (v) slide presentations; (vi) events (e.g., privacy awareness week, privacy clean-up day); (vii) posters and brochures; and (viii) email messages to all employees and contractors. Organizations update training based on changing statutory, regulatory, mission, program, business process, and information system requirements, or on the results of compliance monitoring and auditing. Where appropriate, organizations may provide privacy training as part of existing information security training. Related controls: AR-3, AT-2, AT-3, TR-1. |
The organization:
a. Develops, implements, and updates a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures;
b. Administers basic privacy training [Assignment: organization-defined frequency, at least annually] and targeted, role-based privacy training for personnel having responsibility for
personally identifiable information (PII) or for activities that involve PII [Assignment: organization-defined frequency, at least annually]; and
c. Ensures that personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements [Assignment: organization-defined frequency, at least annually]. |
| CCI-003446 |
The organization administers, per organization-defined frequency, targeted, role-based privacy training for personnel having responsibility for personally identifiable information (PII) or for activities that involve PII. |
The organization conducting the inspection/assessment reviews evidence of the organization being inspected providing annual targeted, role-based privacy training. DoD Components that have determined and documented adequate justification that DoD-wide privacy training and awareness activities provide evidence to demonstrate its personnel are taking this training annually. |
The organization follows its strategy and plan for administering targeted, role-based privacy training. |
Privacy Awareness And Training |
AR-5 |
AR-5.7 |
Through implementation of a privacy training and awareness strategy, the organization promotes a culture of privacy. Privacy training and awareness programs typically focus on broad topics, such as responsibilities under the Privacy Act of 1974 and E-Government Act of 2002 and the consequences of failing to carry out those responsibilities, how to identify new privacy risks, how to mitigate privacy risks, and how and when to report privacy incidents. Privacy training may also target data collection and use requirements identified in public notices, such as Privacy Impact Assessments (PIAs) or System of Records Notices (SORNs) for a program or information system. Specific training methods may include: (i) mandatory annual privacy awareness training; (ii) targeted, role-based training; (iii) internal privacy program websites; (iv) manuals, guides, and handbooks; (v) slide presentations; (vi) events (e.g., privacy awareness week, privacy clean-up day); (vii) posters and brochures; and (viii) email messages to all employees and contractors. Organizations update training based on changing statutory, regulatory, mission, program, business process, and information system requirements, or on the results of compliance monitoring and auditing. Where appropriate, organizations may provide privacy training as part of existing information security training. Related controls: AR-3, AT-2, AT-3, TR-1. |
The organization:
a. Develops, implements, and updates a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures;
b. Administers basic privacy training [Assignment: organization-defined frequency, at least annually] and targeted, role-based privacy training for personnel having responsibility for
personally identifiable information (PII) or for activities that involve PII [Assignment: organization-defined frequency, at least annually]; and
c. Ensures that personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements [Assignment: organization-defined frequency, at least annually]. |
| CCI-003447 |
The organization defines the frequency, minimally annually, on which personnel certify acceptance of responsibilities for privacy requirements. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as annually. |
DoD has defined the frequency as annually. |
Privacy Awareness And Training |
AR-5 |
AR-5.8 |
Through implementation of a privacy training and awareness strategy, the organization promotes a culture of privacy. Privacy training and awareness programs typically focus on broad topics, such as responsibilities under the Privacy Act of 1974 and E-Government Act of 2002 and the consequences of failing to carry out those responsibilities, how to identify new privacy risks, how to mitigate privacy risks, and how and when to report privacy incidents. Privacy training may also target data collection and use requirements identified in public notices, such as Privacy Impact Assessments (PIAs) or System of Records Notices (SORNs) for a program or information system. Specific training methods may include: (i) mandatory annual privacy awareness training; (ii) targeted, role-based training; (iii) internal privacy program websites; (iv) manuals, guides, and handbooks; (v) slide presentations; (vi) events (e.g., privacy awareness week, privacy clean-up day); (vii) posters and brochures; and (viii) email messages to all employees and contractors. Organizations update training based on changing statutory, regulatory, mission, program, business process, and information system requirements, or on the results of compliance monitoring and auditing. Where appropriate, organizations may provide privacy training as part of existing information security training. Related controls: AR-3, AT-2, AT-3, TR-1. |
The organization:
a. Develops, implements, and updates a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures;
b. Administers basic privacy training [Assignment: organization-defined frequency, at least annually] and targeted, role-based privacy training for personnel having responsibility for
personally identifiable information (PII) or for activities that involve PII [Assignment: organization-defined frequency, at least annually]; and
c. Ensures that personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements [Assignment: organization-defined frequency, at least annually]. |
| CCI-003448 |
The organization ensures personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements per organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the documented results of the review conducted IAW AR-5, CCI 3440. If the review indicates that IASE provided PII training meets the needs of the organization then the organization is automatically compliant. Otherwise, the organization conducting the inspection/assessment obtains and examines the documented certification process as well as a representative sample of employee certification records to ensure that the organization being inspected/assessed ensures personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements per organization-defined frequency. |
The organization being inspected/assessed must ensure that personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements at least annually. This can be achieved either through inclusion of these requirements within and annually recertifying their existing AUP, or via a separate acceptance method. |
Privacy Awareness And Training |
AR-5 |
AR-5.9 |
Through implementation of a privacy training and awareness strategy, the organization promotes a culture of privacy. Privacy training and awareness programs typically focus on broad topics, such as responsibilities under the Privacy Act of 1974 and E-Government Act of 2002 and the consequences of failing to carry out those responsibilities, how to identify new privacy risks, how to mitigate privacy risks, and how and when to report privacy incidents. Privacy training may also target data collection and use requirements identified in public notices, such as Privacy Impact Assessments (PIAs) or System of Records Notices (SORNs) for a program or information system. Specific training methods may include: (i) mandatory annual privacy awareness training; (ii) targeted, role-based training; (iii) internal privacy program websites; (iv) manuals, guides, and handbooks; (v) slide presentations; (vi) events (e.g., privacy awareness week, privacy clean-up day); (vii) posters and brochures; and (viii) email messages to all employees and contractors. Organizations update training based on changing statutory, regulatory, mission, program, business process, and information system requirements, or on the results of compliance monitoring and auditing. Where appropriate, organizations may provide privacy training as part of existing information security training. Related controls: AR-3, AT-2, AT-3, TR-1. |
The organization:
a. Develops, implements, and updates a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures;
b. Administers basic privacy training [Assignment: organization-defined frequency, at least annually] and targeted, role-based privacy training for personnel having responsibility for
personally identifiable information (PII) or for activities that involve PII [Assignment: organization-defined frequency, at least annually]; and
c. Ensures that personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements [Assignment: organization-defined frequency, at least annually]. |
| CCI-003449 |
The organization develops reports for the Office of Management and Budget (OMB), Congress, and other oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory privacy program mandates. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as reports generated to ensure the organization being inspected/assessed provides all input required by Defense Privacy and Civil Liberties Office (DPLCO), DA&M and/or the OCIO to support the reporting OMB, Congress and the other oversight bodies. |
The organization being inspected/assessed documents and implements a process to provide all input required by Defense Privacy and Civil Liberties Office (DPLCO), DA&M and/or the OCIO to support the reporting OMB, Congress and the other oversight bodies. |
Privacy Reporting |
AR-6 |
AR-6.1 |
Through internal and external privacy reporting, organizations promote accountability and transparency in organizational privacy operations. Reporting also helps organizations to determine progress in meeting privacy compliance requirements and privacy controls, compare performance across the federal government, identify vulnerabilities and gaps in policy and implementation, and identify success models. Types of privacy reports include: (i) annual Senior Agency Official for Privacy (SAOP) reports to OMB; (ii) reports to Congress required by the Implementing Regulations of the 9/11 Commission Act; and (iii) other public reports required by specific statutory mandates or internal policies of organizations. The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) consults with legal counsel, where appropriate, to ensure that organizations meet all applicable privacy reporting requirements. |
The organization develops, disseminates, and updates reports to the Office of Management and Budget (OMB), Congress, and other oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory privacy program mandates, and to senior management and other personnel with responsibility for monitoring privacy program progress and compliance. |
| CCI-003450 |
The organization disseminates reports to the Office of Management and Budget (OMB), Congress, and other oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory privacy program mandates. |
The DPCLO meets the requirement to disseminate reports to the Office of Management and Budget (OMB), Congress, and other oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory privacy program mandates.
DoD Components are automatically compliant with this control because they are covered by the DPCLO and the action is performed by the DA&M and/or OCIO. |
Only designated officials, such as the Senior Agency Official for Privacy (SAOP), respond to external reporting requirements on behalf of the DoD. The Defense Civil Liberties and Privacy Office (DPCLO) meets the requirement to disseminate reports to the Office of Management and Budget (OMB), Congress, and other oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory privacy program mandates.
DoD Components are automatically compliant with this control because they are covered by the DPCLO and the action is performed by the DA&M and/or OCIO. |
Privacy Reporting |
AR-6 |
AR-6.2 |
Through internal and external privacy reporting, organizations promote accountability and transparency in organizational privacy operations. Reporting also helps organizations to determine progress in meeting privacy compliance requirements and privacy controls, compare performance across the federal government, identify vulnerabilities and gaps in policy and implementation, and identify success models. Types of privacy reports include: (i) annual Senior Agency Official for Privacy (SAOP) reports to OMB; (ii) reports to Congress required by the Implementing Regulations of the 9/11 Commission Act; and (iii) other public reports required by specific statutory mandates or internal policies of organizations. The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) consults with legal counsel, where appropriate, to ensure that organizations meet all applicable privacy reporting requirements. |
The organization develops, disseminates, and updates reports to the Office of Management and Budget (OMB), Congress, and other oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory privacy program mandates, and to senior management and other personnel with responsibility for monitoring privacy program progress and compliance. |
| CCI-003451 |
The organization updates reports for the Office of Management and Budget (OMB), Congress, and other oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory privacy program mandates. |
The organization conducting the inspection/assessment reviews evidence of contributions of updated inputs to external privacy reports as mandated by the DPCLO and OCIO to ensure the organization being inspected/assessed updates reports for the OMB, Congress, and other oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory privacy program mandates. |
The organization being inspected/assessed provides the necessary inputs to external privacy reports as mandated by the DPCLO and OCIO to ensure the organization being inspected/assessed updates reports for the OMB, Congress, and other oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory privacy program mandates. |
Privacy Reporting |
AR-6 |
AR-6.3 |
Through internal and external privacy reporting, organizations promote accountability and transparency in organizational privacy operations. Reporting also helps organizations to determine progress in meeting privacy compliance requirements and privacy controls, compare performance across the federal government, identify vulnerabilities and gaps in policy and implementation, and identify success models. Types of privacy reports include: (i) annual Senior Agency Official for Privacy (SAOP) reports to OMB; (ii) reports to Congress required by the Implementing Regulations of the 9/11 Commission Act; and (iii) other public reports required by specific statutory mandates or internal policies of organizations. The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) consults with legal counsel, where appropriate, to ensure that organizations meet all applicable privacy reporting requirements. |
The organization develops, disseminates, and updates reports to the Office of Management and Budget (OMB), Congress, and other oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory privacy program mandates, and to senior management and other personnel with responsibility for monitoring privacy program progress and compliance. |
| CCI-003452 |
The organization develops reports for senior management and other personnel with responsibility for monitoring privacy program progress and compliance. |
The organization conducting the inspection/assessment reviews evidence of contributions to internal privacy reports as mandated by the DPLCO and OCIO to ensure the organization being inspected/assessed develops reports for senior management and other personnel with responsibility for monitoring privacy program progress and compliance. |
The organization being inspected/assessed provides the necessary inputs to support DoD's internal privacy reporting requirements. For example, DoD Components are required to report to the Defense Privacy Office the status and metrics for internal periodic Privacy Act System of Records Notices (SORN) reviews. DoD 5400.11-R, sections C8.1-3 establish policy for DoD Component compliance DPCLO requirements for DoD Privacy Reports. |
Privacy Reporting |
AR-6 |
AR-6.4 |
Through internal and external privacy reporting, organizations promote accountability and transparency in organizational privacy operations. Reporting also helps organizations to determine progress in meeting privacy compliance requirements and privacy controls, compare performance across the federal government, identify vulnerabilities and gaps in policy and implementation, and identify success models. Types of privacy reports include: (i) annual Senior Agency Official for Privacy (SAOP) reports to OMB; (ii) reports to Congress required by the Implementing Regulations of the 9/11 Commission Act; and (iii) other public reports required by specific statutory mandates or internal policies of organizations. The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) consults with legal counsel, where appropriate, to ensure that organizations meet all applicable privacy reporting requirements. |
The organization develops, disseminates, and updates reports to the Office of Management and Budget (OMB), Congress, and other oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory privacy program mandates, and to senior management and other personnel with responsibility for monitoring privacy program progress and compliance. |
| CCI-003453 |
The organization disseminates reports to senior management and other personnel with responsibility for monitoring privacy program progress and compliance. |
The organization conducting the inspection/assessment reviews evidence of contributions to internal privacy reports as mandated by the DPCLO and OCIO to ensure the organization being inspected/assessed disseminates reports to senior management and other personnel with responsibility for monitoring privacy program progress and compliance. |
The organization being inspected/assessed provides the necessary inputs to support DoD's internal privacy reports to the appropriate personnel in a timely manner. |
Privacy Reporting |
AR-6 |
AR-6.5 |
Through internal and external privacy reporting, organizations promote accountability and transparency in organizational privacy operations. Reporting also helps organizations to determine progress in meeting privacy compliance requirements and privacy controls, compare performance across the federal government, identify vulnerabilities and gaps in policy and implementation, and identify success models. Types of privacy reports include: (i) annual Senior Agency Official for Privacy (SAOP) reports to OMB; (ii) reports to Congress required by the Implementing Regulations of the 9/11 Commission Act; and (iii) other public reports required by specific statutory mandates or internal policies of organizations. The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) consults with legal counsel, where appropriate, to ensure that organizations meet all applicable privacy reporting requirements. |
The organization develops, disseminates, and updates reports to the Office of Management and Budget (OMB), Congress, and other oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory privacy program mandates, and to senior management and other personnel with responsibility for monitoring privacy program progress and compliance. |
| CCI-003454 |
The organization updates reports for senior management and other personnel with responsibility for monitoring privacy program progress and compliance. |
The organization conducting the inspection/assessment reviews evidence of contributions of updated inputs to internal privacy reports as mandated by the DPCLO and OCIO to ensure the organization being inspected/assessed updates reports for senior management and other personnel with responsibility for monitoring privacy program progress and compliance. |
The organization being inspected/assessed provides the necessary inputs to support any required updates to DoD's internal privacy reports. |
Privacy Reporting |
AR-6 |
AR-6.6 |
Through internal and external privacy reporting, organizations promote accountability and transparency in organizational privacy operations. Reporting also helps organizations to determine progress in meeting privacy compliance requirements and privacy controls, compare performance across the federal government, identify vulnerabilities and gaps in policy and implementation, and identify success models. Types of privacy reports include: (i) annual Senior Agency Official for Privacy (SAOP) reports to OMB; (ii) reports to Congress required by the Implementing Regulations of the 9/11 Commission Act; and (iii) other public reports required by specific statutory mandates or internal policies of organizations. The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) consults with legal counsel, where appropriate, to ensure that organizations meet all applicable privacy reporting requirements. |
The organization develops, disseminates, and updates reports to the Office of Management and Budget (OMB), Congress, and other oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory privacy program mandates, and to senior management and other personnel with responsibility for monitoring privacy program progress and compliance. |
| CCI-003455 |
The organization designs information systems to support privacy by automating privacy controls. |
The organization conducting the inspection/assessment:
1. reviews policies and procedures that govern the organization's systems engineering lifecycle to ensure privacy requirements are included in the process.,
2. obtains and examines system design documents and examines the information system to ensure it includes automated privacy controls,
3. examines plans for periodic reviews to ensure they are commensurate with the privacy risks identified for the system and that they are occurring based on the planned frequency; and
4. when available, examines results of reviews and associated action plans to address findings to ensure they are being addressed. |
To the extent feasible, when designing information systems, the organization being inspected/assessed employs technologies and system capabilities that automate privacy controls on the collection, use, retention, and disclosure of personally identifiable information (PII).
For example, when sharing records between systems, design the system to only share PII data fields within a record that are relevant to the purpose of sharing rather than sending the entire record (which may contain PII data fields that are not relevant to the purpose for sharing). Privacy requirements and controls should be identified during the concept and requirements development phases of system design, and design decisions should be documented in appropriate system artifacts throughout (e.g. system design documents, system security plans, interconnection security agreements, and Privacy Impact Assessments). By building privacy controls into system design and development, DoD Components mitigate privacy risks to PII, thereby reducing the likelihood of information system breaches and other privacy-related incidents. DoD Components also plan for and conduct periodic reviews of systems to determine the need for updates to maintain compliance with the Privacy Act as well as the DoD's and DoD Component's privacy policies. Regardless of whether automated privacy controls are employed, DoD Components regularly monitor information system use and sharing of PII to ensure that the use/sharing is consistent with the authorized purposes identified in the Privacy Act and/or in the public notice of organizations (e.g. System of Records Notices), or in a manner compatible with those purposes. |
Privacy-Enhanced System Design And Development |
AR-7 |
AR-7.1 |
To the extent feasible, when designing organizational information systems, organizations employ technologies and system capabilities that automate privacy controls on the collection, use, retention, and disclosure of personally identifiable information (PII). By building privacy controls into system design and development, organizations mitigate privacy risks to PII, thereby reducing the likelihood of information system breaches and other privacy-related incidents. Organizations also conduct periodic reviews of systems to determine the need for updates to maintain compliance with the Privacy Act and the organization’s privacy policy. Regardless of whether automated privacy controls are employed, organizations regularly monitor information system use and sharing of PII to ensure that the use/sharing is consistent with the authorized purposes identified in the Privacy Act and/or in the public notice of organizations, or in a manner compatible with those purposes. Related controls: AC-6, AR-4, AR-5, DM-2, TR-1. |
The organization designs information systems to support privacy by automating privacy controls. |
| CCI-003456 |
The organization, as part of the accurate accounting of disclosures of Privacy Act information held in each system of records under its control, includes the date of each disclosure of a record. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed as part of the accurate accounting of disclosures of Privacy Act information held in each system of records under its control, includes the date of each disclosure of a record. |
The organization being inspected/assessed documents and implements a process, as part of the accurate accounting of disclosures of Privacy Act information held in each system of records under its control, to include the date of each disclosure of a record. |
Accounting Of Disclosures |
AR-8 |
AR-8.1 |
The Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) periodically consults with managers of organization systems of record to ensure that the required accountings of disclosures of records are being properly maintained and provided to persons named in those records consistent with the dictates of the Privacy Act. Organizations are not required to keep an accounting of disclosures when the disclosures are made to individuals with a need to know, are made pursuant to the Freedom of Information Act, or are made to a law enforcement agency pursuant to 5 U.S.C. § 552a(c)(3). Heads of agencies can promulgate rules to exempt certain systems of records from the requirement to provide the accounting of disclosures to individuals. Related control: IP-2. |
The organization:
a. Keeps an accurate accounting of disclosures of information held in each system of records under its control, including:
(1) Date, nature, and purpose of each disclosure of a record; and
(2) Name and address of the person or agency to which the disclosure was made;
b. Retains the accounting of disclosures for the life of the record or five years after the disclosure is made, whichever is longer; and
c. Makes the accounting of disclosures available to the person named in the record upon request. |
| CCI-003457 |
The organization, as part of the accurate accounting of disclosures of Privacy Act information held in each system of records under its control, includes the nature of each disclosure of a record. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed as part of the accurate accounting of disclosures of Privacy Act information held in each system of records under its control, includes the nature of each disclosure of a record. |
The organization being inspected/assessed documents and implements a process, as part of the accurate accounting of disclosures of Privacy Act information held in each system of records under its control, to include the nature of each disclosure of a record. |
Accounting Of Disclosures |
AR-8 |
AR-8.2 |
The Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) periodically consults with managers of organization systems of record to ensure that the required accountings of disclosures of records are being properly maintained and provided to persons named in those records consistent with the dictates of the Privacy Act. Organizations are not required to keep an accounting of disclosures when the disclosures are made to individuals with a need to know, are made pursuant to the Freedom of Information Act, or are made to a law enforcement agency pursuant to 5 U.S.C. § 552a(c)(3). Heads of agencies can promulgate rules to exempt certain systems of records from the requirement to provide the accounting of disclosures to individuals. Related control: IP-2. |
The organization:
a. Keeps an accurate accounting of disclosures of information held in each system of records under its control, including:
(1) Date, nature, and purpose of each disclosure of a record; and
(2) Name and address of the person or agency to which the disclosure was made;
b. Retains the accounting of disclosures for the life of the record or five years after the disclosure is made, whichever is longer; and
c. Makes the accounting of disclosures available to the person named in the record upon request. |
| CCI-003458 |
The organization, as part of the accurate accounting of disclosures of Privacy Act information held in each system of records under its control, includes the purpose of each disclosure of a record. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed as part of the accurate accounting of disclosures of Privacy Act information held in each system of records under its control, includes the purpose of each disclosure of a record. |
The organization being inspected/assessed documents and implements a process as part of the accurate accounting of disclosures of Privacy Act information held in each system of records under its control, to include the purpose of each disclosure of a record. |
Accounting Of Disclosures |
AR-8 |
AR-8.3 |
The Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) periodically consults with managers of organization systems of record to ensure that the required accountings of disclosures of records are being properly maintained and provided to persons named in those records consistent with the dictates of the Privacy Act. Organizations are not required to keep an accounting of disclosures when the disclosures are made to individuals with a need to know, are made pursuant to the Freedom of Information Act, or are made to a law enforcement agency pursuant to 5 U.S.C. § 552a(c)(3). Heads of agencies can promulgate rules to exempt certain systems of records from the requirement to provide the accounting of disclosures to individuals. Related control: IP-2. |
The organization:
a. Keeps an accurate accounting of disclosures of information held in each system of records under its control, including:
(1) Date, nature, and purpose of each disclosure of a record; and
(2) Name and address of the person or agency to which the disclosure was made;
b. Retains the accounting of disclosures for the life of the record or five years after the disclosure is made, whichever is longer; and
c. Makes the accounting of disclosures available to the person named in the record upon request. |
| CCI-003459 |
The organization keeps an accurate accounting of disclosures of Privacy Act information held in each system of records under its control. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed keeps an accurate accounting of disclosures of Privacy Act information held in each system of records under its control. |
The organization being inspected/assessed documents and implements a process to keep an accurate accounting of disclosures of Privacy Act information held in each system of records under its control. |
Accounting Of Disclosures |
AR-8 |
AR-8.4 |
The Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) periodically consults with managers of organization systems of record to ensure that the required accountings of disclosures of records are being properly maintained and provided to persons named in those records consistent with the dictates of the Privacy Act. Organizations are not required to keep an accounting of disclosures when the disclosures are made to individuals with a need to know, are made pursuant to the Freedom of Information Act, or are made to a law enforcement agency pursuant to 5 U.S.C. § 552a(c)(3). Heads of agencies can promulgate rules to exempt certain systems of records from the requirement to provide the accounting of disclosures to individuals. Related control: IP-2. |
The organization:
a. Keeps an accurate accounting of disclosures of information held in each system of records under its control, including:
(1) Date, nature, and purpose of each disclosure of a record; and
(2) Name and address of the person or agency to which the disclosure was made;
b. Retains the accounting of disclosures for the life of the record or five years after the disclosure is made, whichever is longer; and
c. Makes the accounting of disclosures available to the person named in the record upon request. |
| CCI-003460 |
The organization, as part of the accurate accounting of disclosures of Privacy Act information held in each system of records under its control, includes the name and address of the person or agency to which the disclosure was made. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed as part of the accurate accounting of disclosures of Privacy Act information held in each system of records under its control, includes the name and address of the person or agency to which the disclosure was made. |
The organization being inspected/assessed documents and implements a process, as part of the accurate accounting of disclosures of Privacy Act information held in each system of records under its control, to include the name and address of the person or agency to which the disclosure was made. |
Accounting Of Disclosures |
AR-8 |
AR-8.5 |
The Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) periodically consults with managers of organization systems of record to ensure that the required accountings of disclosures of records are being properly maintained and provided to persons named in those records consistent with the dictates of the Privacy Act. Organizations are not required to keep an accounting of disclosures when the disclosures are made to individuals with a need to know, are made pursuant to the Freedom of Information Act, or are made to a law enforcement agency pursuant to 5 U.S.C. § 552a(c)(3). Heads of agencies can promulgate rules to exempt certain systems of records from the requirement to provide the accounting of disclosures to individuals. Related control: IP-2. |
The organization:
a. Keeps an accurate accounting of disclosures of information held in each system of records under its control, including:
(1) Date, nature, and purpose of each disclosure of a record; and
(2) Name and address of the person or agency to which the disclosure was made;
b. Retains the accounting of disclosures for the life of the record or five years after the disclosure is made, whichever is longer; and
c. Makes the accounting of disclosures available to the person named in the record upon request. |
| CCI-003461 |
The organization retains the accounting of disclosures for the life of the record or five years after the disclosure is made, whichever is longer. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed retains the accounting of disclosures for the life of the record or five years after the disclosure is made, whichever is longer. |
The organization being inspected/assessed documents and implements a process to retain the accounting of disclosures for the life of the record or five years after the disclosure is made, whichever is longer. |
Accounting Of Disclosures |
AR-8 |
AR-8.6 |
The Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) periodically consults with managers of organization systems of record to ensure that the required accountings of disclosures of records are being properly maintained and provided to persons named in those records consistent with the dictates of the Privacy Act. Organizations are not required to keep an accounting of disclosures when the disclosures are made to individuals with a need to know, are made pursuant to the Freedom of Information Act, or are made to a law enforcement agency pursuant to 5 U.S.C. § 552a(c)(3). Heads of agencies can promulgate rules to exempt certain systems of records from the requirement to provide the accounting of disclosures to individuals. Related control: IP-2. |
The organization:
a. Keeps an accurate accounting of disclosures of information held in each system of records under its control, including:
(1) Date, nature, and purpose of each disclosure of a record; and
(2) Name and address of the person or agency to which the disclosure was made;
b. Retains the accounting of disclosures for the life of the record or five years after the disclosure is made, whichever is longer; and
c. Makes the accounting of disclosures available to the person named in the record upon request. |
| CCI-003462 |
The organization makes the accounting of disclosures available to the person named in the record upon request. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed makes the accounting of disclosures available to the person named in the record upon request.
NOTE: The system of the record might have an exemption that prevents the accounting of disclosures to the person named in the record. This must be spelled out in the SORN. |
The organization being inspected/assessed documents and implements a process to make the accounting of disclosures available to the person named in the record upon request.
NOTE: The system of the record might have an exemption that prevents the accounting of disclosures to the person named in the record. This must be spelled out in the SORN. |
Accounting Of Disclosures |
AR-8 |
AR-8.7 |
The Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) periodically consults with managers of organization systems of record to ensure that the required accountings of disclosures of records are being properly maintained and provided to persons named in those records consistent with the dictates of the Privacy Act. Organizations are not required to keep an accounting of disclosures when the disclosures are made to individuals with a need to know, are made pursuant to the Freedom of Information Act, or are made to a law enforcement agency pursuant to 5 U.S.C. § 552a(c)(3). Heads of agencies can promulgate rules to exempt certain systems of records from the requirement to provide the accounting of disclosures to individuals. Related control: IP-2. |
The organization:
a. Keeps an accurate accounting of disclosures of information held in each system of records under its control, including:
(1) Date, nature, and purpose of each disclosure of a record; and
(2) Name and address of the person or agency to which the disclosure was made;
b. Retains the accounting of disclosures for the life of the record or five years after the disclosure is made, whichever is longer; and
c. Makes the accounting of disclosures available to the person named in the record upon request. |
| CCI-003463 |
The organization confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the accuracy of that information. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed confirms to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about an individual's rights, benefits, and privileges under Federal programs. |
The organization being inspected/assessed documents and implements a process to confirm to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about an individual's rights, benefits, and privileges under Federal programs. |
Data Quality |
DI-1 |
DI-1.1 |
Organizations take reasonable steps to confirm the accuracy and relevance of PII. Such steps may include, for example, editing and validating addresses as they are collected or entered into information systems using automated address verification look-up application programming interfaces (API). The types of measures taken to protect data quality are based on the nature and context of the PII, how it is to be used, and how it was obtained. Measures taken to validate the accuracy of PII that is used to make determinations about the rights, benefits, or privileges of individuals under federal programs may be more comprehensive than those used to validate less sensitive PII. Additional steps may be necessary to validate PII that is obtained from sources other than individuals or the authorized representatives of individuals.
When PII is of a sufficiently sensitive nature (e.g., when it is used for annual reconfirmation of a taxpayer’s income for a recurring benefit), organizations incorporate mechanisms into information systems and develop corresponding procedures for how frequently, and by what method, the information is to be updated. Related controls: AP-2, DI-2, DM-1, IP-3, SI-10. |
The organization:
a. Confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the accuracy, relevance, timeliness, and completeness of that
information;
b. Collects PII directly from the individual to the greatest extent practicable;
c. Checks for, and corrects as necessary, any inaccurate or outdated PII used by its programs or systems [Assignment: organization-defined frequency]; and
d. Issues guidelines ensuring and maximizing the quality, utility, objectivity, and integrity of disseminated information. |
| CCI-003464 |
The organization confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the relevancy of that information. |
The organization being inspected/assessed documents and implements a process to confirm to the greatest extent practicable upon collection or creation of PII, the relevancy of that information collect information to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about an individual's rights, benefits, and privileges under Federal programs |
The organization being inspected/assessed documents and implements a process to confirm to the greatest extent practicable upon collection or creation of PII, the relevancy of that information collect information to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about an individual's rights, benefits, and privileges under Federal programs |
Data Quality |
DI-1 |
DI-1.2 |
Organizations take reasonable steps to confirm the accuracy and relevance of PII. Such steps may include, for example, editing and validating addresses as they are collected or entered into information systems using automated address verification look-up application programming interfaces (API). The types of measures taken to protect data quality are based on the nature and context of the PII, how it is to be used, and how it was obtained. Measures taken to validate the accuracy of PII that is used to make determinations about the rights, benefits, or privileges of individuals under federal programs may be more comprehensive than those used to validate less sensitive PII. Additional steps may be necessary to validate PII that is obtained from sources other than individuals or the authorized representatives of individuals.
When PII is of a sufficiently sensitive nature (e.g., when it is used for annual reconfirmation of a taxpayer’s income for a recurring benefit), organizations incorporate mechanisms into information systems and develop corresponding procedures for how frequently, and by what method, the information is to be updated. Related controls: AP-2, DI-2, DM-1, IP-3, SI-10. |
The organization:
a. Confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the accuracy, relevance, timeliness, and completeness of that
information;
b. Collects PII directly from the individual to the greatest extent practicable;
c. Checks for, and corrects as necessary, any inaccurate or outdated PII used by its programs or systems [Assignment: organization-defined frequency]; and
d. Issues guidelines ensuring and maximizing the quality, utility, objectivity, and integrity of disseminated information. |
| CCI-003465 |
The organization confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the timeliness of that information. |
The organization being inspected/assessed documents and implements a process to confirm to the greatest extent practicable upon collection or creation of PII, the timeliness of that information collect information to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about an individual's rights, benefits, and privileges under Federal programs |
The organization being inspected/assessed documents and implements a process to confirm to the greatest extent practicable upon collection or creation of PII, the timeliness of that information collect information to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about an individual's rights, benefits, and privileges under Federal programs |
Data Quality |
DI-1 |
DI-1.3 |
Organizations take reasonable steps to confirm the accuracy and relevance of PII. Such steps may include, for example, editing and validating addresses as they are collected or entered into information systems using automated address verification look-up application programming interfaces (API). The types of measures taken to protect data quality are based on the nature and context of the PII, how it is to be used, and how it was obtained. Measures taken to validate the accuracy of PII that is used to make determinations about the rights, benefits, or privileges of individuals under federal programs may be more comprehensive than those used to validate less sensitive PII. Additional steps may be necessary to validate PII that is obtained from sources other than individuals or the authorized representatives of individuals.
When PII is of a sufficiently sensitive nature (e.g., when it is used for annual reconfirmation of a taxpayer’s income for a recurring benefit), organizations incorporate mechanisms into information systems and develop corresponding procedures for how frequently, and by what method, the information is to be updated. Related controls: AP-2, DI-2, DM-1, IP-3, SI-10. |
The organization:
a. Confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the accuracy, relevance, timeliness, and completeness of that
information;
b. Collects PII directly from the individual to the greatest extent practicable;
c. Checks for, and corrects as necessary, any inaccurate or outdated PII used by its programs or systems [Assignment: organization-defined frequency]; and
d. Issues guidelines ensuring and maximizing the quality, utility, objectivity, and integrity of disseminated information. |
| CCI-003466 |
The organization confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the completeness of that information. |
The organization being inspected/assessed documents and implements a process to confirm to the greatest extent practicable upon collection or creation of PII, the completeness of that information collect information to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about an individual's rights, benefits, and privileges under Federal programs. |
The organization being inspected/assessed documents and implements a process to confirm to the greatest extent practicable upon collection or creation of PII, the completeness of that information collect information to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about an individual's rights, benefits, and privileges under Federal programs. |
Data Quality |
DI-1 |
DI-1.4 |
Organizations take reasonable steps to confirm the accuracy and relevance of PII. Such steps may include, for example, editing and validating addresses as they are collected or entered into information systems using automated address verification look-up application programming interfaces (API). The types of measures taken to protect data quality are based on the nature and context of the PII, how it is to be used, and how it was obtained. Measures taken to validate the accuracy of PII that is used to make determinations about the rights, benefits, or privileges of individuals under federal programs may be more comprehensive than those used to validate less sensitive PII. Additional steps may be necessary to validate PII that is obtained from sources other than individuals or the authorized representatives of individuals.
When PII is of a sufficiently sensitive nature (e.g., when it is used for annual reconfirmation of a taxpayer’s income for a recurring benefit), organizations incorporate mechanisms into information systems and develop corresponding procedures for how frequently, and by what method, the information is to be updated. Related controls: AP-2, DI-2, DM-1, IP-3, SI-10. |
The organization:
a. Confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the accuracy, relevance, timeliness, and completeness of that
information;
b. Collects PII directly from the individual to the greatest extent practicable;
c. Checks for, and corrects as necessary, any inaccurate or outdated PII used by its programs or systems [Assignment: organization-defined frequency]; and
d. Issues guidelines ensuring and maximizing the quality, utility, objectivity, and integrity of disseminated information. |
| CCI-003467 |
The organization collects personally identifiable information (PII) directly from the individual to the greatest extent practicable. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed collects information to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about an individual's rights, benefits, and privileges under Federal programs. |
The organization being inspected/assessed documents and implements a process to collect information to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about an individual's rights, benefits, and privileges under Federal programs. |
Data Quality |
DI-1 |
DI-1.5 |
Organizations take reasonable steps to confirm the accuracy and relevance of PII. Such steps may include, for example, editing and validating addresses as they are collected or entered into information systems using automated address verification look-up application programming interfaces (API). The types of measures taken to protect data quality are based on the nature and context of the PII, how it is to be used, and how it was obtained. Measures taken to validate the accuracy of PII that is used to make determinations about the rights, benefits, or privileges of individuals under federal programs may be more comprehensive than those used to validate less sensitive PII. Additional steps may be necessary to validate PII that is obtained from sources other than individuals or the authorized representatives of individuals.
When PII is of a sufficiently sensitive nature (e.g., when it is used for annual reconfirmation of a taxpayer’s income for a recurring benefit), organizations incorporate mechanisms into information systems and develop corresponding procedures for how frequently, and by what method, the information is to be updated. Related controls: AP-2, DI-2, DM-1, IP-3, SI-10. |
The organization:
a. Confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the accuracy, relevance, timeliness, and completeness of that
information;
b. Collects PII directly from the individual to the greatest extent practicable;
c. Checks for, and corrects as necessary, any inaccurate or outdated PII used by its programs or systems [Assignment: organization-defined frequency]; and
d. Issues guidelines ensuring and maximizing the quality, utility, objectivity, and integrity of disseminated information. |
| CCI-003468 |
The organization defines the frequency on which it will check for, and correct as necessary, inaccurate or outdated personally identifiable information (PII) used by its programs or systems. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as when changes warrant corrections. |
DoD has defined the frequency as when changes warrant corrections. |
Data Quality |
DI-1 |
DI-1.6 |
Organizations take reasonable steps to confirm the accuracy and relevance of PII. Such steps may include, for example, editing and validating addresses as they are collected or entered into information systems using automated address verification look-up application programming interfaces (API). The types of measures taken to protect data quality are based on the nature and context of the PII, how it is to be used, and how it was obtained. Measures taken to validate the accuracy of PII that is used to make determinations about the rights, benefits, or privileges of individuals under federal programs may be more comprehensive than those used to validate less sensitive PII. Additional steps may be necessary to validate PII that is obtained from sources other than individuals or the authorized representatives of individuals.
When PII is of a sufficiently sensitive nature (e.g., when it is used for annual reconfirmation of a taxpayer’s income for a recurring benefit), organizations incorporate mechanisms into information systems and develop corresponding procedures for how frequently, and by what method, the information is to be updated. Related controls: AP-2, DI-2, DM-1, IP-3, SI-10. |
The organization:
a. Confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the accuracy, relevance, timeliness, and completeness of that
information;
b. Collects PII directly from the individual to the greatest extent practicable;
c. Checks for, and corrects as necessary, any inaccurate or outdated PII used by its programs or systems [Assignment: organization-defined frequency]; and
d. Issues guidelines ensuring and maximizing the quality, utility, objectivity, and integrity of disseminated information. |
| CCI-003469 |
The organization checks for, and corrects as necessary, any inaccurate or outdated personally identifiable information (PII) used by its programs or systems on an organization-defined frequency. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed checks for, and corrects as necessary, any inaccurate or outdated PII used by its programs or systems when changes warrant corrections.
DoD has defined the frequency as when changes warrant corrections. |
The organization being inspected/assessed documents and implements a process to checks for, and correct as necessary, any inaccurate or outdated PII used by its programs or systems when changes warrant corrections.
DoD has defined the frequency as when changes warrant corrections. |
Data Quality |
DI-1 |
DI-1.7 |
Organizations take reasonable steps to confirm the accuracy and relevance of PII. Such steps may include, for example, editing and validating addresses as they are collected or entered into information systems using automated address verification look-up application programming interfaces (API). The types of measures taken to protect data quality are based on the nature and context of the PII, how it is to be used, and how it was obtained. Measures taken to validate the accuracy of PII that is used to make determinations about the rights, benefits, or privileges of individuals under federal programs may be more comprehensive than those used to validate less sensitive PII. Additional steps may be necessary to validate PII that is obtained from sources other than individuals or the authorized representatives of individuals.
When PII is of a sufficiently sensitive nature (e.g., when it is used for annual reconfirmation of a taxpayer’s income for a recurring benefit), organizations incorporate mechanisms into information systems and develop corresponding procedures for how frequently, and by what method, the information is to be updated. Related controls: AP-2, DI-2, DM-1, IP-3, SI-10. |
The organization:
a. Confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the accuracy, relevance, timeliness, and completeness of that
information;
b. Collects PII directly from the individual to the greatest extent practicable;
c. Checks for, and corrects as necessary, any inaccurate or outdated PII used by its programs or systems [Assignment: organization-defined frequency]; and
d. Issues guidelines ensuring and maximizing the quality, utility, objectivity, and integrity of disseminated information. |
| CCI-003470 |
The organization issues guidelines ensuring the quality of disseminated Privacy Act information. |
The organization conducting the inspection/assessment reviews the PII quality guidelines for the organization being inspected/assessed against documentation for the program or system to ensure quality thresholds are being met. |
The organization being inspected/assessed defines and issues PII quality assurance guidelines IAW DoD 5400.11-R to ensure accuracy, relevance, timeliness, and completion of PII prior to its dissemination. Quality guidelines are tailored as necessary for specific programs or systems. |
Data Quality |
DI-1 |
DI-1.8 |
Organizations take reasonable steps to confirm the accuracy and relevance of PII. Such steps may include, for example, editing and validating addresses as they are collected or entered into information systems using automated address verification look-up application programming interfaces (API). The types of measures taken to protect data quality are based on the nature and context of the PII, how it is to be used, and how it was obtained. Measures taken to validate the accuracy of PII that is used to make determinations about the rights, benefits, or privileges of individuals under federal programs may be more comprehensive than those used to validate less sensitive PII. Additional steps may be necessary to validate PII that is obtained from sources other than individuals or the authorized representatives of individuals.
When PII is of a sufficiently sensitive nature (e.g., when it is used for annual reconfirmation of a taxpayer’s income for a recurring benefit), organizations incorporate mechanisms into information systems and develop corresponding procedures for how frequently, and by what method, the information is to be updated. Related controls: AP-2, DI-2, DM-1, IP-3, SI-10. |
The organization:
a. Confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the accuracy, relevance, timeliness, and completeness of that
information;
b. Collects PII directly from the individual to the greatest extent practicable;
c. Checks for, and corrects as necessary, any inaccurate or outdated PII used by its programs or systems [Assignment: organization-defined frequency]; and
d. Issues guidelines ensuring and maximizing the quality, utility, objectivity, and integrity of disseminated information. |
| CCI-003471 |
The organization issues guidelines ensuring the utility of disseminated Privacy Act information. |
The organization conducting the inspection/assessment reviews the PII utility guidelines for the organization being inspected/assessed against documentation for the program or system to ensure utility thresholds are being met and that PII is not shared other than as allowed by policy or notice. |
The organization being inspected/assessed defines and issues PII utility guidelines IAW DoD 5400.11-R. Utility guidelines are tailored as necessary for specific programs or systems. Utility of information covered under the Privacy Act is strictly limited to an authorized purpose and need-to-know. When evaluating options for greater PII utility, consult with the DoD Component's privacy office. |
Data Quality |
DI-1 |
DI-1.9 |
Organizations take reasonable steps to confirm the accuracy and relevance of PII. Such steps may include, for example, editing and validating addresses as they are collected or entered into information systems using automated address verification look-up application programming interfaces (API). The types of measures taken to protect data quality are based on the nature and context of the PII, how it is to be used, and how it was obtained. Measures taken to validate the accuracy of PII that is used to make determinations about the rights, benefits, or privileges of individuals under federal programs may be more comprehensive than those used to validate less sensitive PII. Additional steps may be necessary to validate PII that is obtained from sources other than individuals or the authorized representatives of individuals.
When PII is of a sufficiently sensitive nature (e.g., when it is used for annual reconfirmation of a taxpayer’s income for a recurring benefit), organizations incorporate mechanisms into information systems and develop corresponding procedures for how frequently, and by what method, the information is to be updated. Related controls: AP-2, DI-2, DM-1, IP-3, SI-10. |
The organization:
a. Confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the accuracy, relevance, timeliness, and completeness of that
information;
b. Collects PII directly from the individual to the greatest extent practicable;
c. Checks for, and corrects as necessary, any inaccurate or outdated PII used by its programs or systems [Assignment: organization-defined frequency]; and
d. Issues guidelines ensuring and maximizing the quality, utility, objectivity, and integrity of disseminated information. |
| CCI-003472 |
The organization issues guidelines ensuring the objectivity of disseminated Privacy Act information. |
The organization conducting the inspection/assessment reviews the PII objectivity guidelines for the organization being inspected/assessed against documentation for the program or system to ensure objectivity thresholds are being met. |
The organization being inspected/assessed defines and issues PII objectivity guidelines IAW DoD 5400.11-R. Objectivity guidelines are tailored as necessary for specific programs or systems. |
Data Quality |
DI-1 |
DI-1.10 |
Organizations take reasonable steps to confirm the accuracy and relevance of PII. Such steps may include, for example, editing and validating addresses as they are collected or entered into information systems using automated address verification look-up application programming interfaces (API). The types of measures taken to protect data quality are based on the nature and context of the PII, how it is to be used, and how it was obtained. Measures taken to validate the accuracy of PII that is used to make determinations about the rights, benefits, or privileges of individuals under federal programs may be more comprehensive than those used to validate less sensitive PII. Additional steps may be necessary to validate PII that is obtained from sources other than individuals or the authorized representatives of individuals.
When PII is of a sufficiently sensitive nature (e.g., when it is used for annual reconfirmation of a taxpayer’s income for a recurring benefit), organizations incorporate mechanisms into information systems and develop corresponding procedures for how frequently, and by what method, the information is to be updated. Related controls: AP-2, DI-2, DM-1, IP-3, SI-10. |
The organization:
a. Confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the accuracy, relevance, timeliness, and completeness of that
information;
b. Collects PII directly from the individual to the greatest extent practicable;
c. Checks for, and corrects as necessary, any inaccurate or outdated PII used by its programs or systems [Assignment: organization-defined frequency]; and
d. Issues guidelines ensuring and maximizing the quality, utility, objectivity, and integrity of disseminated information. |
| CCI-003473 |
The organization issues guidelines ensuring the integrity of disseminated Privacy Act information. |
The organization conducting the inspection/assessment reviews the PII integrity guidelines for the organization being inspected/assessed against documentation for the program or system to ensure integrity thresholds are being met. |
The organization being inspected/assessed defines and issues PII integrity guidelines IAW DoD 5400.11-R. Integrity guidelines are tailored as necessary for specific programs or systems. |
Data Quality |
DI-1 |
DI-1.11 |
Organizations take reasonable steps to confirm the accuracy and relevance of PII. Such steps may include, for example, editing and validating addresses as they are collected or entered into information systems using automated address verification look-up application programming interfaces (API). The types of measures taken to protect data quality are based on the nature and context of the PII, how it is to be used, and how it was obtained. Measures taken to validate the accuracy of PII that is used to make determinations about the rights, benefits, or privileges of individuals under federal programs may be more comprehensive than those used to validate less sensitive PII. Additional steps may be necessary to validate PII that is obtained from sources other than individuals or the authorized representatives of individuals.
When PII is of a sufficiently sensitive nature (e.g., when it is used for annual reconfirmation of a taxpayer’s income for a recurring benefit), organizations incorporate mechanisms into information systems and develop corresponding procedures for how frequently, and by what method, the information is to be updated. Related controls: AP-2, DI-2, DM-1, IP-3, SI-10. |
The organization:
a. Confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the accuracy, relevance, timeliness, and completeness of that
information;
b. Collects PII directly from the individual to the greatest extent practicable;
c. Checks for, and corrects as necessary, any inaccurate or outdated PII used by its programs or systems [Assignment: organization-defined frequency]; and
d. Issues guidelines ensuring and maximizing the quality, utility, objectivity, and integrity of disseminated information. |
| CCI-003474 |
The organization issues guidelines maximizing the quality of disseminated Privacy Act information. |
The organization conducting the inspection/assessment reviews the PII quality guidelines for the organization being inspected/assessed against documentation for the program or system to ensure quality thresholds are being met. |
The organization being inspected/assessed defines and issues PII quality guidelines IAW DoD 5400.11-R. Quality guidelines are tailored as necessary for specific programs or systems. |
Data Quality |
DI-1 |
DI-1.12 |
Organizations take reasonable steps to confirm the accuracy and relevance of PII. Such steps may include, for example, editing and validating addresses as they are collected or entered into information systems using automated address verification look-up application programming interfaces (API). The types of measures taken to protect data quality are based on the nature and context of the PII, how it is to be used, and how it was obtained. Measures taken to validate the accuracy of PII that is used to make determinations about the rights, benefits, or privileges of individuals under federal programs may be more comprehensive than those used to validate less sensitive PII. Additional steps may be necessary to validate PII that is obtained from sources other than individuals or the authorized representatives of individuals.
When PII is of a sufficiently sensitive nature (e.g., when it is used for annual reconfirmation of a taxpayer’s income for a recurring benefit), organizations incorporate mechanisms into information systems and develop corresponding procedures for how frequently, and by what method, the information is to be updated. Related controls: AP-2, DI-2, DM-1, IP-3, SI-10. |
The organization:
a. Confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the accuracy, relevance, timeliness, and completeness of that
information;
b. Collects PII directly from the individual to the greatest extent practicable;
c. Checks for, and corrects as necessary, any inaccurate or outdated PII used by its programs or systems [Assignment: organization-defined frequency]; and
d. Issues guidelines ensuring and maximizing the quality, utility, objectivity, and integrity of disseminated information. |
| CCI-003475 |
The organization issues guidelines maximizing the utility of disseminated Privacy Act information. |
The organization conducting the inspection/assessment reviews the PII utility guidelines for the organization being inspected/assessed against documentation for the program or system to ensure utility thresholds are being met and that PII is not shared other than as allowed by policy or notice. |
The organization being inspected/assessed defines and issues PII utility guidelines IAW DoD 5400.11-R. Utility guidelines are tailored as necessary for specific programs or systems. Utility of information covered under the Privacy Act is strictly limited to an authorized purpose and need-to-know. When evaluating options for greater PII utility, consult with the DoD Component's privacy office. |
Data Quality |
DI-1 |
DI-1.13 |
Organizations take reasonable steps to confirm the accuracy and relevance of PII. Such steps may include, for example, editing and validating addresses as they are collected or entered into information systems using automated address verification look-up application programming interfaces (API). The types of measures taken to protect data quality are based on the nature and context of the PII, how it is to be used, and how it was obtained. Measures taken to validate the accuracy of PII that is used to make determinations about the rights, benefits, or privileges of individuals under federal programs may be more comprehensive than those used to validate less sensitive PII. Additional steps may be necessary to validate PII that is obtained from sources other than individuals or the authorized representatives of individuals.
When PII is of a sufficiently sensitive nature (e.g., when it is used for annual reconfirmation of a taxpayer’s income for a recurring benefit), organizations incorporate mechanisms into information systems and develop corresponding procedures for how frequently, and by what method, the information is to be updated. Related controls: AP-2, DI-2, DM-1, IP-3, SI-10. |
The organization:
a. Confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the accuracy, relevance, timeliness, and completeness of that
information;
b. Collects PII directly from the individual to the greatest extent practicable;
c. Checks for, and corrects as necessary, any inaccurate or outdated PII used by its programs or systems [Assignment: organization-defined frequency]; and
d. Issues guidelines ensuring and maximizing the quality, utility, objectivity, and integrity of disseminated information. |
| CCI-003476 |
The organization issues guidelines maximizing the objectivity of disseminated Privacy Act information. |
The organization conducting the inspection/assessment reviews the PII objectivity guidelines for the organization being inspected/assessed against documentation for the program or system to ensure objectivity thresholds are being met. |
The organization being inspected/assessed defines and issues PII objectivity guidelines IAW DoD 5400.11-R. Objectivity guidelines are tailored as necessary for specific programs or systems. |
Data Quality |
DI-1 |
DI-1.14 |
Organizations take reasonable steps to confirm the accuracy and relevance of PII. Such steps may include, for example, editing and validating addresses as they are collected or entered into information systems using automated address verification look-up application programming interfaces (API). The types of measures taken to protect data quality are based on the nature and context of the PII, how it is to be used, and how it was obtained. Measures taken to validate the accuracy of PII that is used to make determinations about the rights, benefits, or privileges of individuals under federal programs may be more comprehensive than those used to validate less sensitive PII. Additional steps may be necessary to validate PII that is obtained from sources other than individuals or the authorized representatives of individuals.
When PII is of a sufficiently sensitive nature (e.g., when it is used for annual reconfirmation of a taxpayer’s income for a recurring benefit), organizations incorporate mechanisms into information systems and develop corresponding procedures for how frequently, and by what method, the information is to be updated. Related controls: AP-2, DI-2, DM-1, IP-3, SI-10. |
The organization:
a. Confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the accuracy, relevance, timeliness, and completeness of that
information;
b. Collects PII directly from the individual to the greatest extent practicable;
c. Checks for, and corrects as necessary, any inaccurate or outdated PII used by its programs or systems [Assignment: organization-defined frequency]; and
d. Issues guidelines ensuring and maximizing the quality, utility, objectivity, and integrity of disseminated information. |
| CCI-003477 |
The organization issues guidelines maximizing the integrity of disseminated Privacy Act information. |
The organization conducting the inspection/assessment reviews the PII integrity guidelines for the organization being inspected/assessed against documentation for the program or system to ensure integrity thresholds are being met. |
The organization being inspected/assessed defines and issues PII integrity guidelines IAW DoD 5400.11-R. Integrity guidelines are tailored as necessary for specific programs or systems. |
Data Quality |
DI-1 |
DI-1.15 |
Organizations take reasonable steps to confirm the accuracy and relevance of PII. Such steps may include, for example, editing and validating addresses as they are collected or entered into information systems using automated address verification look-up application programming interfaces (API). The types of measures taken to protect data quality are based on the nature and context of the PII, how it is to be used, and how it was obtained. Measures taken to validate the accuracy of PII that is used to make determinations about the rights, benefits, or privileges of individuals under federal programs may be more comprehensive than those used to validate less sensitive PII. Additional steps may be necessary to validate PII that is obtained from sources other than individuals or the authorized representatives of individuals.
When PII is of a sufficiently sensitive nature (e.g., when it is used for annual reconfirmation of a taxpayer’s income for a recurring benefit), organizations incorporate mechanisms into information systems and develop corresponding procedures for how frequently, and by what method, the information is to be updated. Related controls: AP-2, DI-2, DM-1, IP-3, SI-10. |
The organization:
a. Confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the accuracy, relevance, timeliness, and completeness of that
information;
b. Collects PII directly from the individual to the greatest extent practicable;
c. Checks for, and corrects as necessary, any inaccurate or outdated PII used by its programs or systems [Assignment: organization-defined frequency]; and
d. Issues guidelines ensuring and maximizing the quality, utility, objectivity, and integrity of disseminated information. |
| CCI-003478 |
The organization requests the individual or individual^s authorized representative validate personally identifiable information (PII) during the collection process. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed requests the individual or individual's authorized representative validate PII during the collection process. |
The organization being inspected/assessed documents and implements a process to request the individual or individual's authorized representative validate PII during the collection process. |
Data Quality | Validate PII |
DI-1 (1) |
DI-1(1).1 |
|
The organization requests that the individual or individual’s authorized representative validate PII during the collection process. |
| CCI-003479 |
The organization defines the frequency on which it will request the individual, or individual^s authorized representative, revalidate that personally identifiable information (PII) collected is still accurate. |
The organization conducting the inspection/assessment obtains and examines the documented frequency to ensure the organization being inspected/assessed defines and documents the frequency on which it will request the individual, or individual's authorized representative, revalidate that PII collected is still accurate.
DoD has determined the frequency is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the frequency on which it will request the individual, or individual's authorized representative, revalidate that PII collected is still accurate. The frequency should be as often as is necessary to ensure the PII is accurate, relevant, timely, and complete; commensurate with the impact of the determination to an individual's rights, benefits, or privileges as determined by the system owner in consultation with the organization's privacy office.
DoD has determined the frequency is not appropriate to define at the Enterprise level. |
Data Quality | Re-Validate PII |
DI-1 (2) |
DI-1(2).1 |
|
The organization requests that the individual or individual’s authorized representative revalidate that PII collected is still accurate [Assignment: organization-defined frequency]. |
| CCI-003480 |
On an organization-defined frequency, the organization requests the individual, or individual^s authorized representative, revalidate that personally identifiable information (PII) collected is still accurate. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed requests the individual, or individual's authorized representative, revalidate that PII collected is still accurate. as frequently as is necessary to ensure the PII is accurate, relevant, timely, and complete; commensurate with the impact of the determination to an individual's rights, benefits, or privileges as determined by the system owner in consultation with the organization's privacy office. |
The organization being inspected/assessed documents and implements a process to request the individual, or individual's authorized representative, revalidate that PII collected is still accurate, as frequently as is necessary to ensure the PII is accurate, relevant, timely, and complete; commensurate with the impact of the determination to an individual's rights, benefits, or privileges as determined by the system owner in consultation with the organization's privacy office. |
Data Quality | Re-Validate PII |
DI-1 (2) |
DI-1(2).2 |
|
The organization requests that the individual or individual’s authorized representative revalidate that PII collected is still accurate [Assignment: organization-defined frequency]. |
| CCI-003481 |
The organization documents processes to ensure the integrity of personally identifiable information (PII) through existing security controls. |
|
|
|
|
|
|
|
| CCI-003482 |
The organization, when appropriate, establishes a Data Integrity Board. |
|
|
|
|
|
|
|
| CCI-003483 |
The organization^s Data Integrity Board oversees the organizational Computer Matching Agreements. |
|
|
|
|
|
|
|
| CCI-003484 |
The organization^s Data Integrity Board ensures the Computer Matching Agreements comply with the computer matching provisions of the Privacy Act. |
|
|
|
|
|
|
|
| CCI-003485 |
The organization publishes Computer Matching Agreements on its public website. |
|
|
|
|
|
|
|
| CCI-003486 |
The organization identifies the minimum personally identifiable information (PII) elements that are relevant and necessary to accomplish the legally authorized purpose of collection. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed identifies the minimum personally identifiable information (PII) elements that are relevant and necessary to accomplish the legally authorized purpose of collection. |
The organization being inspected/assessed documents and implements a process to identify the minimum personally identifiable information (PII) elements that are relevant and necessary to accomplish the legally authorized purpose of collection. |
Minimization Of Personally Identifiable Information |
DM-1 |
DM-1.1 |
Organizations take appropriate steps to ensure that the collection of PII is consistent with a purpose authorized by law or regulation. The minimum set of PII elements required to support a specific organization business process may be a subset of the PII the organization is authorized to collect. Program officials consult with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) and legal counsel to identify the minimum PII elements required by the information system or activity to accomplish the legally authorized purpose.
Organizations can further reduce their privacy and security risks by also reducing their inventory of PII, where appropriate. OMB Memorandum 07-16 requires organizations to conduct both an initial review and subsequent reviews of their holdings of all PII and ensure, to the maximum extent practicable, that such holdings are accurate, relevant, timely, and complete. Organizations are also directed by OMB to reduce their holdings to the minimum necessary for the proper performance of a documented organizational business purpose. OMB Memorandum 07-16 requires organizations to develop and publicize, either through a notice in the Federal Register or on their websites, a schedule for periodic reviews of their holdings to supplement the initial review. Organizations coordinate with their federal records officers to ensure that reductions in organizational holdings of PII are consistent with NARA retention schedules.
By performing periodic evaluations, organizations reduce risk, ensure that they are collecting only the data specified in the notice, and ensure that the data collected is still relevant and necessary for the purpose(s) specified in the notice. Related controls: AP-1, AP-2, AR-4, IP-1, SE-1, SI-12, TR-1. |
The organization:
a. Identifies the minimum personally identifiable information (PII) elements that are relevant and necessary to accomplish the legally authorized purpose of collection;
b. Limits the collection and retention of PII to the minimum elements identified for the purposes described in the notice and for which the individual has provided consent; and
c. Conducts an initial evaluation of PII holdings and establishes and follows a schedule for regularly reviewing those holdings [Assignment: organization-defined frequency, at least annually] to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be necessary to accomplish the legally authorized purpose. |
| CCI-003487 |
The organization limits the collection and retention of personally identifiable information (PII) to the minimum elements identified for the purposes described in the published privacy notice. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed limits the collection and retention of PII to the minimum elements identified for the purposes described in the published SORN and Privacy Act Statement. |
The organization being inspected/assessed documents and implements a process to limit the collection and retention of PII to the minimum elements identified for the purposes described in the published SORN and Privacy Act Statement. |
Minimization Of Personally Identifiable Information |
DM-1 |
DM-1.2 |
Organizations take appropriate steps to ensure that the collection of PII is consistent with a purpose authorized by law or regulation. The minimum set of PII elements required to support a specific organization business process may be a subset of the PII the organization is authorized to collect. Program officials consult with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) and legal counsel to identify the minimum PII elements required by the information system or activity to accomplish the legally authorized purpose.
Organizations can further reduce their privacy and security risks by also reducing their inventory of PII, where appropriate. OMB Memorandum 07-16 requires organizations to conduct both an initial review and subsequent reviews of their holdings of all PII and ensure, to the maximum extent practicable, that such holdings are accurate, relevant, timely, and complete. Organizations are also directed by OMB to reduce their holdings to the minimum necessary for the proper performance of a documented organizational business purpose. OMB Memorandum 07-16 requires organizations to develop and publicize, either through a notice in the Federal Register or on their websites, a schedule for periodic reviews of their holdings to supplement the initial review. Organizations coordinate with their federal records officers to ensure that reductions in organizational holdings of PII are consistent with NARA retention schedules.
By performing periodic evaluations, organizations reduce risk, ensure that they are collecting only the data specified in the notice, and ensure that the data collected is still relevant and necessary for the purpose(s) specified in the notice. Related controls: AP-1, AP-2, AR-4, IP-1, SE-1, SI-12, TR-1. |
The organization:
a. Identifies the minimum personally identifiable information (PII) elements that are relevant and necessary to accomplish the legally authorized purpose of collection;
b. Limits the collection and retention of PII to the minimum elements identified for the purposes described in the notice and for which the individual has provided consent; and
c. Conducts an initial evaluation of PII holdings and establishes and follows a schedule for regularly reviewing those holdings [Assignment: organization-defined frequency, at least annually] to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be necessary to accomplish the legally authorized purpose. |
| CCI-003488 |
The organization limits the collection and retention of personally identifiable information (PII) to the minimum elements identified for the purposes which the individual has provided consent. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed limits the collection and retention of PII to the minimum elements identified for the purposes which the individual has provided consent. |
The organization being inspected/assessed documents and implements a process to limit the collection and retention of PII to the minimum elements identified for the purposes which the individual has provided consent. |
Minimization Of Personally Identifiable Information |
DM-1 |
DM-1.3 |
Organizations take appropriate steps to ensure that the collection of PII is consistent with a purpose authorized by law or regulation. The minimum set of PII elements required to support a specific organization business process may be a subset of the PII the organization is authorized to collect. Program officials consult with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) and legal counsel to identify the minimum PII elements required by the information system or activity to accomplish the legally authorized purpose.
Organizations can further reduce their privacy and security risks by also reducing their inventory of PII, where appropriate. OMB Memorandum 07-16 requires organizations to conduct both an initial review and subsequent reviews of their holdings of all PII and ensure, to the maximum extent practicable, that such holdings are accurate, relevant, timely, and complete. Organizations are also directed by OMB to reduce their holdings to the minimum necessary for the proper performance of a documented organizational business purpose. OMB Memorandum 07-16 requires organizations to develop and publicize, either through a notice in the Federal Register or on their websites, a schedule for periodic reviews of their holdings to supplement the initial review. Organizations coordinate with their federal records officers to ensure that reductions in organizational holdings of PII are consistent with NARA retention schedules.
By performing periodic evaluations, organizations reduce risk, ensure that they are collecting only the data specified in the notice, and ensure that the data collected is still relevant and necessary for the purpose(s) specified in the notice. Related controls: AP-1, AP-2, AR-4, IP-1, SE-1, SI-12, TR-1. |
The organization:
a. Identifies the minimum personally identifiable information (PII) elements that are relevant and necessary to accomplish the legally authorized purpose of collection;
b. Limits the collection and retention of PII to the minimum elements identified for the purposes described in the notice and for which the individual has provided consent; and
c. Conducts an initial evaluation of PII holdings and establishes and follows a schedule for regularly reviewing those holdings [Assignment: organization-defined frequency, at least annually] to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be necessary to accomplish the legally authorized purpose. |
| CCI-003489 |
The organization defines the frequency, minimally annually, for conducting reviews of its personally identifiable information (PII) holdings. |
DoD has defines the frequency as annually as part of the agency's report under FISMA. |
DoD has defines the frequency as annually as part of the agency's report under FISMA. |
Minimization Of Personally Identifiable Information |
DM-1 |
DM-1.4 |
Organizations take appropriate steps to ensure that the collection of PII is consistent with a purpose authorized by law or regulation. The minimum set of PII elements required to support a specific organization business process may be a subset of the PII the organization is authorized to collect. Program officials consult with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) and legal counsel to identify the minimum PII elements required by the information system or activity to accomplish the legally authorized purpose.
Organizations can further reduce their privacy and security risks by also reducing their inventory of PII, where appropriate. OMB Memorandum 07-16 requires organizations to conduct both an initial review and subsequent reviews of their holdings of all PII and ensure, to the maximum extent practicable, that such holdings are accurate, relevant, timely, and complete. Organizations are also directed by OMB to reduce their holdings to the minimum necessary for the proper performance of a documented organizational business purpose. OMB Memorandum 07-16 requires organizations to develop and publicize, either through a notice in the Federal Register or on their websites, a schedule for periodic reviews of their holdings to supplement the initial review. Organizations coordinate with their federal records officers to ensure that reductions in organizational holdings of PII are consistent with NARA retention schedules.
By performing periodic evaluations, organizations reduce risk, ensure that they are collecting only the data specified in the notice, and ensure that the data collected is still relevant and necessary for the purpose(s) specified in the notice. Related controls: AP-1, AP-2, AR-4, IP-1, SE-1, SI-12, TR-1. |
The organization:
a. Identifies the minimum personally identifiable information (PII) elements that are relevant and necessary to accomplish the legally authorized purpose of collection;
b. Limits the collection and retention of PII to the minimum elements identified for the purposes described in the notice and for which the individual has provided consent; and
c. Conducts an initial evaluation of PII holdings and establishes and follows a schedule for regularly reviewing those holdings [Assignment: organization-defined frequency, at least annually] to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be necessary to accomplish the legally authorized purpose. |
| CCI-003490 |
The organization conducts an initial evaluation of personally identifiable information (PII) holdings. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed conducts an initial evaluation of PII holdings |
The organization being inspected/assessed documents and implements a process to conduct an initial evaluation of PII holdings. |
Minimization Of Personally Identifiable Information |
DM-1 |
DM-1.5 |
Organizations take appropriate steps to ensure that the collection of PII is consistent with a purpose authorized by law or regulation. The minimum set of PII elements required to support a specific organization business process may be a subset of the PII the organization is authorized to collect. Program officials consult with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) and legal counsel to identify the minimum PII elements required by the information system or activity to accomplish the legally authorized purpose.
Organizations can further reduce their privacy and security risks by also reducing their inventory of PII, where appropriate. OMB Memorandum 07-16 requires organizations to conduct both an initial review and subsequent reviews of their holdings of all PII and ensure, to the maximum extent practicable, that such holdings are accurate, relevant, timely, and complete. Organizations are also directed by OMB to reduce their holdings to the minimum necessary for the proper performance of a documented organizational business purpose. OMB Memorandum 07-16 requires organizations to develop and publicize, either through a notice in the Federal Register or on their websites, a schedule for periodic reviews of their holdings to supplement the initial review. Organizations coordinate with their federal records officers to ensure that reductions in organizational holdings of PII are consistent with NARA retention schedules.
By performing periodic evaluations, organizations reduce risk, ensure that they are collecting only the data specified in the notice, and ensure that the data collected is still relevant and necessary for the purpose(s) specified in the notice. Related controls: AP-1, AP-2, AR-4, IP-1, SE-1, SI-12, TR-1. |
The organization:
a. Identifies the minimum personally identifiable information (PII) elements that are relevant and necessary to accomplish the legally authorized purpose of collection;
b. Limits the collection and retention of PII to the minimum elements identified for the purposes described in the notice and for which the individual has provided consent; and
c. Conducts an initial evaluation of PII holdings and establishes and follows a schedule for regularly reviewing those holdings [Assignment: organization-defined frequency, at least annually] to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be necessary to accomplish the legally authorized purpose. |
| CCI-003491 |
The organization establishes a schedule for regularly reviewing the personally identifiable information (PII) holdings on an organization-defined frequency to ensure that only PII identified in the notice is collected and retained. |
The organization conducting the inspection/assessment obtains and examines the documented schedule to ensure the organization being inspected/assessed establishes a schedule for regularly reviewing the PII holdings at least annually as part of the agency's report under FISMA to ensure that only PII identified in the notice is collected and retained.
DoD has defined the frequency as at least annually as part of the agency's report under FISMA. |
The organization being inspected/assessed establishes and documents a schedule for regularly reviewing the PII holdings at least annually as part of the agency's report under FISMA to ensure that only PII identified in the notice is collected and retained.
DoD has defined the frequency as at least annually as part of the agency's report under FISMA. |
Minimization Of Personally Identifiable Information |
DM-1 |
DM-1.6 |
Organizations take appropriate steps to ensure that the collection of PII is consistent with a purpose authorized by law or regulation. The minimum set of PII elements required to support a specific organization business process may be a subset of the PII the organization is authorized to collect. Program officials consult with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) and legal counsel to identify the minimum PII elements required by the information system or activity to accomplish the legally authorized purpose.
Organizations can further reduce their privacy and security risks by also reducing their inventory of PII, where appropriate. OMB Memorandum 07-16 requires organizations to conduct both an initial review and subsequent reviews of their holdings of all PII and ensure, to the maximum extent practicable, that such holdings are accurate, relevant, timely, and complete. Organizations are also directed by OMB to reduce their holdings to the minimum necessary for the proper performance of a documented organizational business purpose. OMB Memorandum 07-16 requires organizations to develop and publicize, either through a notice in the Federal Register or on their websites, a schedule for periodic reviews of their holdings to supplement the initial review. Organizations coordinate with their federal records officers to ensure that reductions in organizational holdings of PII are consistent with NARA retention schedules.
By performing periodic evaluations, organizations reduce risk, ensure that they are collecting only the data specified in the notice, and ensure that the data collected is still relevant and necessary for the purpose(s) specified in the notice. Related controls: AP-1, AP-2, AR-4, IP-1, SE-1, SI-12, TR-1. |
The organization:
a. Identifies the minimum personally identifiable information (PII) elements that are relevant and necessary to accomplish the legally authorized purpose of collection;
b. Limits the collection and retention of PII to the minimum elements identified for the purposes described in the notice and for which the individual has provided consent; and
c. Conducts an initial evaluation of PII holdings and establishes and follows a schedule for regularly reviewing those holdings [Assignment: organization-defined frequency, at least annually] to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be necessary to accomplish the legally authorized purpose. |
| CCI-003492 |
The organization follows a schedule for regularly reviewing the personally identifiable information (PII) holdings on an organization-defined frequency to ensure that only PII identified in the notice is collected and retained. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed follows a schedule for regularly reviewing the PII holdings per the frequency defined in DM-1, CCI 3489 to ensure that only PII identified in the notice is collected and retained. |
The organization being inspected/assessed documents and implements a process to follow a schedule for regularly reviewing the PII holdings per the frequency defined in DM-1, CCI 3489 to ensure that only PII identified in the notice is collected and retained. |
Minimization Of Personally Identifiable Information |
DM-1 |
DM-1.7 |
Organizations take appropriate steps to ensure that the collection of PII is consistent with a purpose authorized by law or regulation. The minimum set of PII elements required to support a specific organization business process may be a subset of the PII the organization is authorized to collect. Program officials consult with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) and legal counsel to identify the minimum PII elements required by the information system or activity to accomplish the legally authorized purpose.
Organizations can further reduce their privacy and security risks by also reducing their inventory of PII, where appropriate. OMB Memorandum 07-16 requires organizations to conduct both an initial review and subsequent reviews of their holdings of all PII and ensure, to the maximum extent practicable, that such holdings are accurate, relevant, timely, and complete. Organizations are also directed by OMB to reduce their holdings to the minimum necessary for the proper performance of a documented organizational business purpose. OMB Memorandum 07-16 requires organizations to develop and publicize, either through a notice in the Federal Register or on their websites, a schedule for periodic reviews of their holdings to supplement the initial review. Organizations coordinate with their federal records officers to ensure that reductions in organizational holdings of PII are consistent with NARA retention schedules.
By performing periodic evaluations, organizations reduce risk, ensure that they are collecting only the data specified in the notice, and ensure that the data collected is still relevant and necessary for the purpose(s) specified in the notice. Related controls: AP-1, AP-2, AR-4, IP-1, SE-1, SI-12, TR-1. |
The organization:
a. Identifies the minimum personally identifiable information (PII) elements that are relevant and necessary to accomplish the legally authorized purpose of collection;
b. Limits the collection and retention of PII to the minimum elements identified for the purposes described in the notice and for which the individual has provided consent; and
c. Conducts an initial evaluation of PII holdings and establishes and follows a schedule for regularly reviewing those holdings [Assignment: organization-defined frequency, at least annually] to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be necessary to accomplish the legally authorized purpose. |
| CCI-003493 |
The organization establishes a schedule for regularly reviewing the personally identifiable information (PII) holdings on an organization-defined frequency to ensure the PII continues to be necessary to accomplish the legally authorized purpose. |
The organization conducting the inspection/assessment obtains and examines the documented schedule to ensure the organization being inspected/assessed establishes a schedule for regularly reviewing the PII holdings per the frequency defined in DM-1, CCI 3489 to ensure the PII continues to be necessary to accomplish the legally authorized purpose. |
The organization being inspected/assessed establishes and documents a schedule for regularly reviewing the PII holdings per the frequency defined in DM-1, CCI 3489 to ensure the PII continues to be necessary to accomplish the legally authorized purpose. |
Minimization Of Personally Identifiable Information |
DM-1 |
DM-1.8 |
Organizations take appropriate steps to ensure that the collection of PII is consistent with a purpose authorized by law or regulation. The minimum set of PII elements required to support a specific organization business process may be a subset of the PII the organization is authorized to collect. Program officials consult with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) and legal counsel to identify the minimum PII elements required by the information system or activity to accomplish the legally authorized purpose.
Organizations can further reduce their privacy and security risks by also reducing their inventory of PII, where appropriate. OMB Memorandum 07-16 requires organizations to conduct both an initial review and subsequent reviews of their holdings of all PII and ensure, to the maximum extent practicable, that such holdings are accurate, relevant, timely, and complete. Organizations are also directed by OMB to reduce their holdings to the minimum necessary for the proper performance of a documented organizational business purpose. OMB Memorandum 07-16 requires organizations to develop and publicize, either through a notice in the Federal Register or on their websites, a schedule for periodic reviews of their holdings to supplement the initial review. Organizations coordinate with their federal records officers to ensure that reductions in organizational holdings of PII are consistent with NARA retention schedules.
By performing periodic evaluations, organizations reduce risk, ensure that they are collecting only the data specified in the notice, and ensure that the data collected is still relevant and necessary for the purpose(s) specified in the notice. Related controls: AP-1, AP-2, AR-4, IP-1, SE-1, SI-12, TR-1. |
The organization:
a. Identifies the minimum personally identifiable information (PII) elements that are relevant and necessary to accomplish the legally authorized purpose of collection;
b. Limits the collection and retention of PII to the minimum elements identified for the purposes described in the notice and for which the individual has provided consent; and
c. Conducts an initial evaluation of PII holdings and establishes and follows a schedule for regularly reviewing those holdings [Assignment: organization-defined frequency, at least annually] to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be necessary to accomplish the legally authorized purpose. |
| CCI-003494 |
The organization follows a schedule for regularly reviewing the personally identifiable information (PII) holdings on an organization-defined frequency to ensure the PII continues to be necessary to accomplish the legally authorized purpose. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed follows a schedule for regularly reviewing the PII holdings per the frequency defined in DM-1, CCI 3489 to ensure the PII continues to be necessary to accomplish the legally authorized purpose. |
The organization being inspected/assessed documents and implements a process to follow a schedule for regularly reviewing the PII holdings per the frequency defined in DM-1, CCI 3489 to ensure the PII continues to be necessary to accomplish the legally authorized purpose. |
Minimization Of Personally Identifiable Information |
DM-1 |
DM-1.9 |
Organizations take appropriate steps to ensure that the collection of PII is consistent with a purpose authorized by law or regulation. The minimum set of PII elements required to support a specific organization business process may be a subset of the PII the organization is authorized to collect. Program officials consult with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) and legal counsel to identify the minimum PII elements required by the information system or activity to accomplish the legally authorized purpose.
Organizations can further reduce their privacy and security risks by also reducing their inventory of PII, where appropriate. OMB Memorandum 07-16 requires organizations to conduct both an initial review and subsequent reviews of their holdings of all PII and ensure, to the maximum extent practicable, that such holdings are accurate, relevant, timely, and complete. Organizations are also directed by OMB to reduce their holdings to the minimum necessary for the proper performance of a documented organizational business purpose. OMB Memorandum 07-16 requires organizations to develop and publicize, either through a notice in the Federal Register or on their websites, a schedule for periodic reviews of their holdings to supplement the initial review. Organizations coordinate with their federal records officers to ensure that reductions in organizational holdings of PII are consistent with NARA retention schedules.
By performing periodic evaluations, organizations reduce risk, ensure that they are collecting only the data specified in the notice, and ensure that the data collected is still relevant and necessary for the purpose(s) specified in the notice. Related controls: AP-1, AP-2, AR-4, IP-1, SE-1, SI-12, TR-1. |
The organization:
a. Identifies the minimum personally identifiable information (PII) elements that are relevant and necessary to accomplish the legally authorized purpose of collection;
b. Limits the collection and retention of PII to the minimum elements identified for the purposes described in the notice and for which the individual has provided consent; and
c. Conducts an initial evaluation of PII holdings and establishes and follows a schedule for regularly reviewing those holdings [Assignment: organization-defined frequency, at least annually] to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be necessary to accomplish the legally authorized purpose. |
| CCI-003495 |
The organization, where feasible and within the limits of technology, locates and removes/redacts specified personally identifiable information (PII). |
|
|
|
|
|
|
|
| CCI-003496 |
The organization, where feasible and within the limits of technology, uses anonymization and de-identification techniques to permit use of the retained Privacy Act information while reducing its sensitivity and reducing the risk resulting from disclosure. |
|
|
|
|
|
|
|
| CCI-003497 |
The organization defines the time period for retaining each collection of personally identifiable information (PII) that is required to fulfill the purpose(s) identified in the published privacy notice or required by law. |
The organization conducting the inspection/assessment obtains and examines the documented time period to ensure the organization being inspected/assessed define and document the time period IAW the NARA-approved Records Schedule and the Privacy Act System of Records Notice.
DoD has determined the time period is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed must define and document the time period IAW the NARA-approved Records Schedule and the Privacy Act System of Records Notice.
DoD has determined the time period is not appropriate to define at the Enterprise level. |
Data Retention And Disposal |
DM-2 |
DM-2.1 |
NARA provides retention schedules that govern the disposition of federal records. Program officials coordinate with records officers and with NARA to identify appropriate retention periods and disposal methods. NARA may require organizations to retain PII longer than is operationally needed. In those situations, organizations describe such requirements in the notice. Methods of storage include, for example, electronic, optical media, or paper.
Examples of ways organizations may reduce holdings include reducing the types of PII held (e.g., delete Social Security numbers if their use is no longer needed) or shortening the retention period for PII that is maintained if it is no longer necessary to keep PII for long periods of time (this effort is undertaken in consultation with an organization’s records officer to receive NARA approval). In both examples, organizations provide notice (e.g., an updated System of Records Notice) to inform the public of any changes in holdings of PII.
Certain read-only archiving techniques, such as DVDs, CDs, microfilm, or microfiche, may not permit the removal of individual records without the destruction of the entire database contained on such media. Related controls: AR-4, AU-11, DM-1, MP-1, MP-2, MP-3, MP-4, MP-5, MP-6, MP-7, MP-8, SI-12, TR-1. |
The organization:
a. Retains each collection of personally identifiable information (PII) for [Assignment: organization-defined time period] to fulfill the purpose(s) identified in the notice or as required by law;
b. Disposes of, destroys, erases, and/or anonymizes the PII, regardless of the method of storage, in accordance with a NARA-approved record retention schedule and in a manner that prevents loss, theft, misuse, or unauthorized access; and
c. Uses [Assignment: organization-defined techniques or methods] to ensure secure deletion or destruction of PII (including originals, copies, and archived records). |
| CCI-003498 |
The organization retains each collection of personally identifiable information (PII) for the organization-defined time period to fulfill the purpose(s) identified in the published privacy notice or as required by law. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed retains each collection of PII for the time period defined in DM-2, CCI 3497 to fulfill the purpose(s) identified in the published SORN and Privacy Act Statement or as required by law. |
The organization being inspected/assessed documents and implements a process to retain each collection of PII for the time period defined DM-2, CCI 3497 to fulfill the purpose(s) identified in the published SORN and Privacy Act Statement or as required by law. |
Data Retention And Disposal |
DM-2 |
DM-2.2 |
NARA provides retention schedules that govern the disposition of federal records. Program officials coordinate with records officers and with NARA to identify appropriate retention periods and disposal methods. NARA may require organizations to retain PII longer than is operationally needed. In those situations, organizations describe such requirements in the notice. Methods of storage include, for example, electronic, optical media, or paper.
Examples of ways organizations may reduce holdings include reducing the types of PII held (e.g., delete Social Security numbers if their use is no longer needed) or shortening the retention period for PII that is maintained if it is no longer necessary to keep PII for long periods of time (this effort is undertaken in consultation with an organization’s records officer to receive NARA approval). In both examples, organizations provide notice (e.g., an updated System of Records Notice) to inform the public of any changes in holdings of PII.
Certain read-only archiving techniques, such as DVDs, CDs, microfilm, or microfiche, may not permit the removal of individual records without the destruction of the entire database contained on such media. Related controls: AR-4, AU-11, DM-1, MP-1, MP-2, MP-3, MP-4, MP-5, MP-6, MP-7, MP-8, SI-12, TR-1. |
The organization:
a. Retains each collection of personally identifiable information (PII) for [Assignment: organization-defined time period] to fulfill the purpose(s) identified in the notice or as required by law;
b. Disposes of, destroys, erases, and/or anonymizes the PII, regardless of the method of storage, in accordance with a NARA-approved record retention schedule and in a manner that prevents loss, theft, misuse, or unauthorized access; and
c. Uses [Assignment: organization-defined techniques or methods] to ensure secure deletion or destruction of PII (including originals, copies, and archived records). |
| CCI-003499 |
The organization disposes of, destroys, erases, and/or anonymizes the personally identifiable information (PII), regardless of the method of storage, in accordance with a NARA-approved record retention schedule. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed disposes of, destroys, erases, and/or anonymizes the PII, regardless of the method of storage, in accordance with a NARA-approved record retention schedule. |
The organization being inspected/assessed documents and implements a process to dispose of, destroy, erase, and/or anonymize the PII, regardless of the method of storage, in accordance with a NARA-approved record retention schedule. |
Data Retention And Disposal |
DM-2 |
DM-2.3 |
NARA provides retention schedules that govern the disposition of federal records. Program officials coordinate with records officers and with NARA to identify appropriate retention periods and disposal methods. NARA may require organizations to retain PII longer than is operationally needed. In those situations, organizations describe such requirements in the notice. Methods of storage include, for example, electronic, optical media, or paper.
Examples of ways organizations may reduce holdings include reducing the types of PII held (e.g., delete Social Security numbers if their use is no longer needed) or shortening the retention period for PII that is maintained if it is no longer necessary to keep PII for long periods of time (this effort is undertaken in consultation with an organization’s records officer to receive NARA approval). In both examples, organizations provide notice (e.g., an updated System of Records Notice) to inform the public of any changes in holdings of PII.
Certain read-only archiving techniques, such as DVDs, CDs, microfilm, or microfiche, may not permit the removal of individual records without the destruction of the entire database contained on such media. Related controls: AR-4, AU-11, DM-1, MP-1, MP-2, MP-3, MP-4, MP-5, MP-6, MP-7, MP-8, SI-12, TR-1. |
The organization:
a. Retains each collection of personally identifiable information (PII) for [Assignment: organization-defined time period] to fulfill the purpose(s) identified in the notice or as required by law;
b. Disposes of, destroys, erases, and/or anonymizes the PII, regardless of the method of storage, in accordance with a NARA-approved record retention schedule and in a manner that prevents loss, theft, misuse, or unauthorized access; and
c. Uses [Assignment: organization-defined techniques or methods] to ensure secure deletion or destruction of PII (including originals, copies, and archived records). |
| CCI-003500 |
The organization disposes of, destroys, erases, and/or anonymizes the personally identifiable information (PII), regardless of the method of storage, in a manner that prevents loss, theft, misuse, or unauthorized access. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed disposes of, destroys, erases, and/or anonymizes the PII, regardless of the method of storage, in a manner that prevents loss, theft, misuse, or unauthorized access. |
The organization being inspected/assessed documents and implements a process to dispose of, destroy, erase, and/or anonymize the PII, regardless of the method of storage, in a manner that prevents loss, theft, misuse, or unauthorized access. |
Data Retention And Disposal |
DM-2 |
DM-2.4 |
NARA provides retention schedules that govern the disposition of federal records. Program officials coordinate with records officers and with NARA to identify appropriate retention periods and disposal methods. NARA may require organizations to retain PII longer than is operationally needed. In those situations, organizations describe such requirements in the notice. Methods of storage include, for example, electronic, optical media, or paper.
Examples of ways organizations may reduce holdings include reducing the types of PII held (e.g., delete Social Security numbers if their use is no longer needed) or shortening the retention period for PII that is maintained if it is no longer necessary to keep PII for long periods of time (this effort is undertaken in consultation with an organization’s records officer to receive NARA approval). In both examples, organizations provide notice (e.g., an updated System of Records Notice) to inform the public of any changes in holdings of PII.
Certain read-only archiving techniques, such as DVDs, CDs, microfilm, or microfiche, may not permit the removal of individual records without the destruction of the entire database contained on such media. Related controls: AR-4, AU-11, DM-1, MP-1, MP-2, MP-3, MP-4, MP-5, MP-6, MP-7, MP-8, SI-12, TR-1. |
The organization:
a. Retains each collection of personally identifiable information (PII) for [Assignment: organization-defined time period] to fulfill the purpose(s) identified in the notice or as required by law;
b. Disposes of, destroys, erases, and/or anonymizes the PII, regardless of the method of storage, in accordance with a NARA-approved record retention schedule and in a manner that prevents loss, theft, misuse, or unauthorized access; and
c. Uses [Assignment: organization-defined techniques or methods] to ensure secure deletion or destruction of PII (including originals, copies, and archived records). |
| CCI-003501 |
The organization defines the techniques or methods to be employed to ensure the secure deletion or destruction of personally identifiable information (PII) (including originals, copies, and archived records). |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the techniques or methods as techniques and methods IAW DoD 5400.11-R. |
DoD has defined the techniques or methods as techniques and methods IAW DoD 5400.11-R. |
Data Retention And Disposal |
DM-2 |
DM-2.5 |
NARA provides retention schedules that govern the disposition of federal records. Program officials coordinate with records officers and with NARA to identify appropriate retention periods and disposal methods. NARA may require organizations to retain PII longer than is operationally needed. In those situations, organizations describe such requirements in the notice. Methods of storage include, for example, electronic, optical media, or paper.
Examples of ways organizations may reduce holdings include reducing the types of PII held (e.g., delete Social Security numbers if their use is no longer needed) or shortening the retention period for PII that is maintained if it is no longer necessary to keep PII for long periods of time (this effort is undertaken in consultation with an organization’s records officer to receive NARA approval). In both examples, organizations provide notice (e.g., an updated System of Records Notice) to inform the public of any changes in holdings of PII.
Certain read-only archiving techniques, such as DVDs, CDs, microfilm, or microfiche, may not permit the removal of individual records without the destruction of the entire database contained on such media. Related controls: AR-4, AU-11, DM-1, MP-1, MP-2, MP-3, MP-4, MP-5, MP-6, MP-7, MP-8, SI-12, TR-1. |
The organization:
a. Retains each collection of personally identifiable information (PII) for [Assignment: organization-defined time period] to fulfill the purpose(s) identified in the notice or as required by law;
b. Disposes of, destroys, erases, and/or anonymizes the PII, regardless of the method of storage, in accordance with a NARA-approved record retention schedule and in a manner that prevents loss, theft, misuse, or unauthorized access; and
c. Uses [Assignment: organization-defined techniques or methods] to ensure secure deletion or destruction of PII (including originals, copies, and archived records). |
| CCI-003502 |
The organization uses organization-defined techniques or methods to ensure secure deletion or destruction of personally identifiable information (PII) (including originals, copies, and archived records). |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed uses techniques and methods IAW DoD 5400.11-R to ensure secure deletion or destruction of PII (including originals, copies, and archived records).
DoD has defined the techniques or methods as techniques and methods IAW DoD 5400.11-R. |
The organization being inspected/assessed documents and implements a process to use techniques and methods IAW DoD 5400.11-R to ensure secure deletion or destruction of PII (including originals, copies, and archived records).
DoD has defined the techniques or methods as techniques and methods IAW DoD 5400.11-R. |
Data Retention And Disposal |
DM-2 |
DM-2.6 |
NARA provides retention schedules that govern the disposition of federal records. Program officials coordinate with records officers and with NARA to identify appropriate retention periods and disposal methods. NARA may require organizations to retain PII longer than is operationally needed. In those situations, organizations describe such requirements in the notice. Methods of storage include, for example, electronic, optical media, or paper.
Examples of ways organizations may reduce holdings include reducing the types of PII held (e.g., delete Social Security numbers if their use is no longer needed) or shortening the retention period for PII that is maintained if it is no longer necessary to keep PII for long periods of time (this effort is undertaken in consultation with an organization’s records officer to receive NARA approval). In both examples, organizations provide notice (e.g., an updated System of Records Notice) to inform the public of any changes in holdings of PII.
Certain read-only archiving techniques, such as DVDs, CDs, microfilm, or microfiche, may not permit the removal of individual records without the destruction of the entire database contained on such media. Related controls: AR-4, AU-11, DM-1, MP-1, MP-2, MP-3, MP-4, MP-5, MP-6, MP-7, MP-8, SI-12, TR-1. |
The organization:
a. Retains each collection of personally identifiable information (PII) for [Assignment: organization-defined time period] to fulfill the purpose(s) identified in the notice or as required by law;
b. Disposes of, destroys, erases, and/or anonymizes the PII, regardless of the method of storage, in accordance with a NARA-approved record retention schedule and in a manner that prevents loss, theft, misuse, or unauthorized access; and
c. Uses [Assignment: organization-defined techniques or methods] to ensure secure deletion or destruction of PII (including originals, copies, and archived records). |
| CCI-003503 |
The organization, where feasible, configures its information systems to record the date personally identifiable information (PII) is collected, created, or updated. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed configures, where feasible, its information systems to record the date PII is collected, created, or updated. |
The organization being inspected/assessed documents and implements a process to configure, where feasible, its information systems to record the date PII is collected, created, or updated. |
Data Retention And Disposal | System Configuration |
DM-2 (1) |
DM-2(1).1 |
N/A |
The organization, where feasible, configures its information systems to record the date PII is collected, created, or updated and when PII is to be deleted or archived under an approved record retention schedule. |
| CCI-003504 |
The organization, where feasible, configures its information systems to record the date personally identifiable information (PII) is created. |
|
|
|
|
|
|
|
| CCI-003505 |
The organization, where feasible, configures its information systems to record the date personally identifiable information (PII) is updated. |
|
|
|
|
|
|
|
| CCI-003506 |
The organization, where feasible, configures its information systems to record when personally identifiable information (PII) is to be deleted or archived under an approved record retention schedule. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed, where feasible, configures its information systems to record when PII is to be deleted or archived under a NARA-approved record retention schedule. |
The organization being inspected/assessed documents and implements a process to configure, where feasible, its information systems to record when PII is to be deleted or archived under a NARA-approved record retention schedule. |
Data Retention And Disposal | System Configuration |
DM-2 (1) |
DM-2(1).2 |
N/A |
The organization, where feasible, configures its information systems to record the date PII is collected, created, or updated and when PII is to be deleted or archived under an approved record retention schedule. |
| CCI-003507 |
The organization develops policies that minimize the use of personally identifiable information (PII) for testing. |
The organization conducting the inspection/assessment obtains and examines the documented policies to ensure the organization being inspected/assessed develops policies that minimize the use of PII for testing. |
The organization being inspected/assessed develops and documents policies that minimize the use of PII for testing. |
Minimization Of PII Used In Testing, Training, And Research |
DM-3 |
DM-3.1 |
Organizations often use PII for testing new applications or information systems prior to deployment. Organizations also use PII for research purposes and for training. The use of PII in testing, research, and training increases risk of unauthorized disclosure or misuse of the information. If PII must be used, organizations take measures to minimize any associated risks and to authorize the use of and limit the amount of PII for these purposes. Organizations consult with the SAOP/CPO and legal counsel to ensure that the use of PII in testing, training, and research is compatible with the original purpose for which it was collected. |
The organization:
a. Develops policies and procedures that minimize the use of personally identifiable information (PII) for testing, training, and research; and
b. Implements controls to protect PII used for testing, training, and research. |
| CCI-003508 |
The organization develops policies that minimize the use of personally identifiable information (PII) for training. |
The organization conducting the inspection/assessment obtains and examines the documented policies to ensure the organization being inspected/assessed develops policies that minimize the use of PII for training. |
The organization being inspected/assessed develops and documents policies that minimize the use of PII for training. |
Minimization Of PII Used In Testing, Training, And Research |
DM-3 |
DM-3.2 |
Organizations often use PII for testing new applications or information systems prior to deployment. Organizations also use PII for research purposes and for training. The use of PII in testing, research, and training increases risk of unauthorized disclosure or misuse of the information. If PII must be used, organizations take measures to minimize any associated risks and to authorize the use of and limit the amount of PII for these purposes. Organizations consult with the SAOP/CPO and legal counsel to ensure that the use of PII in testing, training, and research is compatible with the original purpose for which it was collected. |
The organization:
a. Develops policies and procedures that minimize the use of personally identifiable information (PII) for testing, training, and research; and
b. Implements controls to protect PII used for testing, training, and research. |
| CCI-003509 |
The organization develops policies that minimize the use of personally identifiable information (PII) for research. |
The organization conducting the inspection/assessment obtains and examines the documented policies to ensure the organization being inspected/assessed develops policies that minimize the use of PII for research. |
The organization being inspected/assessed develops and documents policies that minimize the use of PII for research. |
Minimization Of PII Used In Testing, Training, And Research |
DM-3 |
DM-3.3 |
Organizations often use PII for testing new applications or information systems prior to deployment. Organizations also use PII for research purposes and for training. The use of PII in testing, research, and training increases risk of unauthorized disclosure or misuse of the information. If PII must be used, organizations take measures to minimize any associated risks and to authorize the use of and limit the amount of PII for these purposes. Organizations consult with the SAOP/CPO and legal counsel to ensure that the use of PII in testing, training, and research is compatible with the original purpose for which it was collected. |
The organization:
a. Develops policies and procedures that minimize the use of personally identifiable information (PII) for testing, training, and research; and
b. Implements controls to protect PII used for testing, training, and research. |
| CCI-003510 |
The organization develops procedures that minimize the use of personally identifiable information (PII) for testing. |
The organization conducting the inspection/assessment obtains and examines the documented procedures to ensure the organization being inspected/assessed develops procedures that minimize the use of PII for testing. |
The organization being inspected/assessed develops and documents procedures that minimize the use of PII for testing. |
Minimization Of PII Used In Testing, Training, And Research |
DM-3 |
DM-3.4 |
Organizations often use PII for testing new applications or information systems prior to deployment. Organizations also use PII for research purposes and for training. The use of PII in testing, research, and training increases risk of unauthorized disclosure or misuse of the information. If PII must be used, organizations take measures to minimize any associated risks and to authorize the use of and limit the amount of PII for these purposes. Organizations consult with the SAOP/CPO and legal counsel to ensure that the use of PII in testing, training, and research is compatible with the original purpose for which it was collected. |
The organization:
a. Develops policies and procedures that minimize the use of personally identifiable information (PII) for testing, training, and research; and
b. Implements controls to protect PII used for testing, training, and research. |
| CCI-003511 |
The organization develops procedures that minimize the use of personally identifiable information (PII) for training. |
The organization conducting the inspection/assessment obtains and examines the documented procedures to ensure the organization being inspected/assessed develops procedures that minimize the use of PII for training. |
The organization being inspected/assessed develops and documents procedures that minimize the use of PII for training. |
Minimization Of PII Used In Testing, Training, And Research |
DM-3 |
DM-3.5 |
Organizations often use PII for testing new applications or information systems prior to deployment. Organizations also use PII for research purposes and for training. The use of PII in testing, research, and training increases risk of unauthorized disclosure or misuse of the information. If PII must be used, organizations take measures to minimize any associated risks and to authorize the use of and limit the amount of PII for these purposes. Organizations consult with the SAOP/CPO and legal counsel to ensure that the use of PII in testing, training, and research is compatible with the original purpose for which it was collected. |
The organization:
a. Develops policies and procedures that minimize the use of personally identifiable information (PII) for testing, training, and research; and
b. Implements controls to protect PII used for testing, training, and research. |
| CCI-003512 |
The organization develops procedures that minimize the use of personally identifiable information (PII) for research. |
The organization conducting the inspection/assessment obtains and examines the documented procedures to ensure the organization being inspected/assessed develops procedures that minimize the use of PII for research. |
The organization being inspected/assessed develops and documents procedures that minimize the use of PII for research. |
Minimization Of PII Used In Testing, Training, And Research |
DM-3 |
DM-3.6 |
Organizations often use PII for testing new applications or information systems prior to deployment. Organizations also use PII for research purposes and for training. The use of PII in testing, research, and training increases risk of unauthorized disclosure or misuse of the information. If PII must be used, organizations take measures to minimize any associated risks and to authorize the use of and limit the amount of PII for these purposes. Organizations consult with the SAOP/CPO and legal counsel to ensure that the use of PII in testing, training, and research is compatible with the original purpose for which it was collected. |
The organization:
a. Develops policies and procedures that minimize the use of personally identifiable information (PII) for testing, training, and research; and
b. Implements controls to protect PII used for testing, training, and research. |
| CCI-003513 |
The organization implements controls to protect personally identifiable information (PII) used for testing. |
The organization conducting the inspection/assessment obtains and examines the PIA for all information systems using PII for testing to ensure the PIA is completed and approved. The organization conducting the inspection/assessment inspects the information system to ensure the organization being inspected/assessed has properly implemented the controls identified in the PIA to protect PII. |
The organization being inspected/assessed will complete a Privacy Impact Assessment (PIA) for any information system that uses PII for testing and implement the identified controls. |
Minimization Of PII Used In Testing, Training, And Research |
DM-3 |
DM-3.7 |
Organizations often use PII for testing new applications or information systems prior to deployment. Organizations also use PII for research purposes and for training. The use of PII in testing, research, and training increases risk of unauthorized disclosure or misuse of the information. If PII must be used, organizations take measures to minimize any associated risks and to authorize the use of and limit the amount of PII for these purposes. Organizations consult with the SAOP/CPO and legal counsel to ensure that the use of PII in testing, training, and research is compatible with the original purpose for which it was collected. |
The organization:
a. Develops policies and procedures that minimize the use of personally identifiable information (PII) for testing, training, and research; and
b. Implements controls to protect PII used for testing, training, and research. |
| CCI-003514 |
The organization implements controls to protect personally identifiable information (PII) used for training. |
The organization conducting the inspection/assessment obtains and examines the PIA for all information systems using PII for training to ensure the PIA is completed and approved. The organization conducting the inspection/assessment inspects the information system to ensure the organization being inspected/assessed has properly implemented the controls identified in the PIA to protect PII. |
The organization being inspected/assessed will complete a Privacy Impact Assessment (PIA) for any information system that uses PII for training and implement the identified controls. |
Minimization Of PII Used In Testing, Training, And Research |
DM-3 |
DM-3.8 |
Organizations often use PII for testing new applications or information systems prior to deployment. Organizations also use PII for research purposes and for training. The use of PII in testing, research, and training increases risk of unauthorized disclosure or misuse of the information. If PII must be used, organizations take measures to minimize any associated risks and to authorize the use of and limit the amount of PII for these purposes. Organizations consult with the SAOP/CPO and legal counsel to ensure that the use of PII in testing, training, and research is compatible with the original purpose for which it was collected. |
The organization:
a. Develops policies and procedures that minimize the use of personally identifiable information (PII) for testing, training, and research; and
b. Implements controls to protect PII used for testing, training, and research. |
| CCI-003515 |
The organization implements controls to protect personally identifiable information (PII) used for research. |
The organization conducting the inspection/assessment obtains and examines the PIA for all information systems using PII for research to ensure the PIA is completed and approved. The organization conducting the inspection/assessment inspects the information system to ensure the organization being inspected/assessed has properly implemented the controls identified in the PIA to protect PII. |
The organization being inspected/assessed will complete a Privacy Impact Assessment (PIA) for any information system that uses PII for research and implement the identified controls. |
Minimization Of PII Used In Testing, Training, And Research |
DM-3 |
DM-3.9 |
Organizations often use PII for testing new applications or information systems prior to deployment. Organizations also use PII for research purposes and for training. The use of PII in testing, research, and training increases risk of unauthorized disclosure or misuse of the information. If PII must be used, organizations take measures to minimize any associated risks and to authorize the use of and limit the amount of PII for these purposes. Organizations consult with the SAOP/CPO and legal counsel to ensure that the use of PII in testing, training, and research is compatible with the original purpose for which it was collected. |
The organization:
a. Develops policies and procedures that minimize the use of personally identifiable information (PII) for testing, training, and research; and
b. Implements controls to protect PII used for testing, training, and research. |
| CCI-003516 |
The organization, where feasible, uses techniques to minimize the risk to privacy of using personally identifiable information (PII) for research. |
The organization conducting the inspection/assessment obtains and examines the documented techniques to minimize the risk to privacy of using PII for research and verifies that these techniques are being used or that the justifications for not using them are documented. |
The organization being inspected/assessed documents and implements techniques (such as de-identification or anonymization) to minimize the risk to privacy of using PII for research. Where such techniques aren't feasible due to the parameters of the research, the organization will document the justification for not implementing such techniques. |
Minimization Of PII Used In Testing, Training, And Research | Risk Minimization Techniques |
DM-3 (1) |
DM-3(1).1 |
Organizations can minimize risk to privacy of PII by using techniques such as de-identification. |
The organization, where feasible, uses techniques to minimize the risk to privacy of using PII for research, testing, or training. |
| CCI-003517 |
The organization, where feasible, uses techniques to minimize the risk to privacy of using personally identifiable information (PII) for testing. |
The organization conducting the inspection/assessment obtains and examines the documented techniques to minimize the risk to privacy of using PII for testing and verifies that these techniques are being used or that the justifications for not using them are documented. |
The organization being inspected/assessed documents and implements techniques (such as de-identification or anonymization) to minimize the risk to privacy of using PII for testing. Where such techniques aren't feasible due to the parameters of the testing, the organization will document the justification for not implementing such techniques. |
Minimization Of PII Used In Testing, Training, And Research | Risk Minimization Techniques |
DM-3 (1) |
DM-3(1).2 |
Organizations can minimize risk to privacy of PII by using techniques such as de-identification. |
The organization, where feasible, uses techniques to minimize the risk to privacy of using PII for research, testing, or training. |
| CCI-003518 |
The organization, where feasible, uses techniques to minimize the risk to privacy of using personally identifiable information (PII) for training. |
The organization conducting the inspection/assessment obtains and examines the documented techniques to minimize the risk to privacy of using PII for training and verifies that these techniques are being used or that the justifications for not using them are documented. |
The organization being inspected/assessed documents and implements techniques (such as de-identification or anonymization) to minimize the risk to privacy of using PII for training. Where such techniques aren't feasible due to the parameters of the training, the organization will document the justification for not implementing such training. |
Minimization Of PII Used In Testing, Training, And Research | Risk Minimization Techniques |
DM-3 (1) |
DM-3(1).3 |
Organizations can minimize risk to privacy of PII by using techniques such as de-identification. |
The organization, where feasible, uses techniques to minimize the risk to privacy of using PII for research, testing, or training. |
| CCI-003519 |
The organization provides means, where feasible and appropriate, for individuals to authorize the collection of personally identifiable information (PII) prior to its collection. |
The organization conducting the inspection/assessment obtains and examines the documented procedure as well as a sampling of artifacts related to the authorization of collection of PII to ensure the organization being inspected/assessed provides means, where feasible and appropriate, for individuals to authorize the collection of PII prior to its collection. Where authorization is not feasible or appropriate, the organization conducting the inspection/assessment ensures that the organization notifies users that PII is being collected. |
The organization being inspected/assessed documents and implements a procedure for individuals to authorize the collection of personally identifiable information (PII) prior to its collection. Minimally, where individual authorization is not feasible or appropriate, the organization will notify users that PII is being collected. |
Consent |
IP-1 |
IP-1.1 |
Consent is fundamental to the participation of individuals in the decision-making process regarding the collection and use of their PII and the use of technologies that may increase risk to personal privacy. To obtain consent, organizations provide individuals appropriate notice of the purposes of the PII collection or technology use and a means for individuals to consent to the activity. Organizations tailor the public notice and consent mechanisms to meet operational needs. Organizations achieve awareness and consent, for example, through updated public notices.
Organizations may obtain consent through opt-in, opt-out, or implied consent. Opt-in consent is the preferred method, but it is not always feasible. Opt-in requires that individuals take affirmative action to allow organizations to collect or use PII. For example, opt-in consent may require an individual to click a radio button on a website, or sign a document providing consent. In contrast, opt-out requires individuals to take action to prevent the new or continued collection or use of such PII. For example, the Federal Trade Commission’s Do-Not-Call Registry allows individuals to opt-out of receiving unsolicited telemarketing calls by requesting to be added to a list. Implied consent is the least preferred method and should be used in limited circumstances. Implied consent occurs where individuals’ behavior or failure to object indicates agreement with the collection or use of PII (e.g., by entering and remaining in a building where notice has been posted that security cameras are in use, the individual implies consent to the video recording). Depending upon the nature of the program or information system, it may be appropriate to allow individuals to limit the types of PII they provide and subsequent uses of that PII. Organizational consent mechanisms include a discussion of the consequences to individuals of failure to provide PII. Consequences can vary from organization to organization. Related controls: AC-2, AP-1, TR-1, TR-2. |
The organization:
a. Provides means, where feasible and appropriate, for individuals to authorize the collection, use, maintaining, and sharing of personally identifiable information (PII) prior to its collection;
b. Provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the collection, use, dissemination, and retention of PII;
c. Obtains consent, where feasible and appropriate, from individuals prior to any new uses or disclosure of previously collected PII; and
d. Ensures that individuals are aware of and, where feasible, consent to all uses of PII not initially described in the public notice that was in effect at the time the organization collected the PII. |
| CCI-003520 |
The organization provides means, where feasible and appropriate, for individuals to authorize the use of personally identifiable information (PII) prior to its collection. |
The organization conducting the inspection/assessment obtains and examines the documented procedure as well as a sampling of artifacts related to the authorization of the use of PII to ensure the organization being inspected/assessed provides means, where feasible and appropriate, for individuals to authorize the use of PII prior to its collection. Where authorization is not feasible or appropriate, the organization conducting the inspection/assessment ensures that the organization notifies users that PII is being used. |
The organization being inspected/assessed documents and implements a procedure for individuals to authorize the use of personally identifiable information (PII) prior to its collection. Minimally, where individual authorization is not feasible or appropriate, the organization will notify users that PII is being used. |
Consent |
IP-1 |
IP-1.2 |
Consent is fundamental to the participation of individuals in the decision-making process regarding the collection and use of their PII and the use of technologies that may increase risk to personal privacy. To obtain consent, organizations provide individuals appropriate notice of the purposes of the PII collection or technology use and a means for individuals to consent to the activity. Organizations tailor the public notice and consent mechanisms to meet operational needs. Organizations achieve awareness and consent, for example, through updated public notices.
Organizations may obtain consent through opt-in, opt-out, or implied consent. Opt-in consent is the preferred method, but it is not always feasible. Opt-in requires that individuals take affirmative action to allow organizations to collect or use PII. For example, opt-in consent may require an individual to click a radio button on a website, or sign a document providing consent. In contrast, opt-out requires individuals to take action to prevent the new or continued collection or use of such PII. For example, the Federal Trade Commission’s Do-Not-Call Registry allows individuals to opt-out of receiving unsolicited telemarketing calls by requesting to be added to a list. Implied consent is the least preferred method and should be used in limited circumstances. Implied consent occurs where individuals’ behavior or failure to object indicates agreement with the collection or use of PII (e.g., by entering and remaining in a building where notice has been posted that security cameras are in use, the individual implies consent to the video recording). Depending upon the nature of the program or information system, it may be appropriate to allow individuals to limit the types of PII they provide and subsequent uses of that PII. Organizational consent mechanisms include a discussion of the consequences to individuals of failure to provide PII. Consequences can vary from organization to organization. Related controls: AC-2, AP-1, TR-1, TR-2. |
The organization:
a. Provides means, where feasible and appropriate, for individuals to authorize the collection, use, maintaining, and sharing of personally identifiable information (PII) prior to its collection;
b. Provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the collection, use, dissemination, and retention of PII;
c. Obtains consent, where feasible and appropriate, from individuals prior to any new uses or disclosure of previously collected PII; and
d. Ensures that individuals are aware of and, where feasible, consent to all uses of PII not initially described in the public notice that was in effect at the time the organization collected the PII. |
| CCI-003521 |
The organization provides means, where feasible and appropriate, for individuals to authorize the maintaining of personally identifiable information (PII) prior to its collection. |
The organization conducting the inspection/assessment obtains and examines the documented procedure as well as a sampling of artifacts related to the authorization of the maintaining of PII to ensure the organization being inspected/assessed provides means, where feasible and appropriate, for individuals to authorize the maintaining of PII prior to its collection. Where authorization is not feasible or appropriate, the organization conducting the inspection/assessment ensures that the organization notifies users that PII is being maintained. |
The organization being inspected/assessed documents and implements a procedure for individuals to authorize the maintaining of personally identifiable information (PII) prior to its collection. Minimally, where individual authorization is not feasible or appropriate, the organization will notify users that PII is being maintained. |
Consent |
IP-1 |
IP-1.3 |
Consent is fundamental to the participation of individuals in the decision-making process regarding the collection and use of their PII and the use of technologies that may increase risk to personal privacy. To obtain consent, organizations provide individuals appropriate notice of the purposes of the PII collection or technology use and a means for individuals to consent to the activity. Organizations tailor the public notice and consent mechanisms to meet operational needs. Organizations achieve awareness and consent, for example, through updated public notices.
Organizations may obtain consent through opt-in, opt-out, or implied consent. Opt-in consent is the preferred method, but it is not always feasible. Opt-in requires that individuals take affirmative action to allow organizations to collect or use PII. For example, opt-in consent may require an individual to click a radio button on a website, or sign a document providing consent. In contrast, opt-out requires individuals to take action to prevent the new or continued collection or use of such PII. For example, the Federal Trade Commission’s Do-Not-Call Registry allows individuals to opt-out of receiving unsolicited telemarketing calls by requesting to be added to a list. Implied consent is the least preferred method and should be used in limited circumstances. Implied consent occurs where individuals’ behavior or failure to object indicates agreement with the collection or use of PII (e.g., by entering and remaining in a building where notice has been posted that security cameras are in use, the individual implies consent to the video recording). Depending upon the nature of the program or information system, it may be appropriate to allow individuals to limit the types of PII they provide and subsequent uses of that PII. Organizational consent mechanisms include a discussion of the consequences to individuals of failure to provide PII. Consequences can vary from organization to organization. Related controls: AC-2, AP-1, TR-1, TR-2. |
The organization:
a. Provides means, where feasible and appropriate, for individuals to authorize the collection, use, maintaining, and sharing of personally identifiable information (PII) prior to its collection;
b. Provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the collection, use, dissemination, and retention of PII;
c. Obtains consent, where feasible and appropriate, from individuals prior to any new uses or disclosure of previously collected PII; and
d. Ensures that individuals are aware of and, where feasible, consent to all uses of PII not initially described in the public notice that was in effect at the time the organization collected the PII. |
| CCI-003522 |
The organization provides means, where feasible and appropriate, for individuals to authorize sharing of personally identifiable information (PII) prior to its collection. |
The organization conducting the inspection/assessment obtains and examines the documented procedure as well as a sampling of artifacts related to the authorization of the sharing of PII to ensure the organization being inspected/assessed provides means, where feasible and appropriate, for individuals to authorize the sharing of PII prior to its collection. Where authorization is not feasible or appropriate, the organization conducting the inspection/assessment ensures that the organization notifies users that PII is being shared. |
The organization being inspected/assessed documents and implements a procedure for individuals to authorize the sharing of personally identifiable information (PII) prior to its collection. Minimally, where individual authorization is not feasible or appropriate, the organization will notify users that PII is being shared. |
Consent |
IP-1 |
IP-1.4 |
Consent is fundamental to the participation of individuals in the decision-making process regarding the collection and use of their PII and the use of technologies that may increase risk to personal privacy. To obtain consent, organizations provide individuals appropriate notice of the purposes of the PII collection or technology use and a means for individuals to consent to the activity. Organizations tailor the public notice and consent mechanisms to meet operational needs. Organizations achieve awareness and consent, for example, through updated public notices.
Organizations may obtain consent through opt-in, opt-out, or implied consent. Opt-in consent is the preferred method, but it is not always feasible. Opt-in requires that individuals take affirmative action to allow organizations to collect or use PII. For example, opt-in consent may require an individual to click a radio button on a website, or sign a document providing consent. In contrast, opt-out requires individuals to take action to prevent the new or continued collection or use of such PII. For example, the Federal Trade Commission’s Do-Not-Call Registry allows individuals to opt-out of receiving unsolicited telemarketing calls by requesting to be added to a list. Implied consent is the least preferred method and should be used in limited circumstances. Implied consent occurs where individuals’ behavior or failure to object indicates agreement with the collection or use of PII (e.g., by entering and remaining in a building where notice has been posted that security cameras are in use, the individual implies consent to the video recording). Depending upon the nature of the program or information system, it may be appropriate to allow individuals to limit the types of PII they provide and subsequent uses of that PII. Organizational consent mechanisms include a discussion of the consequences to individuals of failure to provide PII. Consequences can vary from organization to organization. Related controls: AC-2, AP-1, TR-1, TR-2. |
The organization:
a. Provides means, where feasible and appropriate, for individuals to authorize the collection, use, maintaining, and sharing of personally identifiable information (PII) prior to its collection;
b. Provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the collection, use, dissemination, and retention of PII;
c. Obtains consent, where feasible and appropriate, from individuals prior to any new uses or disclosure of previously collected PII; and
d. Ensures that individuals are aware of and, where feasible, consent to all uses of PII not initially described in the public notice that was in effect at the time the organization collected the PII. |
| CCI-003523 |
The organization provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the collection of personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the documented procedure to ensure the organization being inspected/assessed provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the collection of PII. |
The organization being inspected/assessed documents and implements a procedure for individuals to understand the consequences of decisions to approve or decline the authorization of the collection of PII. |
Consent |
IP-1 |
IP-1.5 |
Consent is fundamental to the participation of individuals in the decision-making process regarding the collection and use of their PII and the use of technologies that may increase risk to personal privacy. To obtain consent, organizations provide individuals appropriate notice of the purposes of the PII collection or technology use and a means for individuals to consent to the activity. Organizations tailor the public notice and consent mechanisms to meet operational needs. Organizations achieve awareness and consent, for example, through updated public notices.
Organizations may obtain consent through opt-in, opt-out, or implied consent. Opt-in consent is the preferred method, but it is not always feasible. Opt-in requires that individuals take affirmative action to allow organizations to collect or use PII. For example, opt-in consent may require an individual to click a radio button on a website, or sign a document providing consent. In contrast, opt-out requires individuals to take action to prevent the new or continued collection or use of such PII. For example, the Federal Trade Commission’s Do-Not-Call Registry allows individuals to opt-out of receiving unsolicited telemarketing calls by requesting to be added to a list. Implied consent is the least preferred method and should be used in limited circumstances. Implied consent occurs where individuals’ behavior or failure to object indicates agreement with the collection or use of PII (e.g., by entering and remaining in a building where notice has been posted that security cameras are in use, the individual implies consent to the video recording). Depending upon the nature of the program or information system, it may be appropriate to allow individuals to limit the types of PII they provide and subsequent uses of that PII. Organizational consent mechanisms include a discussion of the consequences to individuals of failure to provide PII. Consequences can vary from organization to organization. Related controls: AC-2, AP-1, TR-1, TR-2. |
The organization:
a. Provides means, where feasible and appropriate, for individuals to authorize the collection, use, maintaining, and sharing of personally identifiable information (PII) prior to its collection;
b. Provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the collection, use, dissemination, and retention of PII;
c. Obtains consent, where feasible and appropriate, from individuals prior to any new uses or disclosure of previously collected PII; and
d. Ensures that individuals are aware of and, where feasible, consent to all uses of PII not initially described in the public notice that was in effect at the time the organization collected the PII. |
| CCI-003524 |
The organization provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the use of personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the documented procedure to ensure the organization being inspected/assessed provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the use of PII. |
The organization being inspected/assessed documents and implements a procedure for individuals to understand the consequences of decisions to approve or decline the authorization of the use of PII. |
Consent |
IP-1 |
IP-1.6 |
Consent is fundamental to the participation of individuals in the decision-making process regarding the collection and use of their PII and the use of technologies that may increase risk to personal privacy. To obtain consent, organizations provide individuals appropriate notice of the purposes of the PII collection or technology use and a means for individuals to consent to the activity. Organizations tailor the public notice and consent mechanisms to meet operational needs. Organizations achieve awareness and consent, for example, through updated public notices.
Organizations may obtain consent through opt-in, opt-out, or implied consent. Opt-in consent is the preferred method, but it is not always feasible. Opt-in requires that individuals take affirmative action to allow organizations to collect or use PII. For example, opt-in consent may require an individual to click a radio button on a website, or sign a document providing consent. In contrast, opt-out requires individuals to take action to prevent the new or continued collection or use of such PII. For example, the Federal Trade Commission’s Do-Not-Call Registry allows individuals to opt-out of receiving unsolicited telemarketing calls by requesting to be added to a list. Implied consent is the least preferred method and should be used in limited circumstances. Implied consent occurs where individuals’ behavior or failure to object indicates agreement with the collection or use of PII (e.g., by entering and remaining in a building where notice has been posted that security cameras are in use, the individual implies consent to the video recording). Depending upon the nature of the program or information system, it may be appropriate to allow individuals to limit the types of PII they provide and subsequent uses of that PII. Organizational consent mechanisms include a discussion of the consequences to individuals of failure to provide PII. Consequences can vary from organization to organization. Related controls: AC-2, AP-1, TR-1, TR-2. |
The organization:
a. Provides means, where feasible and appropriate, for individuals to authorize the collection, use, maintaining, and sharing of personally identifiable information (PII) prior to its collection;
b. Provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the collection, use, dissemination, and retention of PII;
c. Obtains consent, where feasible and appropriate, from individuals prior to any new uses or disclosure of previously collected PII; and
d. Ensures that individuals are aware of and, where feasible, consent to all uses of PII not initially described in the public notice that was in effect at the time the organization collected the PII. |
| CCI-003525 |
The organization provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the dissemination of personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the documented procedure to ensure the organization being inspected/assessed provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the dissemination of PII. |
The organization being inspected/assessed documents and implements a procedure for individuals to understand the consequences of decisions to approve or decline the authorization of the dissemination of PII. |
Consent |
IP-1 |
IP-1.7 |
Consent is fundamental to the participation of individuals in the decision-making process regarding the collection and use of their PII and the use of technologies that may increase risk to personal privacy. To obtain consent, organizations provide individuals appropriate notice of the purposes of the PII collection or technology use and a means for individuals to consent to the activity. Organizations tailor the public notice and consent mechanisms to meet operational needs. Organizations achieve awareness and consent, for example, through updated public notices.
Organizations may obtain consent through opt-in, opt-out, or implied consent. Opt-in consent is the preferred method, but it is not always feasible. Opt-in requires that individuals take affirmative action to allow organizations to collect or use PII. For example, opt-in consent may require an individual to click a radio button on a website, or sign a document providing consent. In contrast, opt-out requires individuals to take action to prevent the new or continued collection or use of such PII. For example, the Federal Trade Commission’s Do-Not-Call Registry allows individuals to opt-out of receiving unsolicited telemarketing calls by requesting to be added to a list. Implied consent is the least preferred method and should be used in limited circumstances. Implied consent occurs where individuals’ behavior or failure to object indicates agreement with the collection or use of PII (e.g., by entering and remaining in a building where notice has been posted that security cameras are in use, the individual implies consent to the video recording). Depending upon the nature of the program or information system, it may be appropriate to allow individuals to limit the types of PII they provide and subsequent uses of that PII. Organizational consent mechanisms include a discussion of the consequences to individuals of failure to provide PII. Consequences can vary from organization to organization. Related controls: AC-2, AP-1, TR-1, TR-2. |
The organization:
a. Provides means, where feasible and appropriate, for individuals to authorize the collection, use, maintaining, and sharing of personally identifiable information (PII) prior to its collection;
b. Provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the collection, use, dissemination, and retention of PII;
c. Obtains consent, where feasible and appropriate, from individuals prior to any new uses or disclosure of previously collected PII; and
d. Ensures that individuals are aware of and, where feasible, consent to all uses of PII not initially described in the public notice that was in effect at the time the organization collected the PII. |
| CCI-003526 |
The organization provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the retention of personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the documented procedure to ensure the organization being inspected/assessed provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the retention of PII. |
The organization being inspected/assessed documents and implements a procedure for individuals to understand the consequences of decisions to approve or decline the authorization of the retention of PII. |
Consent |
IP-1 |
IP-1.8 |
Consent is fundamental to the participation of individuals in the decision-making process regarding the collection and use of their PII and the use of technologies that may increase risk to personal privacy. To obtain consent, organizations provide individuals appropriate notice of the purposes of the PII collection or technology use and a means for individuals to consent to the activity. Organizations tailor the public notice and consent mechanisms to meet operational needs. Organizations achieve awareness and consent, for example, through updated public notices.
Organizations may obtain consent through opt-in, opt-out, or implied consent. Opt-in consent is the preferred method, but it is not always feasible. Opt-in requires that individuals take affirmative action to allow organizations to collect or use PII. For example, opt-in consent may require an individual to click a radio button on a website, or sign a document providing consent. In contrast, opt-out requires individuals to take action to prevent the new or continued collection or use of such PII. For example, the Federal Trade Commission’s Do-Not-Call Registry allows individuals to opt-out of receiving unsolicited telemarketing calls by requesting to be added to a list. Implied consent is the least preferred method and should be used in limited circumstances. Implied consent occurs where individuals’ behavior or failure to object indicates agreement with the collection or use of PII (e.g., by entering and remaining in a building where notice has been posted that security cameras are in use, the individual implies consent to the video recording). Depending upon the nature of the program or information system, it may be appropriate to allow individuals to limit the types of PII they provide and subsequent uses of that PII. Organizational consent mechanisms include a discussion of the consequences to individuals of failure to provide PII. Consequences can vary from organization to organization. Related controls: AC-2, AP-1, TR-1, TR-2. |
The organization:
a. Provides means, where feasible and appropriate, for individuals to authorize the collection, use, maintaining, and sharing of personally identifiable information (PII) prior to its collection;
b. Provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the collection, use, dissemination, and retention of PII;
c. Obtains consent, where feasible and appropriate, from individuals prior to any new uses or disclosure of previously collected PII; and
d. Ensures that individuals are aware of and, where feasible, consent to all uses of PII not initially described in the public notice that was in effect at the time the organization collected the PII. |
| CCI-003527 |
The organization obtains consent, where feasible and appropriate, from individuals prior to any new uses or disclosure of previously collected personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed obtains consent, where feasible and appropriate, from individuals prior to any new uses or disclosure of previously collected PII. Where consent is not feasible or appropriate, the organization conducting the inspection/assessment ensures that the organization notifies users of new uses or disclosure of previously collected PII. |
The organization being inspected/assessed documents and implements a process to obtain consent, where feasible and appropriate, from individuals prior to any new uses or disclosure of previously collected PII. Minimally, where consent is not feasible or appropriate, the organization will notify users of new uses or disclosure of previously collected PII. |
Consent |
IP-1 |
IP-1.9 |
Consent is fundamental to the participation of individuals in the decision-making process regarding the collection and use of their PII and the use of technologies that may increase risk to personal privacy. To obtain consent, organizations provide individuals appropriate notice of the purposes of the PII collection or technology use and a means for individuals to consent to the activity. Organizations tailor the public notice and consent mechanisms to meet operational needs. Organizations achieve awareness and consent, for example, through updated public notices.
Organizations may obtain consent through opt-in, opt-out, or implied consent. Opt-in consent is the preferred method, but it is not always feasible. Opt-in requires that individuals take affirmative action to allow organizations to collect or use PII. For example, opt-in consent may require an individual to click a radio button on a website, or sign a document providing consent. In contrast, opt-out requires individuals to take action to prevent the new or continued collection or use of such PII. For example, the Federal Trade Commission’s Do-Not-Call Registry allows individuals to opt-out of receiving unsolicited telemarketing calls by requesting to be added to a list. Implied consent is the least preferred method and should be used in limited circumstances. Implied consent occurs where individuals’ behavior or failure to object indicates agreement with the collection or use of PII (e.g., by entering and remaining in a building where notice has been posted that security cameras are in use, the individual implies consent to the video recording). Depending upon the nature of the program or information system, it may be appropriate to allow individuals to limit the types of PII they provide and subsequent uses of that PII. Organizational consent mechanisms include a discussion of the consequences to individuals of failure to provide PII. Consequences can vary from organization to organization. Related controls: AC-2, AP-1, TR-1, TR-2. |
The organization:
a. Provides means, where feasible and appropriate, for individuals to authorize the collection, use, maintaining, and sharing of personally identifiable information (PII) prior to its collection;
b. Provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the collection, use, dissemination, and retention of PII;
c. Obtains consent, where feasible and appropriate, from individuals prior to any new uses or disclosure of previously collected PII; and
d. Ensures that individuals are aware of and, where feasible, consent to all uses of PII not initially described in the public notice that was in effect at the time the organization collected the PII. |
| CCI-003528 |
The organization ensures that individuals are aware of all uses of personally identifiable information (PII) not initially described in the public notice that was in effect at the time the organization collected the PII. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed ensures that individuals are aware of all uses of PII not initially described in the SORN and Privacy Act Statement that was in effect at the time the organization collected the PII. |
The organization being inspected/assessed documents and implements a process to ensure that individuals are aware of all uses of PII not initially described in the SORN and Privacy Act Statement that was in effect at the time the organization collected the PII. |
Consent |
IP-1 |
IP-1.10 |
Consent is fundamental to the participation of individuals in the decision-making process regarding the collection and use of their PII and the use of technologies that may increase risk to personal privacy. To obtain consent, organizations provide individuals appropriate notice of the purposes of the PII collection or technology use and a means for individuals to consent to the activity. Organizations tailor the public notice and consent mechanisms to meet operational needs. Organizations achieve awareness and consent, for example, through updated public notices.
Organizations may obtain consent through opt-in, opt-out, or implied consent. Opt-in consent is the preferred method, but it is not always feasible. Opt-in requires that individuals take affirmative action to allow organizations to collect or use PII. For example, opt-in consent may require an individual to click a radio button on a website, or sign a document providing consent. In contrast, opt-out requires individuals to take action to prevent the new or continued collection or use of such PII. For example, the Federal Trade Commission’s Do-Not-Call Registry allows individuals to opt-out of receiving unsolicited telemarketing calls by requesting to be added to a list. Implied consent is the least preferred method and should be used in limited circumstances. Implied consent occurs where individuals’ behavior or failure to object indicates agreement with the collection or use of PII (e.g., by entering and remaining in a building where notice has been posted that security cameras are in use, the individual implies consent to the video recording). Depending upon the nature of the program or information system, it may be appropriate to allow individuals to limit the types of PII they provide and subsequent uses of that PII. Organizational consent mechanisms include a discussion of the consequences to individuals of failure to provide PII. Consequences can vary from organization to organization. Related controls: AC-2, AP-1, TR-1, TR-2. |
The organization:
a. Provides means, where feasible and appropriate, for individuals to authorize the collection, use, maintaining, and sharing of personally identifiable information (PII) prior to its collection;
b. Provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the collection, use, dissemination, and retention of PII;
c. Obtains consent, where feasible and appropriate, from individuals prior to any new uses or disclosure of previously collected PII; and
d. Ensures that individuals are aware of and, where feasible, consent to all uses of PII not initially described in the public notice that was in effect at the time the organization collected the PII. |
| CCI-003529 |
The organization ensures that individuals, where feasible, consent to all uses of personally identifiable information (PII) not initially described in the public notice that was in effect at the time the organization collected the PII. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed ensures that individuals, where feasible, consent to all uses of PII not initially described in the SORN and Privacy Act Statement that was in effect at the time the organization collected the PII. Where consent is not feasible or appropriate, the organization conducting the inspection/assessment ensures that the organization notifies users of PII not initially described in the SORN and Privacy Act Statement that was in effect at the time the organization collected the PII. |
The organization being inspected/assessed documents and implements a process to ensure that individuals, where feasible, consent to all uses of PII not initially described in the SORN and Privacy Act Statement that was in effect at the time the organization collected the PII. Minimally, where consent is not feasible or appropriate, the organization will notify users of all uses of PII not initially described in the SORN and Privacy Act Statement that was in effect at the time the organization collected the PII. |
Consent |
IP-1 |
IP-1.11 |
Consent is fundamental to the participation of individuals in the decision-making process regarding the collection and use of their PII and the use of technologies that may increase risk to personal privacy. To obtain consent, organizations provide individuals appropriate notice of the purposes of the PII collection or technology use and a means for individuals to consent to the activity. Organizations tailor the public notice and consent mechanisms to meet operational needs. Organizations achieve awareness and consent, for example, through updated public notices.
Organizations may obtain consent through opt-in, opt-out, or implied consent. Opt-in consent is the preferred method, but it is not always feasible. Opt-in requires that individuals take affirmative action to allow organizations to collect or use PII. For example, opt-in consent may require an individual to click a radio button on a website, or sign a document providing consent. In contrast, opt-out requires individuals to take action to prevent the new or continued collection or use of such PII. For example, the Federal Trade Commission’s Do-Not-Call Registry allows individuals to opt-out of receiving unsolicited telemarketing calls by requesting to be added to a list. Implied consent is the least preferred method and should be used in limited circumstances. Implied consent occurs where individuals’ behavior or failure to object indicates agreement with the collection or use of PII (e.g., by entering and remaining in a building where notice has been posted that security cameras are in use, the individual implies consent to the video recording). Depending upon the nature of the program or information system, it may be appropriate to allow individuals to limit the types of PII they provide and subsequent uses of that PII. Organizational consent mechanisms include a discussion of the consequences to individuals of failure to provide PII. Consequences can vary from organization to organization. Related controls: AC-2, AP-1, TR-1, TR-2. |
The organization:
a. Provides means, where feasible and appropriate, for individuals to authorize the collection, use, maintaining, and sharing of personally identifiable information (PII) prior to its collection;
b. Provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the collection, use, dissemination, and retention of PII;
c. Obtains consent, where feasible and appropriate, from individuals prior to any new uses or disclosure of previously collected PII; and
d. Ensures that individuals are aware of and, where feasible, consent to all uses of PII not initially described in the public notice that was in effect at the time the organization collected the PII. |
| CCI-003530 |
The organization implements mechanisms to support itemized or tiered consent for specific uses of personally identifiable information (PII) data. |
The organization conducting the inspection/assessment obtains and examines documentation of the itemized or tiered consent methods used by the organization to ensure the organization being inspected/assessed provides individuals, where feasible, consent to each tier of use requested. |
The organization implements mechanisms to support itemized or tiered consent for specific uses of PII data. |
Consent | Mechanisms Supporting Itemized Or Tiered Consent |
IP-1 (1) |
IP-1(1).1 |
Organizations can provide, for example, individuals’ itemized choices as to whether they wish to be contacted for any of a variety of purposes. In this situation, organizations construct consent mechanisms to ensure that organizational operations comply with individual choices. |
The organization implements mechanisms to support itemized or tiered consent for specific uses of data. |
| CCI-003531 |
The organization provides individuals the ability to have access to their personally identifiable information (PII) maintained in its system(s) of records. |
The organization conducting the inspection/assessment obtains and examines documentation of how the organization provides an individual with access to his own PII to ensure the organization being inspected/assessed provides individuals access to his own PII IAW DoDD 5400.11 and DoD 5400.11-R. |
The organization being inspected/assessed provides for public access to records in systems of records IAW the SORN. PII not included in the Privacy Act System of Records may be accessed through a Freedom of Information Act Request. At a mininum the organization shall provide access to an individuals own PII IAW both DoDD 5400.11 and DoD 5400.11-R. |
Individual Access |
IP-2 |
IP-2.1 |
Access affords individuals the ability to review PII about them held within organizational systems of records. Access includes timely, simplified, and inexpensive access to data. Organizational processes for allowing access to records may differ based on resources, legal requirements, or other factors. The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) is responsible for the content of Privacy Act regulations and record request processing, in consultation with legal counsel. Access to certain types of records may not be appropriate, however, and heads of agencies may promulgate rules exempting particular systems from the access provision of the Privacy Act. In addition, individuals are not entitled to access to information compiled in reasonable anticipation of a civil action or proceeding. Related controls: AR-8, IP-3, TR-1, TR-2. |
The organization:
a. Provides individuals the ability to have access to their personally identifiable information (PII) maintained in its system(s) of records;
b. Publishes rules and regulations governing how individuals may request access to records maintained in a Privacy Act system of records;
c. Publishes access procedures in System of Records Notices (SORNs); and
d. Adheres to Privacy Act requirements and OMB policies and guidance for the proper processing of Privacy Act requests. |
| CCI-003532 |
The organization publishes rules and regulations governing how individuals may request access to records maintained in a Privacy Act system of records. |
The organization conducting the inspection/assessment obtains and examines documentation of how the organization provides an individual with access to his own PII to ensure the organization being inspected/assessed provides individuals access to his own PII IAW DoDD 5400.11 and DoD 5400.11-R. |
The organization being inspected/assessed provides for public access to records in systems of records IAW the SORN. PII not included in the Privacy Act System of Records may be accessed through a Freedom of Information Act Request. At a mininum the organization shall provide access to an individuals own PII IAW both DoDD 5400.11 and DoD 5400.11-R. |
Individual Access |
IP-2 |
IP-2.2 |
Access affords individuals the ability to review PII about them held within organizational systems of records. Access includes timely, simplified, and inexpensive access to data. Organizational processes for allowing access to records may differ based on resources, legal requirements, or other factors. The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) is responsible for the content of Privacy Act regulations and record request processing, in consultation with legal counsel. Access to certain types of records may not be appropriate, however, and heads of agencies may promulgate rules exempting particular systems from the access provision of the Privacy Act. In addition, individuals are not entitled to access to information compiled in reasonable anticipation of a civil action or proceeding. Related controls: AR-8, IP-3, TR-1, TR-2. |
The organization:
a. Provides individuals the ability to have access to their personally identifiable information (PII) maintained in its system(s) of records;
b. Publishes rules and regulations governing how individuals may request access to records maintained in a Privacy Act system of records;
c. Publishes access procedures in System of Records Notices (SORNs); and
d. Adheres to Privacy Act requirements and OMB policies and guidance for the proper processing of Privacy Act requests. |
| CCI-003533 |
The organization publishes regulations governing how individuals may request access to records maintained in a Privacy Act system of records. |
The organization conducting the inspection/assessment obtains and examines documentation of how the organization provides an individual with access to his own PII to ensure the organization being inspected/assessed provides individuals access to his own PII IAW DoDD 5400.11 and DoD 5400.11-R. |
The organization being inspected/assessed provides for public access to records in systems of records IAW the SORN. PII not included in the Privacy Act System of Records may be accessed through a Freedom of Information Act Request. At a mininum the organization shall provide access to an individuals own PII IAW both DoDD 5400.11 and DoD 5400.11-R. |
Individual Access |
IP-2 |
IP-2.3 |
Access affords individuals the ability to review PII about them held within organizational systems of records. Access includes timely, simplified, and inexpensive access to data. Organizational processes for allowing access to records may differ based on resources, legal requirements, or other factors. The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) is responsible for the content of Privacy Act regulations and record request processing, in consultation with legal counsel. Access to certain types of records may not be appropriate, however, and heads of agencies may promulgate rules exempting particular systems from the access provision of the Privacy Act. In addition, individuals are not entitled to access to information compiled in reasonable anticipation of a civil action or proceeding. Related controls: AR-8, IP-3, TR-1, TR-2. |
The organization:
a. Provides individuals the ability to have access to their personally identifiable information (PII) maintained in its system(s) of records;
b. Publishes rules and regulations governing how individuals may request access to records maintained in a Privacy Act system of records;
c. Publishes access procedures in System of Records Notices (SORNs); and
d. Adheres to Privacy Act requirements and OMB policies and guidance for the proper processing of Privacy Act requests. |
| CCI-003534 |
The organization publishes access procedures for Privacy Act systems of records in System of Records Notices (SORNs). |
The organization conducting the inspection/assessment obtains and examines documentation of how the organization provides an individual with access to his own PII to ensure the organization being inspected/assessed provides individuals access to his own PII IAW DoDD 5400.11 and DoD 5400.11-R. |
The organization being inspected/assessed provides for public access to records in systems of records IAW the SORN. PII not included in the Privacy Act System of Records may be accessed through a Freedom of Information Act Request. At a mininum the organization shall provide access to an individuals own PII IAW both DoDD 5400.11 and DoD 5400.11-R. |
Individual Access |
IP-2 |
IP-2.4 |
Access affords individuals the ability to review PII about them held within organizational systems of records. Access includes timely, simplified, and inexpensive access to data. Organizational processes for allowing access to records may differ based on resources, legal requirements, or other factors. The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) is responsible for the content of Privacy Act regulations and record request processing, in consultation with legal counsel. Access to certain types of records may not be appropriate, however, and heads of agencies may promulgate rules exempting particular systems from the access provision of the Privacy Act. In addition, individuals are not entitled to access to information compiled in reasonable anticipation of a civil action or proceeding. Related controls: AR-8, IP-3, TR-1, TR-2. |
The organization:
a. Provides individuals the ability to have access to their personally identifiable information (PII) maintained in its system(s) of records;
b. Publishes rules and regulations governing how individuals may request access to records maintained in a Privacy Act system of records;
c. Publishes access procedures in System of Records Notices (SORNs); and
d. Adheres to Privacy Act requirements and OMB policies and guidance for the proper processing of Privacy Act requests. |
| CCI-003535 |
The organization adheres to Privacy Act requirements for the proper processing of Privacy Act requests. |
The organization conducting the inspection/assessment obtains and examines documentation of how the organization provides an individual with access to his own PII to ensure the organization being inspected/assessed provides individuals access to his own PII IAW DoDD 5400.11 and DoD 5400.11-R. |
The organization being inspected/assessed provides for public access to records in systems of records IAW the SORN. PII not included in the Privacy Act System of Records may be accessed through a Freedom of Information Act Request. At a mininum the organization shall provide access to an individuals own PII IAW both DoDD 5400.11 and DoD 5400.11-R. |
Individual Access |
IP-2 |
IP-2.5 |
Access affords individuals the ability to review PII about them held within organizational systems of records. Access includes timely, simplified, and inexpensive access to data. Organizational processes for allowing access to records may differ based on resources, legal requirements, or other factors. The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) is responsible for the content of Privacy Act regulations and record request processing, in consultation with legal counsel. Access to certain types of records may not be appropriate, however, and heads of agencies may promulgate rules exempting particular systems from the access provision of the Privacy Act. In addition, individuals are not entitled to access to information compiled in reasonable anticipation of a civil action or proceeding. Related controls: AR-8, IP-3, TR-1, TR-2. |
The organization:
a. Provides individuals the ability to have access to their personally identifiable information (PII) maintained in its system(s) of records;
b. Publishes rules and regulations governing how individuals may request access to records maintained in a Privacy Act system of records;
c. Publishes access procedures in System of Records Notices (SORNs); and
d. Adheres to Privacy Act requirements and OMB policies and guidance for the proper processing of Privacy Act requests. |
| CCI-003536 |
The organization adheres to OMB policies and guidance for the proper processing of Privacy Act requests. |
The organization conducting the inspection/assessment obtains and examines documentation of how the organization provides an individual with access to his own PII to ensure the organization being inspected/assessed provides individuals access to his own PII IAW DoDD 5400.11 and DoD 5400.11-R. |
The organization being inspected/assessed provides for public access to records in systems of records IAW the SORN. PII not included in the Privacy Act System of Records may be accessed through a Freedom of Information Act Request. At a mininum the organization shall provide access to an individuals own PII IAW both DoDD 5400.11 and DoD 5400.11-R. |
Individual Access |
IP-2 |
IP-2.6 |
Access affords individuals the ability to review PII about them held within organizational systems of records. Access includes timely, simplified, and inexpensive access to data. Organizational processes for allowing access to records may differ based on resources, legal requirements, or other factors. The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) is responsible for the content of Privacy Act regulations and record request processing, in consultation with legal counsel. Access to certain types of records may not be appropriate, however, and heads of agencies may promulgate rules exempting particular systems from the access provision of the Privacy Act. In addition, individuals are not entitled to access to information compiled in reasonable anticipation of a civil action or proceeding. Related controls: AR-8, IP-3, TR-1, TR-2. |
The organization:
a. Provides individuals the ability to have access to their personally identifiable information (PII) maintained in its system(s) of records;
b. Publishes rules and regulations governing how individuals may request access to records maintained in a Privacy Act system of records;
c. Publishes access procedures in System of Records Notices (SORNs); and
d. Adheres to Privacy Act requirements and OMB policies and guidance for the proper processing of Privacy Act requests. |
| CCI-003537 |
The organization provides a process for individuals to have inaccurate personally identifiable information (PII) maintained by the organization corrected or amended, as appropriate. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed provides a process IAW DoDD 5400.11 and DoD 5400.11-R for individuals to have inaccurate PII maintained by the organization corrected or amended, as appropriate. |
The organization being inspected/assessed documents and implements a process IAW DoDD 5400.11 and DoD 5400.11-R for individuals to have inaccurate PII maintained by the organization corrected or amended, as appropriate. |
Redress |
IP-3 |
IP-3.1 |
Redress supports the ability of individuals to ensure the accuracy of PII held by organizations. Effective redress processes demonstrate organizational commitment to data quality especially in those business functions where inaccurate data may result in inappropriate decisions or denial of benefits and services to individuals. Organizations use discretion in determining if records are to be corrected or amended, based on the scope of redress requests, the changes sought, and the impact of the changes. Individuals may appeal an adverse decision and have incorrect information amended, where appropriate.
To provide effective redress, organizations: (i) provide effective notice of the existence of a PII collection; (ii) provide plain language explanations of the processes and mechanisms for requesting access to records; (iii) establish criteria for submitting requests for correction or amendment; (iv) implement resources to analyze and adjudicate requests; (v) implement means of correcting or amending data collections; and (vi) review any decisions that may have been the result of inaccurate information.
Organizational redress processes provide responses to individuals of decisions to deny requests for correction or amendment, including the reasons for those decisions, a means to record individual objections to the organizational decisions, and a means of requesting organizational reviews of the initial determinations. Where PII is corrected or amended, organizations take steps to ensure that all authorized recipients of that PII are informed of the corrected or amended information. In instances where redress involves information obtained from other organizations, redress processes include coordination with organizations that originally collected the information. Related controls: IP-2, TR-1, TR-2, UL-2. |
The organization:
a. Provides a process for individuals to have inaccurate personally identifiable information (PII) maintained by the organization corrected or amended, as appropriate; and
b. Establishes a process for disseminating corrections or amendments of the PII to other authorized users of the PII, such as external information sharing partners and, where feasible and appropriate, notifies affected individuals that their information has been corrected or amended. |
| CCI-003538 |
The organization establishes a process for disseminating corrections or amendments of the personally identifiable information (PII) to other authorized users of the PII, such as external information-sharing partners. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed establishes a process IAW DoDD 5400.11 and DoD 5400.11-R for disseminating corrections or amendments of the PII to other authorized users of the PII, such as external information-sharing partners. |
The organization being inspected/assessed establishes and documents a process IAW DoDD 5400.11 and DoD 5400.11-R for disseminating corrections or amendments of the PII to other authorized users of the PII, such as external information-sharing partners. |
Redress |
IP-3 |
IP-3.2 |
Redress supports the ability of individuals to ensure the accuracy of PII held by organizations. Effective redress processes demonstrate organizational commitment to data quality especially in those business functions where inaccurate data may result in inappropriate decisions or denial of benefits and services to individuals. Organizations use discretion in determining if records are to be corrected or amended, based on the scope of redress requests, the changes sought, and the impact of the changes. Individuals may appeal an adverse decision and have incorrect information amended, where appropriate.
To provide effective redress, organizations: (i) provide effective notice of the existence of a PII collection; (ii) provide plain language explanations of the processes and mechanisms for requesting access to records; (iii) establish criteria for submitting requests for correction or amendment; (iv) implement resources to analyze and adjudicate requests; (v) implement means of correcting or amending data collections; and (vi) review any decisions that may have been the result of inaccurate information.
Organizational redress processes provide responses to individuals of decisions to deny requests for correction or amendment, including the reasons for those decisions, a means to record individual objections to the organizational decisions, and a means of requesting organizational reviews of the initial determinations. Where PII is corrected or amended, organizations take steps to ensure that all authorized recipients of that PII are informed of the corrected or amended information. In instances where redress involves information obtained from other organizations, redress processes include coordination with organizations that originally collected the information. Related controls: IP-2, TR-1, TR-2, UL-2. |
The organization:
a. Provides a process for individuals to have inaccurate personally identifiable information (PII) maintained by the organization corrected or amended, as appropriate; and
b. Establishes a process for disseminating corrections or amendments of the PII to other authorized users of the PII, such as external information sharing partners and, where feasible and appropriate, notifies affected individuals that their information has been corrected or amended. |
| CCI-003539 |
The organization establishes a process, where feasible and appropriate, to notify affected individuals that their personally identifiable information (PII) information has been corrected or amended. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed establishes a process IAW DoDD 5400.11 and DoD 5400.11-R, where feasible and appropriate, to notify affected individuals that their PII information has been corrected or amended. |
The organization being inspected/assessed establishes and documents a process IAW DoDD 5400.11 and DoD 5400.11-R where feasible and appropriate, to notify affected individuals that their PII information has been corrected or amended. |
Redress |
IP-3 |
IP-3.3 |
Redress supports the ability of individuals to ensure the accuracy of PII held by organizations. Effective redress processes demonstrate organizational commitment to data quality especially in those business functions where inaccurate data may result in inappropriate decisions or denial of benefits and services to individuals. Organizations use discretion in determining if records are to be corrected or amended, based on the scope of redress requests, the changes sought, and the impact of the changes. Individuals may appeal an adverse decision and have incorrect information amended, where appropriate.
To provide effective redress, organizations: (i) provide effective notice of the existence of a PII collection; (ii) provide plain language explanations of the processes and mechanisms for requesting access to records; (iii) establish criteria for submitting requests for correction or amendment; (iv) implement resources to analyze and adjudicate requests; (v) implement means of correcting or amending data collections; and (vi) review any decisions that may have been the result of inaccurate information.
Organizational redress processes provide responses to individuals of decisions to deny requests for correction or amendment, including the reasons for those decisions, a means to record individual objections to the organizational decisions, and a means of requesting organizational reviews of the initial determinations. Where PII is corrected or amended, organizations take steps to ensure that all authorized recipients of that PII are informed of the corrected or amended information. In instances where redress involves information obtained from other organizations, redress processes include coordination with organizations that originally collected the information. Related controls: IP-2, TR-1, TR-2, UL-2. |
The organization:
a. Provides a process for individuals to have inaccurate personally identifiable information (PII) maintained by the organization corrected or amended, as appropriate; and
b. Establishes a process for disseminating corrections or amendments of the PII to other authorized users of the PII, such as external information sharing partners and, where feasible and appropriate, notifies affected individuals that their information has been corrected or amended. |
| CCI-003540 |
The organization implements a process for receiving complaints, concerns, or questions from individuals about the organizational privacy practices. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed implements a process IAW DoD 5400.11-R and OMB Memorandum M-08-09 for receiving complaints, grievances, concerns, or questions from individuals about: (1) organizational privacy process and procedural issues (consent, collection, and appropriate notice); (2) redress issues (non-Privacy Act inquiries seeking resolution of difficulties or concerns about privacy matters); (3) operational issues (inquiries regarding Privacy Act matters not including Privacy Act requests for access and/or corrections); and (4) a complaint or grievance against the organization or one of its employees concerning any right granted by DoD 5400.11-R. |
The organization being inspected/assessed documents and implements a process IAW DoD 5400.11-R and for receiving privacy-related complaints, grievances, concerns, or questions from individuals |
Complaint Management |
IP-4 |
IP-4.1 |
Complaints, concerns, and questions from individuals can serve as a valuable source of external input that ultimately improves operational models, uses of technology, data collection practices, and privacy and security safeguards. Organizations provide complaint mechanisms that are readily accessible by the public, include all information necessary for successfully filing complaints (including contact information for the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) or other official designated to receive complaints), and are easy to use. Organizational complaint management processes include tracking mechanisms to ensure that all complaints received are reviewed and appropriately addressed in a timely manner. Related controls: AR-6, IP-3. |
The organization implements a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices. |
| CCI-003541 |
The organization implements a process for responding to complaints, concerns, or questions from individuals about the organizational privacy practices. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed implements a process IAW DoD 5400.11-R and OMB Memorandum M-08-09 for processing complaints, grievances, concerns, or questions from individuals about: (1) organizational privacy process and procedural issues (consent, collection, and appropriate notice); (2) redress issues (non-Privacy Act inquiries seeking resolution of difficulties or concerns about privacy matters); (3) operational issues (inquiries regarding Privacy Act matters not including Privacy Act requests for access and/or corrections); and (4) a complaint or grievance against the organization or one of its employees concerning any right granted by DoD 5400.11-R. |
The organization being inspected/assessed documents and implements a process IAW DoD 5400.11-R and for responding to privacy-related complaints, grievances, concerns, or questions from individuals |
Complaint Management |
IP-4 |
IP-4.2 |
Complaints, concerns, and questions from individuals can serve as a valuable source of external input that ultimately improves operational models, uses of technology, data collection practices, and privacy and security safeguards. Organizations provide complaint mechanisms that are readily accessible by the public, include all information necessary for successfully filing complaints (including contact information for the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) or other official designated to receive complaints), and are easy to use. Organizational complaint management processes include tracking mechanisms to ensure that all complaints received are reviewed and appropriately addressed in a timely manner. Related controls: AR-6, IP-3. |
The organization implements a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices. |
| CCI-003542 |
The organization defines the time period within which it must respond to complaints, concerns, or questions from individuals about the organizational privacy practices. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the time period as 30 days within receipt of the initial complaint. |
DoD has defined the time period as 30 days within receipt of the initial complaint. |
Complaint Management | Response Times |
IP-4 (1) |
IP-4(1).1 |
N/A |
The organization responds to complaints, concerns, or questions from individuals within [Assignment: organization-defined time period]. |
| CCI-003543 |
The organization responds to complaints, concerns, or questions from individuals about the organizational privacy practices within the organization-defined time period. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed responds to complaints, concerns, or questions from individuals about the organizational privacy practices within 30 days within receipt of the initial complaint.
DoD has defined the time period as 30 days within receipt of the initial complaint. |
The organization being inspected/assessed documents and implements a process to respond to complaints, concerns, or questions from individuals about the organizational privacy practices within 30 days within receipt of the initial complaint.
DoD has defined the time period as 30 days within receipt of the initial complaint. |
Complaint Management | Response Times |
IP-4 (1) |
IP-4(1).2 |
N/A |
The organization responds to complaints, concerns, or questions from individuals within [Assignment: organization-defined time period]. |
| CCI-003544 |
The organization defines the frequency on which it will update the inventory that contains a listing of all programs and information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII). |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as within three years of PIA approval and when a significant system change or a change in privacy or security posture occurs. |
DoD has defined the frequency as within three years of PIA approval and when a significant system change or a change in privacy or security posture occurs. |
Inventory Of Personally Identifiable Information |
SE-1 |
SE-1.1 |
The PII inventory enables organizations to implement effective administrative, technical, and physical security policies and procedures to protect PII consistent with Appendix F, and to mitigate risks of PII exposure. As one method of gathering information for their PII inventories, organizations may extract the following information elements from Privacy Impact Assessments (PIA) for information systems containing PII: (i) the name and acronym for each system identified; (ii) the types of PII contained in that system; (iii) classification of level of sensitivity of all types of PII, as combined in that information system; and (iv) classification of level of potential risk of substantial harm, embarrassment, inconvenience, or unfairness to affected individuals, as well as the financial or reputational risks to organizations, if PII is exposed. Organizations take due care in updating the inventories by identifying linkable data that could create PII. Related controls: AR-1, AR-4, AR-5, AT-1, DM-1, PM-5, UL-3. |
The organization:
c. Establishes, maintains, and updates [Assignment: organization-defined frequency] an inventory that contains a listing of all programs and information systems identified as
collecting, using, maintaining, or sharing personally identifiable information (PII); and
d. Provides each update of the PII inventory to the CIO or information security official [Assignment: organization-defined frequency] to support the establishment of information security requirements for all new or modified information systems containing PII. |
| CCI-003545 |
The organization establishes an inventory that contains a listing of all programs identified as collecting, using, maintaining, or sharing personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the documented inventory to ensure the organization being inspected/assessed establishes an inventory that contains a listing of all programs identified as collecting, using, maintaining, or sharing PII. |
The organization being inspected/assessed establishes and documents an inventory that contains a listing of all programs identified as collecting, using, maintaining, or sharing PII. |
Inventory Of Personally Identifiable Information |
SE-1 |
SE-1.2 |
The PII inventory enables organizations to implement effective administrative, technical, and physical security policies and procedures to protect PII consistent with Appendix F, and to mitigate risks of PII exposure. As one method of gathering information for their PII inventories, organizations may extract the following information elements from Privacy Impact Assessments (PIA) for information systems containing PII: (i) the name and acronym for each system identified; (ii) the types of PII contained in that system; (iii) classification of level of sensitivity of all types of PII, as combined in that information system; and (iv) classification of level of potential risk of substantial harm, embarrassment, inconvenience, or unfairness to affected individuals, as well as the financial or reputational risks to organizations, if PII is exposed. Organizations take due care in updating the inventories by identifying linkable data that could create PII. Related controls: AR-1, AR-4, AR-5, AT-1, DM-1, PM-5, UL-3. |
The organization:
c. Establishes, maintains, and updates [Assignment: organization-defined frequency] an inventory that contains a listing of all programs and information systems identified as
collecting, using, maintaining, or sharing personally identifiable information (PII); and
d. Provides each update of the PII inventory to the CIO or information security official [Assignment: organization-defined frequency] to support the establishment of information security requirements for all new or modified information systems containing PII. |
| CCI-003546 |
The organization establishes an inventory that contains a listing of all information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the documented inventory to ensure the organization being inspected/assessed establishes an inventory that contains a listing of all information systems identified as collecting, using, maintaining, or sharing PII. |
The organization being inspected/assessed establishes and documents an inventory that contains a listing of all information systems identified as collecting, using, maintaining, or sharing PII. |
Inventory Of Personally Identifiable Information |
SE-1 |
SE-1.3 |
The PII inventory enables organizations to implement effective administrative, technical, and physical security policies and procedures to protect PII consistent with Appendix F, and to mitigate risks of PII exposure. As one method of gathering information for their PII inventories, organizations may extract the following information elements from Privacy Impact Assessments (PIA) for information systems containing PII: (i) the name and acronym for each system identified; (ii) the types of PII contained in that system; (iii) classification of level of sensitivity of all types of PII, as combined in that information system; and (iv) classification of level of potential risk of substantial harm, embarrassment, inconvenience, or unfairness to affected individuals, as well as the financial or reputational risks to organizations, if PII is exposed. Organizations take due care in updating the inventories by identifying linkable data that could create PII. Related controls: AR-1, AR-4, AR-5, AT-1, DM-1, PM-5, UL-3. |
The organization:
c. Establishes, maintains, and updates [Assignment: organization-defined frequency] an inventory that contains a listing of all programs and information systems identified as
collecting, using, maintaining, or sharing personally identifiable information (PII); and
d. Provides each update of the PII inventory to the CIO or information security official [Assignment: organization-defined frequency] to support the establishment of information security requirements for all new or modified information systems containing PII. |
| CCI-003547 |
The organization maintains an inventory that contains a listing of all programs identified as collecting, using, maintaining, or sharing personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed maintains an inventory that contains a listing of all programs identified as collecting, using, maintaining, or sharing PII. |
The organization being inspected/assessed documents and implements a process to maintain an inventory that contains a listing of all programs identified as collecting, using, maintaining, or sharing PII. |
Inventory Of Personally Identifiable Information |
SE-1 |
SE-1.4 |
The PII inventory enables organizations to implement effective administrative, technical, and physical security policies and procedures to protect PII consistent with Appendix F, and to mitigate risks of PII exposure. As one method of gathering information for their PII inventories, organizations may extract the following information elements from Privacy Impact Assessments (PIA) for information systems containing PII: (i) the name and acronym for each system identified; (ii) the types of PII contained in that system; (iii) classification of level of sensitivity of all types of PII, as combined in that information system; and (iv) classification of level of potential risk of substantial harm, embarrassment, inconvenience, or unfairness to affected individuals, as well as the financial or reputational risks to organizations, if PII is exposed. Organizations take due care in updating the inventories by identifying linkable data that could create PII. Related controls: AR-1, AR-4, AR-5, AT-1, DM-1, PM-5, UL-3. |
The organization:
c. Establishes, maintains, and updates [Assignment: organization-defined frequency] an inventory that contains a listing of all programs and information systems identified as
collecting, using, maintaining, or sharing personally identifiable information (PII); and
d. Provides each update of the PII inventory to the CIO or information security official [Assignment: organization-defined frequency] to support the establishment of information security requirements for all new or modified information systems containing PII. |
| CCI-003548 |
The organization maintains an inventory that contains a listing of all information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed maintains an inventory that contains a listing of all information systems identified as collecting, using, maintaining, or sharing PII. |
The organization being inspected/assessed documents and implements a process to maintain an inventory that contains a listing of all information systems identified as collecting, using, maintaining, or sharing PII. |
Inventory Of Personally Identifiable Information |
SE-1 |
SE-1.5 |
The PII inventory enables organizations to implement effective administrative, technical, and physical security policies and procedures to protect PII consistent with Appendix F, and to mitigate risks of PII exposure. As one method of gathering information for their PII inventories, organizations may extract the following information elements from Privacy Impact Assessments (PIA) for information systems containing PII: (i) the name and acronym for each system identified; (ii) the types of PII contained in that system; (iii) classification of level of sensitivity of all types of PII, as combined in that information system; and (iv) classification of level of potential risk of substantial harm, embarrassment, inconvenience, or unfairness to affected individuals, as well as the financial or reputational risks to organizations, if PII is exposed. Organizations take due care in updating the inventories by identifying linkable data that could create PII. Related controls: AR-1, AR-4, AR-5, AT-1, DM-1, PM-5, UL-3. |
The organization:
c. Establishes, maintains, and updates [Assignment: organization-defined frequency] an inventory that contains a listing of all programs and information systems identified as
collecting, using, maintaining, or sharing personally identifiable information (PII); and
d. Provides each update of the PII inventory to the CIO or information security official [Assignment: organization-defined frequency] to support the establishment of information security requirements for all new or modified information systems containing PII. |
| CCI-003549 |
The organization updates, per organization-defined frequency, an inventory that contains a listing of all programs identified as collecting, using, maintaining, or sharing personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of updates to ensure the organization being inspected/assessed updates, within three years of PIA approval and when a significant system change or a change in privacy or security posture occurs, an inventory that contains a listing of all programs identified as collecting, using, maintaining, or sharing PII.
DoD has defined the frequency as within three years of PIA approval and when a significant system change or a change in privacy or security posture occurs. |
The organization being inspected/assessed documents and implements a process to update, within three years of PIA approval and when a significant system change or a change in privacy or security posture occurs, an inventory that contains a listing of all programs identified as collecting, using, maintaining, or sharing PII.
The organization must maintain an audit trail of updates.
DoD has defined the frequency as within three years of PIA approval and when a significant system change or a change in privacy or security posture occurs. |
Inventory Of Personally Identifiable Information |
SE-1 |
SE-1.6 |
The PII inventory enables organizations to implement effective administrative, technical, and physical security policies and procedures to protect PII consistent with Appendix F, and to mitigate risks of PII exposure. As one method of gathering information for their PII inventories, organizations may extract the following information elements from Privacy Impact Assessments (PIA) for information systems containing PII: (i) the name and acronym for each system identified; (ii) the types of PII contained in that system; (iii) classification of level of sensitivity of all types of PII, as combined in that information system; and (iv) classification of level of potential risk of substantial harm, embarrassment, inconvenience, or unfairness to affected individuals, as well as the financial or reputational risks to organizations, if PII is exposed. Organizations take due care in updating the inventories by identifying linkable data that could create PII. Related controls: AR-1, AR-4, AR-5, AT-1, DM-1, PM-5, UL-3. |
The organization:
c. Establishes, maintains, and updates [Assignment: organization-defined frequency] an inventory that contains a listing of all programs and information systems identified as
collecting, using, maintaining, or sharing personally identifiable information (PII); and
d. Provides each update of the PII inventory to the CIO or information security official [Assignment: organization-defined frequency] to support the establishment of information security requirements for all new or modified information systems containing PII. |
| CCI-003550 |
The organization updates, per organization-defined frequency, an inventory that contains a listing of all information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of updates to ensure the organization being inspected/assessed updates, within three years of PIA approval and when a significant system change or a change in privacy or security posture occurs, an inventory that contains a listing of all information systems identified as collecting, using, maintaining, or sharing PII.
DoD has defined the frequency as within three years of PIA approval and when a significant system change or a change in privacy or security posture occurs. |
The organization being inspected/assessed documents and implements a process to update, within three years of PIA approval and when a significant system change or a change in privacy or security posture occurs, an inventory that contains a listing of all information systems identified as collecting, using, maintaining, or sharing PII.
The organization must maintain an audit trail of updates.
DoD has defined the frequency as within three years of PIA approval and when a significant system change or a change in privacy or security posture occurs. |
Inventory Of Personally Identifiable Information |
SE-1 |
SE-1.7 |
The PII inventory enables organizations to implement effective administrative, technical, and physical security policies and procedures to protect PII consistent with Appendix F, and to mitigate risks of PII exposure. As one method of gathering information for their PII inventories, organizations may extract the following information elements from Privacy Impact Assessments (PIA) for information systems containing PII: (i) the name and acronym for each system identified; (ii) the types of PII contained in that system; (iii) classification of level of sensitivity of all types of PII, as combined in that information system; and (iv) classification of level of potential risk of substantial harm, embarrassment, inconvenience, or unfairness to affected individuals, as well as the financial or reputational risks to organizations, if PII is exposed. Organizations take due care in updating the inventories by identifying linkable data that could create PII. Related controls: AR-1, AR-4, AR-5, AT-1, DM-1, PM-5, UL-3. |
The organization:
c. Establishes, maintains, and updates [Assignment: organization-defined frequency] an inventory that contains a listing of all programs and information systems identified as
collecting, using, maintaining, or sharing personally identifiable information (PII); and
d. Provides each update of the PII inventory to the CIO or information security official [Assignment: organization-defined frequency] to support the establishment of information security requirements for all new or modified information systems containing PII. |
| CCI-003551 |
The organization defines the frequency for providing each update of the personally identifiable information (PII) inventory to the CIO or information security official. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the frequency as within three years of PIA approval and when a significant system change or a change in privacy or security posture occurs. |
DoD has defined the frequency as within three years of PIA approval and when a significant system change or a change in privacy or security posture occurs. |
Inventory Of Personally Identifiable Information |
SE-1 |
SE-1.8 |
The PII inventory enables organizations to implement effective administrative, technical, and physical security policies and procedures to protect PII consistent with Appendix F, and to mitigate risks of PII exposure. As one method of gathering information for their PII inventories, organizations may extract the following information elements from Privacy Impact Assessments (PIA) for information systems containing PII: (i) the name and acronym for each system identified; (ii) the types of PII contained in that system; (iii) classification of level of sensitivity of all types of PII, as combined in that information system; and (iv) classification of level of potential risk of substantial harm, embarrassment, inconvenience, or unfairness to affected individuals, as well as the financial or reputational risks to organizations, if PII is exposed. Organizations take due care in updating the inventories by identifying linkable data that could create PII. Related controls: AR-1, AR-4, AR-5, AT-1, DM-1, PM-5, UL-3. |
The organization:
c. Establishes, maintains, and updates [Assignment: organization-defined frequency] an inventory that contains a listing of all programs and information systems identified as
collecting, using, maintaining, or sharing personally identifiable information (PII); and
d. Provides each update of the PII inventory to the CIO or information security official [Assignment: organization-defined frequency] to support the establishment of information security requirements for all new or modified information systems containing PII. |
| CCI-003552 |
The organization provides each update of the personally identifiable information (PII) inventory to the CIO or information security official, per organization-defined frequency, to support the establishment of information security requirements for all new or modified information systems containing PII. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed provides each update of the PII inventory to the CIO or information security official, within three years of PIA approval and when a significant system change or a change in privacy or security posture occurs, to support the establishment of information security requirements for all new or modified information systems containing PII.
DoD has defined the frequency as within three years of PIA approval and when a significant system change or a change in privacy or security posture occurs. |
The organization being inspected/assessed documents and implements a process to provide each update of the PII inventory to the CIO or information security official, within three years of PIA approval and when a significant system change or a change in privacy or security posture occurs, to support the establishment of information security requirements for all new or modified information systems containing PII.
DoD has defined the frequency as within three years of PIA approval and when a significant system change or a change in privacy or security posture occurs. |
Inventory Of Personally Identifiable Information |
SE-1 |
SE-1.9 |
The PII inventory enables organizations to implement effective administrative, technical, and physical security policies and procedures to protect PII consistent with Appendix F, and to mitigate risks of PII exposure. As one method of gathering information for their PII inventories, organizations may extract the following information elements from Privacy Impact Assessments (PIA) for information systems containing PII: (i) the name and acronym for each system identified; (ii) the types of PII contained in that system; (iii) classification of level of sensitivity of all types of PII, as combined in that information system; and (iv) classification of level of potential risk of substantial harm, embarrassment, inconvenience, or unfairness to affected individuals, as well as the financial or reputational risks to organizations, if PII is exposed. Organizations take due care in updating the inventories by identifying linkable data that could create PII. Related controls: AR-1, AR-4, AR-5, AT-1, DM-1, PM-5, UL-3. |
The organization:
c. Establishes, maintains, and updates [Assignment: organization-defined frequency] an inventory that contains a listing of all programs and information systems identified as
collecting, using, maintaining, or sharing personally identifiable information (PII); and
d. Provides each update of the PII inventory to the CIO or information security official [Assignment: organization-defined frequency] to support the establishment of information security requirements for all new or modified information systems containing PII. |
| CCI-003553 |
The organization develops a Privacy Incident Response Plan. |
The organization conducting the inspection/assessment obtains and examines the documented Privacy Incident Response Plan to ensure the organization being inspected/assessed develops a Privacy Incident Response Plan. |
The organization being inspected/assessed develops and documents a Privacy Incident Response Plan. The revision of DoD 5400.11-R into a manual provides DoD-enterprise-level guidance on breach reporting. Components may decide to augment this with their own incident response plan. The privacy incident response plan may be included as a part of the organization's existing response plan. |
Privacy Incident Response |
SE-2 |
SE-2.1 |
In contrast to the Incident Response (IR) family in Appendix F, which concerns a broader range of incidents affecting information security, this control uses the term Privacy Incident to describe only those incidents that relate to personally identifiable information (PII). The organization Privacy Incident Response Plan is developed under the leadership of the SAOP/CPO. The plan includes: (i) the establishment of a cross-functional Privacy Incident Response Team that reviews, approves, and participates in the execution of the Privacy Incident Response Plan; (ii) a process to determine whether notice to oversight organizations or affected individuals is appropriate and to provide that notice accordingly; (iii) a privacy risk assessment process to determine the extent of harm, embarrassment, inconvenience, or unfairness to affected individuals and, where appropriate, to take steps to mitigate any such risks; (iv) internal procedures to ensure prompt reporting by employees and contractors of any privacy incident to information security officials and the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO), consistent with organizational incident management structures; and (v) internal procedures for reporting noncompliance with organizational privacy policy by employees or contractors to appropriate management or oversight officials. Some organizations may be required by law or policy to provide notice to oversight organizations in the event of a breach. Organizations may also choose to integrate Privacy Incident Response Plans with Security Incident Response Plans, or keep the plans separate. Related controls: AR-1, AR-4, AR-5, AR-6, AU-1 through 14, IR-1 through IR-8, RA-1. |
The organization:
a. Develops and implements a Privacy Incident Response Plan; and
b. Provides an organized and effective response to privacy incidents in accordance with the organizational Privacy Incident Response Plan. |
| CCI-003554 |
The organization implements a Privacy Incident Response Plan. |
The organization conducting the inspection/assessment obtains and examines the documented Privacy Incident Response Plan to ensure the organization being inspected/assessed implements a Privacy Incident Response Plan. |
The organization being inspected/assessed implements a Privacy Incident Response Plan. The revision of DoD 5400.11-R into a manual provides DoD-enterprise-level guidance on breach reporting. Components may decide to augment this with their own incident response plan. |
Privacy Incident Response |
SE-2 |
SE-2.2 |
In contrast to the Incident Response (IR) family in Appendix F, which concerns a broader range of incidents affecting information security, this control uses the term Privacy Incident to describe only those incidents that relate to personally identifiable information (PII). The organization Privacy Incident Response Plan is developed under the leadership of the SAOP/CPO. The plan includes: (i) the establishment of a cross-functional Privacy Incident Response Team that reviews, approves, and participates in the execution of the Privacy Incident Response Plan; (ii) a process to determine whether notice to oversight organizations or affected individuals is appropriate and to provide that notice accordingly; (iii) a privacy risk assessment process to determine the extent of harm, embarrassment, inconvenience, or unfairness to affected individuals and, where appropriate, to take steps to mitigate any such risks; (iv) internal procedures to ensure prompt reporting by employees and contractors of any privacy incident to information security officials and the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO), consistent with organizational incident management structures; and (v) internal procedures for reporting noncompliance with organizational privacy policy by employees or contractors to appropriate management or oversight officials. Some organizations may be required by law or policy to provide notice to oversight organizations in the event of a breach. Organizations may also choose to integrate Privacy Incident Response Plans with Security Incident Response Plans, or keep the plans separate. Related controls: AR-1, AR-4, AR-5, AR-6, AU-1 through 14, IR-1 through IR-8, RA-1. |
The organization:
a. Develops and implements a Privacy Incident Response Plan; and
b. Provides an organized and effective response to privacy incidents in accordance with the organizational Privacy Incident Response Plan. |
| CCI-003555 |
The organization provides an organized and effective response to privacy incidents in accordance with the organizational Privacy Incident Response Plan. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed provides an organized and effective response to privacy incidents in accordance with the organizational Privacy Incident Response Plan. |
The organization being inspected/assessed documents and implements a process to provides an organized and effective response to privacy incidents in accordance with the organizational Privacy Incident Response Plan. The revision of DoD 5400.11-R into a manual provides DoD-enterprise-level guidance on breach reporting. Components may decide to augment this with their own incident response plan. The privacy incident response plan, which may be included as a part of your existing response plan. |
Privacy Incident Response |
SE-2 |
SE-2.3 |
In contrast to the Incident Response (IR) family in Appendix F, which concerns a broader range of incidents affecting information security, this control uses the term Privacy Incident to describe only those incidents that relate to personally identifiable information (PII). The organization Privacy Incident Response Plan is developed under the leadership of the SAOP/CPO. The plan includes: (i) the establishment of a cross-functional Privacy Incident Response Team that reviews, approves, and participates in the execution of the Privacy Incident Response Plan; (ii) a process to determine whether notice to oversight organizations or affected individuals is appropriate and to provide that notice accordingly; (iii) a privacy risk assessment process to determine the extent of harm, embarrassment, inconvenience, or unfairness to affected individuals and, where appropriate, to take steps to mitigate any such risks; (iv) internal procedures to ensure prompt reporting by employees and contractors of any privacy incident to information security officials and the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO), consistent with organizational incident management structures; and (v) internal procedures for reporting noncompliance with organizational privacy policy by employees or contractors to appropriate management or oversight officials. Some organizations may be required by law or policy to provide notice to oversight organizations in the event of a breach. Organizations may also choose to integrate Privacy Incident Response Plans with Security Incident Response Plans, or keep the plans separate. Related controls: AR-1, AR-4, AR-5, AR-6, AU-1 through 14, IR-1 through IR-8, RA-1. |
The organization:
a. Develops and implements a Privacy Incident Response Plan; and
b. Provides an organized and effective response to privacy incidents in accordance with the organizational Privacy Incident Response Plan. |
| CCI-003556 |
The organization provides effective notice to the public regarding its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed provides effective notice to the public IAW DoD 5400.11-R and DoDI 5400.16 regarding its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII). |
The organization being inspected/assessed documents and implements a process IAW DoD 5400.11-R and DoDI 5400.16 to provide effective notice to the public regarding its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII). |
Privacy Notice |
TR-1 |
TR-1.1 |
Effective notice, by virtue of its clarity, readability, and comprehensiveness, enables individuals to understand how an organization uses PII generally and, where appropriate, to make an informed decision prior to providing PII to an organization. Effective notice also demonstrates the privacy considerations that the organization has addressed in implementing its information practices. The organization may provide general public notice through a variety of means, as required by law or policy, including System of Records Notices (SORNs), Privacy Impact Assessments (PIAs), or in a website privacy policy. As required by the Privacy Act, the organization also provides direct notice to individuals via Privacy Act Statements on the paper and electronic forms it uses to collect PII, or on separate forms that can be retained by the individuals.
The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) is responsible for the content of the organization’s public notices, in consultation with legal counsel and relevant program managers. The public notice requirement in this control is satisfied by an organization’s compliance with the public notice provisions of the Privacy Act, the E-Government Act’s PIA requirement, with OMB guidance related to federal agency privacy notices, and, where applicable, with policy pertaining to participation in the Information Sharing Environment (ISE).124 Changing PII practice or policy without prior notice is disfavored and should only be undertaken in consultation with the SAOP/CPO and counsel. Related controls: AP-1, AP-2, AR-1, AR-2, IP-1, IP-2, IP-3, UL-1, UL-2. |
The organization:
a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;
b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and
c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change. |
| CCI-003557 |
The organization provides effective notice to individuals regarding its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed provides effective notice IAW DoD 5400.11-R and DoDI 5400.16 to individuals regarding its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of PII. |
The organization being inspected/assessed documents and implements a process IAW DoD 5400.11-R and DoDI 5400.16 to provide effective information to individuals regarding its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of PII. The process may include use of the SORN, PIA, or through the Privacy Act Statement on forms used to collect PII. |
Privacy Notice |
TR-1 |
TR-1.2 |
Effective notice, by virtue of its clarity, readability, and comprehensiveness, enables individuals to understand how an organization uses PII generally and, where appropriate, to make an informed decision prior to providing PII to an organization. Effective notice also demonstrates the privacy considerations that the organization has addressed in implementing its information practices. The organization may provide general public notice through a variety of means, as required by law or policy, including System of Records Notices (SORNs), Privacy Impact Assessments (PIAs), or in a website privacy policy. As required by the Privacy Act, the organization also provides direct notice to individuals via Privacy Act Statements on the paper and electronic forms it uses to collect PII, or on separate forms that can be retained by the individuals.
The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) is responsible for the content of the organization’s public notices, in consultation with legal counsel and relevant program managers. The public notice requirement in this control is satisfied by an organization’s compliance with the public notice provisions of the Privacy Act, the E-Government Act’s PIA requirement, with OMB guidance related to federal agency privacy notices, and, where applicable, with policy pertaining to participation in the Information Sharing Environment (ISE).124 Changing PII practice or policy without prior notice is disfavored and should only be undertaken in consultation with the SAOP/CPO and counsel. Related controls: AP-1, AP-2, AR-1, AR-2, IP-1, IP-2, IP-3, UL-1, UL-2. |
The organization:
a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;
b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and
c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change. |
| CCI-003558 |
The organization provides effective notice to the public regarding its authority for collecting personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed provides effective notice IAW DoD 5400.11-R and DoDI 5400.16 to the public regarding its authority for collecting PII. |
The organization being inspected/assessed documents and implements a process IAW DoD 5400.11-R and DoDI 5400.16 to provide effective notice to the public regarding its authority for collecting PII. |
Privacy Notice |
TR-1 |
TR-1.3 |
Effective notice, by virtue of its clarity, readability, and comprehensiveness, enables individuals to understand how an organization uses PII generally and, where appropriate, to make an informed decision prior to providing PII to an organization. Effective notice also demonstrates the privacy considerations that the organization has addressed in implementing its information practices. The organization may provide general public notice through a variety of means, as required by law or policy, including System of Records Notices (SORNs), Privacy Impact Assessments (PIAs), or in a website privacy policy. As required by the Privacy Act, the organization also provides direct notice to individuals via Privacy Act Statements on the paper and electronic forms it uses to collect PII, or on separate forms that can be retained by the individuals.
The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) is responsible for the content of the organization’s public notices, in consultation with legal counsel and relevant program managers. The public notice requirement in this control is satisfied by an organization’s compliance with the public notice provisions of the Privacy Act, the E-Government Act’s PIA requirement, with OMB guidance related to federal agency privacy notices, and, where applicable, with policy pertaining to participation in the Information Sharing Environment (ISE).124 Changing PII practice or policy without prior notice is disfavored and should only be undertaken in consultation with the SAOP/CPO and counsel. Related controls: AP-1, AP-2, AR-1, AR-2, IP-1, IP-2, IP-3, UL-1, UL-2. |
The organization:
a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;
b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and
c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change. |
| CCI-003559 |
The organization provides effective notice to individuals regarding its authority for collecting personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed provides effective notice IAWIAW DoD 5400.11-R and DoDI 5400.16 to individuals regarding its authority for collecting PII. |
The organization being inspected/assessed documents and implements a process IAW DoD 5400.11-R and DoDI 5400.16 to provide effective notice to individuals regarding its authority for collecting PII. |
Privacy Notice |
TR-1 |
TR-1.4 |
Effective notice, by virtue of its clarity, readability, and comprehensiveness, enables individuals to understand how an organization uses PII generally and, where appropriate, to make an informed decision prior to providing PII to an organization. Effective notice also demonstrates the privacy considerations that the organization has addressed in implementing its information practices. The organization may provide general public notice through a variety of means, as required by law or policy, including System of Records Notices (SORNs), Privacy Impact Assessments (PIAs), or in a website privacy policy. As required by the Privacy Act, the organization also provides direct notice to individuals via Privacy Act Statements on the paper and electronic forms it uses to collect PII, or on separate forms that can be retained by the individuals.
The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) is responsible for the content of the organization’s public notices, in consultation with legal counsel and relevant program managers. The public notice requirement in this control is satisfied by an organization’s compliance with the public notice provisions of the Privacy Act, the E-Government Act’s PIA requirement, with OMB guidance related to federal agency privacy notices, and, where applicable, with policy pertaining to participation in the Information Sharing Environment (ISE).124 Changing PII practice or policy without prior notice is disfavored and should only be undertaken in consultation with the SAOP/CPO and counsel. Related controls: AP-1, AP-2, AR-1, AR-2, IP-1, IP-2, IP-3, UL-1, UL-2. |
The organization:
a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;
b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and
c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change. |
| CCI-003560 |
The organization provides effective notice to the public regarding the choices, if any, individuals may have regarding how the organization uses personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed provides effective notice IAW DoD 5400.11-R and DoDI 5400.16 to the public regarding the choices, if any, individuals may have regarding how the organization uses PII. |
The organization being inspected/assessed documents and implements a process IAW DoD 5400.11-R and DoDI 5400.16 to provide effective notice to the public regarding the choices, if any, individuals may have regarding how the organization uses PII. |
Privacy Notice |
TR-1 |
TR-1.5 |
Effective notice, by virtue of its clarity, readability, and comprehensiveness, enables individuals to understand how an organization uses PII generally and, where appropriate, to make an informed decision prior to providing PII to an organization. Effective notice also demonstrates the privacy considerations that the organization has addressed in implementing its information practices. The organization may provide general public notice through a variety of means, as required by law or policy, including System of Records Notices (SORNs), Privacy Impact Assessments (PIAs), or in a website privacy policy. As required by the Privacy Act, the organization also provides direct notice to individuals via Privacy Act Statements on the paper and electronic forms it uses to collect PII, or on separate forms that can be retained by the individuals.
The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) is responsible for the content of the organization’s public notices, in consultation with legal counsel and relevant program managers. The public notice requirement in this control is satisfied by an organization’s compliance with the public notice provisions of the Privacy Act, the E-Government Act’s PIA requirement, with OMB guidance related to federal agency privacy notices, and, where applicable, with policy pertaining to participation in the Information Sharing Environment (ISE).124 Changing PII practice or policy without prior notice is disfavored and should only be undertaken in consultation with the SAOP/CPO and counsel. Related controls: AP-1, AP-2, AR-1, AR-2, IP-1, IP-2, IP-3, UL-1, UL-2. |
The organization:
a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;
b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and
c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change. |
| CCI-003561 |
The organization provides effective notice to individuals regarding the choices, if any, individuals may have regarding how the organization uses personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed provides effective notice IAW DoD 5400.11-R and DoDI 5400.16 to individuals regarding the choices, if any, individuals may have regarding how the organization uses PII. |
The organization being inspected/assessed documents and implements a process to provide IAW DoD 5400.11-R and DoDI 5400.16 effective notice to individuals regarding the choices, if any, individuals may have regarding how the organization uses PII. |
Privacy Notice |
TR-1 |
TR-1.6 |
Effective notice, by virtue of its clarity, readability, and comprehensiveness, enables individuals to understand how an organization uses PII generally and, where appropriate, to make an informed decision prior to providing PII to an organization. Effective notice also demonstrates the privacy considerations that the organization has addressed in implementing its information practices. The organization may provide general public notice through a variety of means, as required by law or policy, including System of Records Notices (SORNs), Privacy Impact Assessments (PIAs), or in a website privacy policy. As required by the Privacy Act, the organization also provides direct notice to individuals via Privacy Act Statements on the paper and electronic forms it uses to collect PII, or on separate forms that can be retained by the individuals.
The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) is responsible for the content of the organization’s public notices, in consultation with legal counsel and relevant program managers. The public notice requirement in this control is satisfied by an organization’s compliance with the public notice provisions of the Privacy Act, the E-Government Act’s PIA requirement, with OMB guidance related to federal agency privacy notices, and, where applicable, with policy pertaining to participation in the Information Sharing Environment (ISE).124 Changing PII practice or policy without prior notice is disfavored and should only be undertaken in consultation with the SAOP/CPO and counsel. Related controls: AP-1, AP-2, AR-1, AR-2, IP-1, IP-2, IP-3, UL-1, UL-2. |
The organization:
a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;
b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and
c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change. |
| CCI-003562 |
The organization provides effective notice to the public regarding the consequences of exercising or not exercising the choices regarding how the organization uses personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed provides effective notice IAW DoD 5400.11-R and DoDI 5400.16 to the public regarding the consequences of exercising or not exercising the choices regarding how the organization uses PII. |
The organization being inspected/assessed documents and implements a process IAW DoD 5400.11-R and DoDI 5400.16 to provide effective notice to the public regarding the consequences of exercising or not exercising the choices regarding how the organization uses PII. |
Privacy Notice |
TR-1 |
TR-1.7 |
Effective notice, by virtue of its clarity, readability, and comprehensiveness, enables individuals to understand how an organization uses PII generally and, where appropriate, to make an informed decision prior to providing PII to an organization. Effective notice also demonstrates the privacy considerations that the organization has addressed in implementing its information practices. The organization may provide general public notice through a variety of means, as required by law or policy, including System of Records Notices (SORNs), Privacy Impact Assessments (PIAs), or in a website privacy policy. As required by the Privacy Act, the organization also provides direct notice to individuals via Privacy Act Statements on the paper and electronic forms it uses to collect PII, or on separate forms that can be retained by the individuals.
The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) is responsible for the content of the organization’s public notices, in consultation with legal counsel and relevant program managers. The public notice requirement in this control is satisfied by an organization’s compliance with the public notice provisions of the Privacy Act, the E-Government Act’s PIA requirement, with OMB guidance related to federal agency privacy notices, and, where applicable, with policy pertaining to participation in the Information Sharing Environment (ISE).124 Changing PII practice or policy without prior notice is disfavored and should only be undertaken in consultation with the SAOP/CPO and counsel. Related controls: AP-1, AP-2, AR-1, AR-2, IP-1, IP-2, IP-3, UL-1, UL-2. |
The organization:
a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;
b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and
c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change. |
| CCI-003563 |
The organization provides effective notice to individuals regarding the consequences of exercising or not exercising the choices regarding how the organization uses personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed provides effective notice IAW DoD 5400.11-R and DoDI 5400.16 to individuals regarding the consequences of exercising or not exercising the choices regarding how the organization uses PII. |
The organization being inspected/assessed documents and implements a process IAW DoD 5400.11-R and DoDI 5400.16 to provide effective notice to individuals regarding the consequences of exercising or not exercising the choices regarding how the organization uses PII. |
Privacy Notice |
TR-1 |
TR-1.8 |
Effective notice, by virtue of its clarity, readability, and comprehensiveness, enables individuals to understand how an organization uses PII generally and, where appropriate, to make an informed decision prior to providing PII to an organization. Effective notice also demonstrates the privacy considerations that the organization has addressed in implementing its information practices. The organization may provide general public notice through a variety of means, as required by law or policy, including System of Records Notices (SORNs), Privacy Impact Assessments (PIAs), or in a website privacy policy. As required by the Privacy Act, the organization also provides direct notice to individuals via Privacy Act Statements on the paper and electronic forms it uses to collect PII, or on separate forms that can be retained by the individuals.
The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) is responsible for the content of the organization’s public notices, in consultation with legal counsel and relevant program managers. The public notice requirement in this control is satisfied by an organization’s compliance with the public notice provisions of the Privacy Act, the E-Government Act’s PIA requirement, with OMB guidance related to federal agency privacy notices, and, where applicable, with policy pertaining to participation in the Information Sharing Environment (ISE).124 Changing PII practice or policy without prior notice is disfavored and should only be undertaken in consultation with the SAOP/CPO and counsel. Related controls: AP-1, AP-2, AR-1, AR-2, IP-1, IP-2, IP-3, UL-1, UL-2. |
The organization:
a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;
b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and
c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change. |
| CCI-003564 |
The organization provides effective notice to the public regarding the ability of individuals to access personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed provides effective notice IAW DoD 5400.11-R and DoDI 5400.16 to the public regarding the ability to access PII. |
The organization being inspected/assessed documents and implements a process IAW DoD 5400.11-R and DoDI 5400.16 to provide effective notice to the public regarding the ability to access PII. |
Privacy Notice |
TR-1 |
TR-1.9 |
Effective notice, by virtue of its clarity, readability, and comprehensiveness, enables individuals to understand how an organization uses PII generally and, where appropriate, to make an informed decision prior to providing PII to an organization. Effective notice also demonstrates the privacy considerations that the organization has addressed in implementing its information practices. The organization may provide general public notice through a variety of means, as required by law or policy, including System of Records Notices (SORNs), Privacy Impact Assessments (PIAs), or in a website privacy policy. As required by the Privacy Act, the organization also provides direct notice to individuals via Privacy Act Statements on the paper and electronic forms it uses to collect PII, or on separate forms that can be retained by the individuals.
The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) is responsible for the content of the organization’s public notices, in consultation with legal counsel and relevant program managers. The public notice requirement in this control is satisfied by an organization’s compliance with the public notice provisions of the Privacy Act, the E-Government Act’s PIA requirement, with OMB guidance related to federal agency privacy notices, and, where applicable, with policy pertaining to participation in the Information Sharing Environment (ISE).124 Changing PII practice or policy without prior notice is disfavored and should only be undertaken in consultation with the SAOP/CPO and counsel. Related controls: AP-1, AP-2, AR-1, AR-2, IP-1, IP-2, IP-3, UL-1, UL-2. |
The organization:
a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;
b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and
c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change. |
| CCI-003565 |
The organization provides effective notice to individuals regarding the ability to access personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed provides effective notice IAW DoD 5400.11-R and DoDI 5400.16 to individuals regarding the ability to access PII. |
The organization being inspected/assessed documents and implements a process IAW DoD 5400.11-R and DoDI 5400.16 to provide effective notice to individuals regarding the ability to access PII. |
Privacy Notice |
TR-1 |
TR-1.10 |
Effective notice, by virtue of its clarity, readability, and comprehensiveness, enables individuals to understand how an organization uses PII generally and, where appropriate, to make an informed decision prior to providing PII to an organization. Effective notice also demonstrates the privacy considerations that the organization has addressed in implementing its information practices. The organization may provide general public notice through a variety of means, as required by law or policy, including System of Records Notices (SORNs), Privacy Impact Assessments (PIAs), or in a website privacy policy. As required by the Privacy Act, the organization also provides direct notice to individuals via Privacy Act Statements on the paper and electronic forms it uses to collect PII, or on separate forms that can be retained by the individuals.
The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) is responsible for the content of the organization’s public notices, in consultation with legal counsel and relevant program managers. The public notice requirement in this control is satisfied by an organization’s compliance with the public notice provisions of the Privacy Act, the E-Government Act’s PIA requirement, with OMB guidance related to federal agency privacy notices, and, where applicable, with policy pertaining to participation in the Information Sharing Environment (ISE).124 Changing PII practice or policy without prior notice is disfavored and should only be undertaken in consultation with the SAOP/CPO and counsel. Related controls: AP-1, AP-2, AR-1, AR-2, IP-1, IP-2, IP-3, UL-1, UL-2. |
The organization:
a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;
b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and
c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change. |
| CCI-003566 |
The organization provides effective notice to the public regarding the ability to have personally identifiable information (PII) amended or corrected if necessary. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed provides effective notice IAW DoD 5400.11-R and DoDI 5400.16 to the public regarding the ability to have PII amended or corrected if necessary. |
The organization being inspected/assessed documents and implements a process IAW DoD 5400.11-R and DoDI 5400.16 to provide effective notice to the public regarding the ability to have PII amended or corrected if necessary. |
Privacy Notice |
TR-1 |
TR-1.11 |
Effective notice, by virtue of its clarity, readability, and comprehensiveness, enables individuals to understand how an organization uses PII generally and, where appropriate, to make an informed decision prior to providing PII to an organization. Effective notice also demonstrates the privacy considerations that the organization has addressed in implementing its information practices. The organization may provide general public notice through a variety of means, as required by law or policy, including System of Records Notices (SORNs), Privacy Impact Assessments (PIAs), or in a website privacy policy. As required by the Privacy Act, the organization also provides direct notice to individuals via Privacy Act Statements on the paper and electronic forms it uses to collect PII, or on separate forms that can be retained by the individuals.
The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) is responsible for the content of the organization’s public notices, in consultation with legal counsel and relevant program managers. The public notice requirement in this control is satisfied by an organization’s compliance with the public notice provisions of the Privacy Act, the E-Government Act’s PIA requirement, with OMB guidance related to federal agency privacy notices, and, where applicable, with policy pertaining to participation in the Information Sharing Environment (ISE).124 Changing PII practice or policy without prior notice is disfavored and should only be undertaken in consultation with the SAOP/CPO and counsel. Related controls: AP-1, AP-2, AR-1, AR-2, IP-1, IP-2, IP-3, UL-1, UL-2. |
The organization:
a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;
b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and
c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change. |
| CCI-003567 |
The organization provides effective notice to individuals regarding the ability to have personally identifiable information (PII) amended or corrected if necessary. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed provides effective notice IAW DoD 5400.11-R and DoDI 5400.16 to individuals regarding the ability to have PII amended or corrected if necessary. |
The organization being inspected/assessed documents and implements a process IAW DoD 5400.11-R and DoDI 5400.16 to provide effective notice to individuals regarding the ability to have PII amended or corrected if necessary. |
Privacy Notice |
TR-1 |
TR-1.12 |
Effective notice, by virtue of its clarity, readability, and comprehensiveness, enables individuals to understand how an organization uses PII generally and, where appropriate, to make an informed decision prior to providing PII to an organization. Effective notice also demonstrates the privacy considerations that the organization has addressed in implementing its information practices. The organization may provide general public notice through a variety of means, as required by law or policy, including System of Records Notices (SORNs), Privacy Impact Assessments (PIAs), or in a website privacy policy. As required by the Privacy Act, the organization also provides direct notice to individuals via Privacy Act Statements on the paper and electronic forms it uses to collect PII, or on separate forms that can be retained by the individuals.
The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) is responsible for the content of the organization’s public notices, in consultation with legal counsel and relevant program managers. The public notice requirement in this control is satisfied by an organization’s compliance with the public notice provisions of the Privacy Act, the E-Government Act’s PIA requirement, with OMB guidance related to federal agency privacy notices, and, where applicable, with policy pertaining to participation in the Information Sharing Environment (ISE).124 Changing PII practice or policy without prior notice is disfavored and should only be undertaken in consultation with the SAOP/CPO and counsel. Related controls: AP-1, AP-2, AR-1, AR-2, IP-1, IP-2, IP-3, UL-1, UL-2. |
The organization:
a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;
b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and
c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change. |
| CCI-003568 |
The organization describes the personally identifiable information (PII) the organization collects. |
The organization conducting the inspection/assessment obtains and examines the documented description to ensure the organization being inspected/assessed describes the PII the organization collects IAW DoD 5400.11-R and DoDI 5400.16 |
The organization being inspected/assessed describes and documents IAW DoD 5400.11-R and DoDI 5400.16 the PII the organization collects. |
Privacy Notice |
TR-1 |
TR-1.13 |
Effective notice, by virtue of its clarity, readability, and comprehensiveness, enables individuals to understand how an organization uses PII generally and, where appropriate, to make an informed decision prior to providing PII to an organization. Effective notice also demonstrates the privacy considerations that the organization has addressed in implementing its information practices. The organization may provide general public notice through a variety of means, as required by law or policy, including System of Records Notices (SORNs), Privacy Impact Assessments (PIAs), or in a website privacy policy. As required by the Privacy Act, the organization also provides direct notice to individuals via Privacy Act Statements on the paper and electronic forms it uses to collect PII, or on separate forms that can be retained by the individuals.
The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) is responsible for the content of the organization’s public notices, in consultation with legal counsel and relevant program managers. The public notice requirement in this control is satisfied by an organization’s compliance with the public notice provisions of the Privacy Act, the E-Government Act’s PIA requirement, with OMB guidance related to federal agency privacy notices, and, where applicable, with policy pertaining to participation in the Information Sharing Environment (ISE).124 Changing PII practice or policy without prior notice is disfavored and should only be undertaken in consultation with the SAOP/CPO and counsel. Related controls: AP-1, AP-2, AR-1, AR-2, IP-1, IP-2, IP-3, UL-1, UL-2. |
The organization:
a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;
b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and
c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change. |
| CCI-003569 |
The organization describes the purpose(s) for which it collects the personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the documented description to ensure the organization being inspected/assessed describes the purpose(s) for which it collects the PII information IAW DoD 5400.11-R and DoDI 5400.16 |
The organization being inspected/assessed describes and documents IAW DoD 5400.11-R and DoDI 5400.16 the purpose(s) for which it collects the PII information. |
Privacy Notice |
TR-1 |
TR-1.14 |
Effective notice, by virtue of its clarity, readability, and comprehensiveness, enables individuals to understand how an organization uses PII generally and, where appropriate, to make an informed decision prior to providing PII to an organization. Effective notice also demonstrates the privacy considerations that the organization has addressed in implementing its information practices. The organization may provide general public notice through a variety of means, as required by law or policy, including System of Records Notices (SORNs), Privacy Impact Assessments (PIAs), or in a website privacy policy. As required by the Privacy Act, the organization also provides direct notice to individuals via Privacy Act Statements on the paper and electronic forms it uses to collect PII, or on separate forms that can be retained by the individuals.
The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) is responsible for the content of the organization’s public notices, in consultation with legal counsel and relevant program managers. The public notice requirement in this control is satisfied by an organization’s compliance with the public notice provisions of the Privacy Act, the E-Government Act’s PIA requirement, with OMB guidance related to federal agency privacy notices, and, where applicable, with policy pertaining to participation in the Information Sharing Environment (ISE).124 Changing PII practice or policy without prior notice is disfavored and should only be undertaken in consultation with the SAOP/CPO and counsel. Related controls: AP-1, AP-2, AR-1, AR-2, IP-1, IP-2, IP-3, UL-1, UL-2. |
The organization:
a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;
b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and
c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change. |
| CCI-003570 |
The organization describes how the organization uses personally identifiable information (PII) internally. |
The organization conducting the inspection/assessment obtains and examines the documented description to ensure the organization being inspected/assessed describes how the organization uses PII internally IAW DoD 5400.11-R and DoDI 5400.16 |
The organization being inspected/assessed describes and documents IAW DoD 5400.11-R and DoDI 5400.16 how the organization uses PII internally. |
Privacy Notice |
TR-1 |
TR-1.15 |
Effective notice, by virtue of its clarity, readability, and comprehensiveness, enables individuals to understand how an organization uses PII generally and, where appropriate, to make an informed decision prior to providing PII to an organization. Effective notice also demonstrates the privacy considerations that the organization has addressed in implementing its information practices. The organization may provide general public notice through a variety of means, as required by law or policy, including System of Records Notices (SORNs), Privacy Impact Assessments (PIAs), or in a website privacy policy. As required by the Privacy Act, the organization also provides direct notice to individuals via Privacy Act Statements on the paper and electronic forms it uses to collect PII, or on separate forms that can be retained by the individuals.
The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) is responsible for the content of the organization’s public notices, in consultation with legal counsel and relevant program managers. The public notice requirement in this control is satisfied by an organization’s compliance with the public notice provisions of the Privacy Act, the E-Government Act’s PIA requirement, with OMB guidance related to federal agency privacy notices, and, where applicable, with policy pertaining to participation in the Information Sharing Environment (ISE).124 Changing PII practice or policy without prior notice is disfavored and should only be undertaken in consultation with the SAOP/CPO and counsel. Related controls: AP-1, AP-2, AR-1, AR-2, IP-1, IP-2, IP-3, UL-1, UL-2. |
The organization:
a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;
b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and
c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change. |
| CCI-003571 |
The organization describes whether the organization shares personally identifiable information (PII) with external entities. |
The organization conducting the inspection/assessment obtains and examines the documented description to ensure the organization being inspected/assessed describes whether the organization shares PII with external entities IAW DoD 5400.11-R and DoDI 5400.16. |
The organization being inspected/assessed describes and documents IAW DoD 5400.11-R and DoDI 5400.16 whether the organization shares PII with external entities. |
Privacy Notice |
TR-1 |
TR-1.16 |
Effective notice, by virtue of its clarity, readability, and comprehensiveness, enables individuals to understand how an organization uses PII generally and, where appropriate, to make an informed decision prior to providing PII to an organization. Effective notice also demonstrates the privacy considerations that the organization has addressed in implementing its information practices. The organization may provide general public notice through a variety of means, as required by law or policy, including System of Records Notices (SORNs), Privacy Impact Assessments (PIAs), or in a website privacy policy. As required by the Privacy Act, the organization also provides direct notice to individuals via Privacy Act Statements on the paper and electronic forms it uses to collect PII, or on separate forms that can be retained by the individuals.
The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) is responsible for the content of the organization’s public notices, in consultation with legal counsel and relevant program managers. The public notice requirement in this control is satisfied by an organization’s compliance with the public notice provisions of the Privacy Act, the E-Government Act’s PIA requirement, with OMB guidance related to federal agency privacy notices, and, where applicable, with policy pertaining to participation in the Information Sharing Environment (ISE).124 Changing PII practice or policy without prior notice is disfavored and should only be undertaken in consultation with the SAOP/CPO and counsel. Related controls: AP-1, AP-2, AR-1, AR-2, IP-1, IP-2, IP-3, UL-1, UL-2. |
The organization:
a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;
b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and
c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change. |
| CCI-003572 |
The organization describes the categories of those external entities with whom personally identifiable information (PII) is shared. |
The organization conducting the inspection/assessment obtains and examines the documented description to ensure the organization being inspected/assessed describes the categories of those external entities with whom PII is shared IAW DoD 5400.11-R and DoDI 5400.16 |
The organization being inspected/assessed describes and documents IAW DoD 5400.11-R and DoDI 5400.16 the categories of those external entities with whom PII is shared. |
Privacy Notice |
TR-1 |
TR-1.17 |
Effective notice, by virtue of its clarity, readability, and comprehensiveness, enables individuals to understand how an organization uses PII generally and, where appropriate, to make an informed decision prior to providing PII to an organization. Effective notice also demonstrates the privacy considerations that the organization has addressed in implementing its information practices. The organization may provide general public notice through a variety of means, as required by law or policy, including System of Records Notices (SORNs), Privacy Impact Assessments (PIAs), or in a website privacy policy. As required by the Privacy Act, the organization also provides direct notice to individuals via Privacy Act Statements on the paper and electronic forms it uses to collect PII, or on separate forms that can be retained by the individuals.
The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) is responsible for the content of the organization’s public notices, in consultation with legal counsel and relevant program managers. The public notice requirement in this control is satisfied by an organization’s compliance with the public notice provisions of the Privacy Act, the E-Government Act’s PIA requirement, with OMB guidance related to federal agency privacy notices, and, where applicable, with policy pertaining to participation in the Information Sharing Environment (ISE).124 Changing PII practice or policy without prior notice is disfavored and should only be undertaken in consultation with the SAOP/CPO and counsel. Related controls: AP-1, AP-2, AR-1, AR-2, IP-1, IP-2, IP-3, UL-1, UL-2. |
The organization:
a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;
b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and
c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change. |
| CCI-003573 |
The organization describes the purposes for sharing personally identifiable information (PII) with external entities. |
The organization conducting the inspection/assessment obtains and examines the documented description to ensure the organization being inspected/assessed describes the purposes for sharing PII with external entities IAW DoD 5400.11-R and DoDI 5400.16 |
The organization being inspected/assessed describes and documents IAW DoD 5400.11-R and DoDI 5400.16 the purposes for sharing PII with external entities. |
Privacy Notice |
TR-1 |
TR-1.18 |
Effective notice, by virtue of its clarity, readability, and comprehensiveness, enables individuals to understand how an organization uses PII generally and, where appropriate, to make an informed decision prior to providing PII to an organization. Effective notice also demonstrates the privacy considerations that the organization has addressed in implementing its information practices. The organization may provide general public notice through a variety of means, as required by law or policy, including System of Records Notices (SORNs), Privacy Impact Assessments (PIAs), or in a website privacy policy. As required by the Privacy Act, the organization also provides direct notice to individuals via Privacy Act Statements on the paper and electronic forms it uses to collect PII, or on separate forms that can be retained by the individuals.
The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) is responsible for the content of the organization’s public notices, in consultation with legal counsel and relevant program managers. The public notice requirement in this control is satisfied by an organization’s compliance with the public notice provisions of the Privacy Act, the E-Government Act’s PIA requirement, with OMB guidance related to federal agency privacy notices, and, where applicable, with policy pertaining to participation in the Information Sharing Environment (ISE).124 Changing PII practice or policy without prior notice is disfavored and should only be undertaken in consultation with the SAOP/CPO and counsel. Related controls: AP-1, AP-2, AR-1, AR-2, IP-1, IP-2, IP-3, UL-1, UL-2. |
The organization:
a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;
b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and
c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change. |
| CCI-003574 |
The organization describes whether individuals have the ability to consent to specific uses or sharing of personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the documented description to ensure the organization being inspected/assessed describes whether individuals have the ability to consent to specific uses or sharing of PII IAW DoD 5400.11-R and DoDI 5400.16 |
The organization being inspected/assessed describes and documents IAW DoD 5400.11-R and DoDI 5400.16 whether individuals have the ability to consent to specific uses or sharing of PII. |
Privacy Notice |
TR-1 |
TR-1.19 |
Effective notice, by virtue of its clarity, readability, and comprehensiveness, enables individuals to understand how an organization uses PII generally and, where appropriate, to make an informed decision prior to providing PII to an organization. Effective notice also demonstrates the privacy considerations that the organization has addressed in implementing its information practices. The organization may provide general public notice through a variety of means, as required by law or policy, including System of Records Notices (SORNs), Privacy Impact Assessments (PIAs), or in a website privacy policy. As required by the Privacy Act, the organization also provides direct notice to individuals via Privacy Act Statements on the paper and electronic forms it uses to collect PII, or on separate forms that can be retained by the individuals.
The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) is responsible for the content of the organization’s public notices, in consultation with legal counsel and relevant program managers. The public notice requirement in this control is satisfied by an organization’s compliance with the public notice provisions of the Privacy Act, the E-Government Act’s PIA requirement, with OMB guidance related to federal agency privacy notices, and, where applicable, with policy pertaining to participation in the Information Sharing Environment (ISE).124 Changing PII practice or policy without prior notice is disfavored and should only be undertaken in consultation with the SAOP/CPO and counsel. Related controls: AP-1, AP-2, AR-1, AR-2, IP-1, IP-2, IP-3, UL-1, UL-2. |
The organization:
a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;
b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and
c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change. |
| CCI-003575 |
The organization describes how individuals may exercise their consent regarding specific uses or sharing of personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the documented description to ensure the organization being inspected/assessed describes how individuals may exercise their consent regarding specific uses or sharing of PII IAW DoD 5400.11-R and DoDI 5400.16. |
The organization being inspected/assessed describes and documents IAW DoD 5400.11-R and DoDI 5400.16 how individuals may exercise their consent regarding specific uses or sharing of PII. |
Privacy Notice |
TR-1 |
TR-1.20 |
Effective notice, by virtue of its clarity, readability, and comprehensiveness, enables individuals to understand how an organization uses PII generally and, where appropriate, to make an informed decision prior to providing PII to an organization. Effective notice also demonstrates the privacy considerations that the organization has addressed in implementing its information practices. The organization may provide general public notice through a variety of means, as required by law or policy, including System of Records Notices (SORNs), Privacy Impact Assessments (PIAs), or in a website privacy policy. As required by the Privacy Act, the organization also provides direct notice to individuals via Privacy Act Statements on the paper and electronic forms it uses to collect PII, or on separate forms that can be retained by the individuals.
The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) is responsible for the content of the organization’s public notices, in consultation with legal counsel and relevant program managers. The public notice requirement in this control is satisfied by an organization’s compliance with the public notice provisions of the Privacy Act, the E-Government Act’s PIA requirement, with OMB guidance related to federal agency privacy notices, and, where applicable, with policy pertaining to participation in the Information Sharing Environment (ISE).124 Changing PII practice or policy without prior notice is disfavored and should only be undertaken in consultation with the SAOP/CPO and counsel. Related controls: AP-1, AP-2, AR-1, AR-2, IP-1, IP-2, IP-3, UL-1, UL-2. |
The organization:
a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;
b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and
c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change. |
| CCI-003576 |
The organization describes how individuals may obtain access to personally identifiable information (PII). |
The organization being inspected/assessed obtains and examines the documented description to ensure the organization being inspected/assessed describes how individuals may obtain access to PII IAW DoD 5400.11-R and DoDI 5400.16. |
The organization being inspected/assessed describes and documents IAW DoD 5400.11-R and DoDI 5400.16 how individuals may obtain access to PII. |
Privacy Notice |
TR-1 |
TR-1.21 |
Effective notice, by virtue of its clarity, readability, and comprehensiveness, enables individuals to understand how an organization uses PII generally and, where appropriate, to make an informed decision prior to providing PII to an organization. Effective notice also demonstrates the privacy considerations that the organization has addressed in implementing its information practices. The organization may provide general public notice through a variety of means, as required by law or policy, including System of Records Notices (SORNs), Privacy Impact Assessments (PIAs), or in a website privacy policy. As required by the Privacy Act, the organization also provides direct notice to individuals via Privacy Act Statements on the paper and electronic forms it uses to collect PII, or on separate forms that can be retained by the individuals.
The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) is responsible for the content of the organization’s public notices, in consultation with legal counsel and relevant program managers. The public notice requirement in this control is satisfied by an organization’s compliance with the public notice provisions of the Privacy Act, the E-Government Act’s PIA requirement, with OMB guidance related to federal agency privacy notices, and, where applicable, with policy pertaining to participation in the Information Sharing Environment (ISE).124 Changing PII practice or policy without prior notice is disfavored and should only be undertaken in consultation with the SAOP/CPO and counsel. Related controls: AP-1, AP-2, AR-1, AR-2, IP-1, IP-2, IP-3, UL-1, UL-2. |
The organization:
a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;
b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and
c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change. |
| CCI-003577 |
The organization describes how the personally identifiable information (PII) will be protected. |
The organization conducting the inspection/assessment obtains and examines the documented description to ensure the organization being inspected/assessed describes how the PII will be protected IAW DoD 5400.11-R and DoDI 5400.16. |
The organization being inspected/assessed describes and documents IAW DoD 5400.11-R and DoDI 5400.16 how the PII will be protected. |
Privacy Notice |
TR-1 |
TR-1.22 |
Effective notice, by virtue of its clarity, readability, and comprehensiveness, enables individuals to understand how an organization uses PII generally and, where appropriate, to make an informed decision prior to providing PII to an organization. Effective notice also demonstrates the privacy considerations that the organization has addressed in implementing its information practices. The organization may provide general public notice through a variety of means, as required by law or policy, including System of Records Notices (SORNs), Privacy Impact Assessments (PIAs), or in a website privacy policy. As required by the Privacy Act, the organization also provides direct notice to individuals via Privacy Act Statements on the paper and electronic forms it uses to collect PII, or on separate forms that can be retained by the individuals.
The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) is responsible for the content of the organization’s public notices, in consultation with legal counsel and relevant program managers. The public notice requirement in this control is satisfied by an organization’s compliance with the public notice provisions of the Privacy Act, the E-Government Act’s PIA requirement, with OMB guidance related to federal agency privacy notices, and, where applicable, with policy pertaining to participation in the Information Sharing Environment (ISE).124 Changing PII practice or policy without prior notice is disfavored and should only be undertaken in consultation with the SAOP/CPO and counsel. Related controls: AP-1, AP-2, AR-1, AR-2, IP-1, IP-2, IP-3, UL-1, UL-2. |
The organization:
a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;
b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and
c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change. |
| CCI-003578 |
The organization revises its public notices to reflect changes in practice or policy that affect personally identifiable information (PII), before or as soon as practicable after the change. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of revisions to ensure the organization being inspected/assessed revises its public notices, IAW DoD 5400.11-R and DoDI 5400.16, to reflect changes in practice or policy that affect PII, before or as soon as practicable after the change. |
The organization being inspected/assessed documents and implements a process IAW DoD 5400.11-R and DoDI 5400.16 to revise its public notices to reflect changes in practice or policy that affect PII, before or as soon as practicable after the change.
The organization must maintain an audit trail of revisions. |
Privacy Notice |
TR-1 |
TR-1.23 |
Effective notice, by virtue of its clarity, readability, and comprehensiveness, enables individuals to understand how an organization uses PII generally and, where appropriate, to make an informed decision prior to providing PII to an organization. Effective notice also demonstrates the privacy considerations that the organization has addressed in implementing its information practices. The organization may provide general public notice through a variety of means, as required by law or policy, including System of Records Notices (SORNs), Privacy Impact Assessments (PIAs), or in a website privacy policy. As required by the Privacy Act, the organization also provides direct notice to individuals via Privacy Act Statements on the paper and electronic forms it uses to collect PII, or on separate forms that can be retained by the individuals.
The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) is responsible for the content of the organization’s public notices, in consultation with legal counsel and relevant program managers. The public notice requirement in this control is satisfied by an organization’s compliance with the public notice provisions of the Privacy Act, the E-Government Act’s PIA requirement, with OMB guidance related to federal agency privacy notices, and, where applicable, with policy pertaining to participation in the Information Sharing Environment (ISE).124 Changing PII practice or policy without prior notice is disfavored and should only be undertaken in consultation with the SAOP/CPO and counsel. Related controls: AP-1, AP-2, AR-1, AR-2, IP-1, IP-2, IP-3, UL-1, UL-2. |
The organization:
a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;
b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and
c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change. |
| CCI-003579 |
The organization revises its public notices to reflect changes in practice or policy that impact privacy, before or as soon as practicable after the change. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of revisions to ensure the organization being inspected/assessed revises its public notices IAW DoD 5400.11-R and DoDI 5400.16 to reflect changes in practice or policy that impact privacy, before or as soon as practicable after the change. |
The organization being inspected/assessed documents and implements a process IAW DoD 5400.11-R and DoDI 5400.16 to revise its public notices to reflect changes in practice or policy that impact privacy, before or as soon as practicable after the change.
The organization must maintain an audit trail of revisions. |
Privacy Notice |
TR-1 |
TR-1.24 |
Effective notice, by virtue of its clarity, readability, and comprehensiveness, enables individuals to understand how an organization uses PII generally and, where appropriate, to make an informed decision prior to providing PII to an organization. Effective notice also demonstrates the privacy considerations that the organization has addressed in implementing its information practices. The organization may provide general public notice through a variety of means, as required by law or policy, including System of Records Notices (SORNs), Privacy Impact Assessments (PIAs), or in a website privacy policy. As required by the Privacy Act, the organization also provides direct notice to individuals via Privacy Act Statements on the paper and electronic forms it uses to collect PII, or on separate forms that can be retained by the individuals.
The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) is responsible for the content of the organization’s public notices, in consultation with legal counsel and relevant program managers. The public notice requirement in this control is satisfied by an organization’s compliance with the public notice provisions of the Privacy Act, the E-Government Act’s PIA requirement, with OMB guidance related to federal agency privacy notices, and, where applicable, with policy pertaining to participation in the Information Sharing Environment (ISE).124 Changing PII practice or policy without prior notice is disfavored and should only be undertaken in consultation with the SAOP/CPO and counsel. Related controls: AP-1, AP-2, AR-1, AR-2, IP-1, IP-2, IP-3, UL-1, UL-2. |
The organization:
a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;
b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and
c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change. |
| CCI-003580 |
The organization provides real-time notice and/or layered notice when it collects personally identifiable information (PII). |
|
|
|
|
|
|
|
| CCI-003581 |
The organization publishes System of Records Notices (SORNs) in the Federal Register, subject to required oversight processes, for systems containing personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed publishes IAW DoDD 5400.11 and DoD 5400.11-R System of Records Notices (SORNs) in the Federal Register, subject to required oversight processes, for systems containing PII. |
The organization being inspected/assessed documents and implements a process IAW DoDD 5400.11 and DoD 5400.11-R to publish System of Records Notices (SORNs) in the Federal Register, subject to required oversight processes, for systems containing PII. |
System Of Records Notices And Privacy Act Statements |
TR-2 |
TR-2.1 |
Organizations issue SORNs to provide the public notice regarding PII collected in a system of records, which the Privacy Act defines as “a group of any records under the control of any agency from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifier.” SORNs explain how the information is used, retained, and may be corrected, and whether certain portions of the system are subject to Privacy Act exemptions for law enforcement or national security reasons. Privacy Act Statements provide notice of: (i) the authority of organizations to collect PII; (ii) whether providing PII is mandatory or optional; (iii) the principal purpose(s) for which the PII is to be used; (iv) the intended disclosures (routine uses) of the information; and (v) the consequences of not providing all or some portion of the information requested. When information is collected verbally, organizations read a Privacy Act Statement prior to initiating the collection of PII (for example, when conducting telephone interviews or surveys). Related control: DI-2. |
The organization:
a. Publishes System of Records Notices (SORNs) in the Federal Register, subject to required oversight processes, for systems containing personally identifiable information (PII);
b. Keeps SORNs current; and
c. Includes Privacy Act Statements on its forms that collect PII, or on separate forms that can be retained by individuals, to provide additional formal notice to individuals from whom the information is being collected. |
| CCI-003582 |
The organization keeps System of Records Notices (SORNs) current. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed keeps System of Records Notices (SORNs) current IAW DoDD 5400.11 and DoD 5400.11-R by reviewing the SORNs every two years and updating as necessary. |
The organization being inspected/assessed documents and implements a process IAW DoDD 5400.11 and DoD 5400.11-R to review System of Records Notices (SORNs) every two years and to updated as necessary to keep current. |
System Of Records Notices And Privacy Act Statements |
TR-2 |
TR-2.2 |
Organizations issue SORNs to provide the public notice regarding PII collected in a system of records, which the Privacy Act defines as “a group of any records under the control of any agency from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifier.” SORNs explain how the information is used, retained, and may be corrected, and whether certain portions of the system are subject to Privacy Act exemptions for law enforcement or national security reasons. Privacy Act Statements provide notice of: (i) the authority of organizations to collect PII; (ii) whether providing PII is mandatory or optional; (iii) the principal purpose(s) for which the PII is to be used; (iv) the intended disclosures (routine uses) of the information; and (v) the consequences of not providing all or some portion of the information requested. When information is collected verbally, organizations read a Privacy Act Statement prior to initiating the collection of PII (for example, when conducting telephone interviews or surveys). Related control: DI-2. |
The organization:
a. Publishes System of Records Notices (SORNs) in the Federal Register, subject to required oversight processes, for systems containing personally identifiable information (PII);
b. Keeps SORNs current; and
c. Includes Privacy Act Statements on its forms that collect PII, or on separate forms that can be retained by individuals, to provide additional formal notice to individuals from whom the information is being collected. |
| CCI-003583 |
The organization includes Privacy Act Statements on its forms that collect personally identifiable information (PII), or on separate forms that can be retained by individuals, to provide additional formal notice to individuals from whom the information is being collected. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed, IAW DoDD 5400.11 and DoD 5400.11-R, includes Privacy Act Statements on its forms that collect PII, or on separate forms that can be retained by individuals, to provide additional formal notice to individuals from whom the information is being collected. |
The organization being inspected/assesse documents and implements a process IAW DoDD 5400.11 and DoD 5400.11-R to include Privacy Act Statements on its forms that collect PII, or on separate forms that can be retained by individuals, to provide additional formal notice to individuals from whom the information is being collected. |
System Of Records Notices And Privacy Act Statements |
TR-2 |
TR-2.3 |
Organizations issue SORNs to provide the public notice regarding PII collected in a system of records, which the Privacy Act defines as “a group of any records under the control of any agency from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifier.” SORNs explain how the information is used, retained, and may be corrected, and whether certain portions of the system are subject to Privacy Act exemptions for law enforcement or national security reasons. Privacy Act Statements provide notice of: (i) the authority of organizations to collect PII; (ii) whether providing PII is mandatory or optional; (iii) the principal purpose(s) for which the PII is to be used; (iv) the intended disclosures (routine uses) of the information; and (v) the consequences of not providing all or some portion of the information requested. When information is collected verbally, organizations read a Privacy Act Statement prior to initiating the collection of PII (for example, when conducting telephone interviews or surveys). Related control: DI-2. |
The organization:
a. Publishes System of Records Notices (SORNs) in the Federal Register, subject to required oversight processes, for systems containing personally identifiable information (PII);
b. Keeps SORNs current; and
c. Includes Privacy Act Statements on its forms that collect PII, or on separate forms that can be retained by individuals, to provide additional formal notice to individuals from whom the information is being collected. |
| CCI-003584 |
The organization publishes System of Records Notices (SORNs) on its public website. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed publishes their Component level System of Records Notices (SORNs) on its public websites IAW DoDD 5400.11 and DoD 5400.11-R. |
The organization being inspected/assessed documents and implements a process IAW DoDD 5400.11 and DoD 5400.11-R to publish their Component level System of Records Notices (SORNs) on its public website. |
System Of Records Notices And Privacy Act Statements | Public Website Publication |
TR-2 (1) |
TR-2(1).1 |
|
The organization publishes SORNs on its public website. |
| CCI-003585 |
The organization ensures the public has access to information about its privacy activities. |
DoDD 5400.11, DoD 5400.11-R, DoDI 5400.16, publication of both Privacy Impact Assessments and System of Records Notices, as well as, if published, Service or DoD Component level privacy regulations, meet this control's to make publicly accessible information about the organizations' privacy activities.
The organization conducting the inspection/assessment obtains and examines the published Service or Component level privacy regulations to ensure the organization being inspected/assessed, has made those regulations public. |
DoDD 5400.11, DoD 5400.11-R, DoDI 5400.16, publication of both Privacy Impact Assessments and System of Records Notices, as well as, if published, Service or DoD Component level privacy regulations, meet this control's requirement to make public information about the organizations' privacy activities.
The organization being inspected/assessed documents any Service or Component level privacy regulations it has published. |
Dissemination Of Privacy Program Information |
TR-3 |
TR-3.1 |
Organizations employ different mechanisms for informing the public about their privacy practices including, but not limited to, Privacy Impact Assessments (PIAs), System of Records Notices (SORNs), privacy reports, publicly available web pages, email distributions, blogs, and periodic publications (e.g., quarterly newsletters). Organizations also employ publicly facing email addresses and/or phone lines that enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices. Related control: AR-6. |
The organization:
a. Ensures that the public has access to information about its privacy activities and is able to communicate with its Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO); and
b. Ensures that its privacy practices are publicly available through organizational websites or otherwise. |
| CCI-003586 |
The organization ensures the public is able to communicate with its Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO). |
The organization conducting the inspection/assessment obtains and examines the documented web site to ensure the organization being inspected/assessed, has provided a phone number and e-mail address that permits the public to communicate with its Chief Privacy Officer. |
If the DoD Component has identified a Chief Privacy Officer, the DoD Component shall provide a phone number and e-mail address on its web site to enable the public to communicate with its Chief Privacy Officer. If the DoD Component is serviced by another DoD Component's Chief Privacy Officer, the DoD Component will provide a phone number and e-mail address for that Officer.
The organization being inspected/assessed documents the web site on which it has published a phone number and e-mail address on its web site to enable the public to communicate with its Chief Privacy Officer. |
Dissemination Of Privacy Program Information |
TR-3 |
TR-3.2 |
Organizations employ different mechanisms for informing the public about their privacy practices including, but not limited to, Privacy Impact Assessments (PIAs), System of Records Notices (SORNs), privacy reports, publicly available web pages, email distributions, blogs, and periodic publications (e.g., quarterly newsletters). Organizations also employ publicly facing email addresses and/or phone lines that enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices. Related control: AR-6. |
The organization:
a. Ensures that the public has access to information about its privacy activities and is able to communicate with its Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO); and
b. Ensures that its privacy practices are publicly available through organizational websites or otherwise. |
| CCI-003587 |
The organization ensures its privacy practices are publicly available through organizational websites or otherwise. |
If the DoD Component has a Component level Privacy regulation, the DoD Component shall provide public access to that regulation on the Component's web site.
The organization conducting the inspection/assessment obtains and examines the documented web site to ensure the organization being inspected/assessed, has provided public access to the Component level privacy regulation. |
If the DoD Component has a Component level Privacy regulation, the DoD Component shall provide public access to that regulation on the Component's web site.
The organization being inspected/assessed documents the web site on which it has published its Component level privacy regulation. |
Dissemination Of Privacy Program Information |
TR-3 |
TR-3.3 |
Organizations employ different mechanisms for informing the public about their privacy practices including, but not limited to, Privacy Impact Assessments (PIAs), System of Records Notices (SORNs), privacy reports, publicly available web pages, email distributions, blogs, and periodic publications (e.g., quarterly newsletters). Organizations also employ publicly facing email addresses and/or phone lines that enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices. Related control: AR-6. |
The organization:
a. Ensures that the public has access to information about its privacy activities and is able to communicate with its Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO); and
b. Ensures that its privacy practices are publicly available through organizational websites or otherwise. |
| CCI-003588 |
The organization uses personally identifiable information (PII) internally only for the authorized purpose(s) identified in the Privacy Act and/or in public notices. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed uses personally identifiable information (PII) internally only for the authorized purpose(s) identified in the Privacy Act and/or in public notices. |
The organization being inspected/assessed documents and implements a process to use personally identifiable information (PII) internally only for the authorized purpose(s) identified in the Privacy Act and/or in public notices. |
Internal Use |
UL-1 |
UL-1.1 |
Organizations take steps to ensure that they use PII only for legally authorized purposes and in a manner compatible with uses identified in the Privacy Act and/or in public notices. These steps include monitoring and auditing organizational use of PII and training organizational personnel on the authorized uses of PII. With guidance from the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) and where appropriate, legal counsel, organizations document processes and procedures for evaluating any proposed new uses of PII to assess whether they fall within the scope of the organizational authorities. Where appropriate, organizations obtain consent from individuals for the new use(s) of PII. Related controls: AP-2, AR-2, AR-3, AR-4, AR-5, IP-1, TR-1, TR-2. |
The organization uses personally identifiable information (PII) internally only for the authorized purpose(s) identified in the Privacy Act and/or in public notices. |
| CCI-003589 |
The organization shares personally identifiable information (PII) externally, only for the authorized purposes identified in the Privacy Act and/or described in its notice(s) or for a purpose that is compatible with those purposes. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed shares IAW DoD 5400.11, PII externally, only for the authorized purposes or for a purpose that is compatible with those purposes. Planned use of PII must be identified and documented as an authorized purposes in the corresponding SORN, PIA, security plan, or other system-specific document. |
The organization being inspected/assessed documents and implements a process to share IAW DoDD 5400.11 and DoD 5400.11-R, PII externally, only for the authorized purposes or for a purpose that is compatible with those purposes. Planned use of PII must be identified and documented as an authorized purposes in the corresponding SORN, PIA, security plan, or other system-specific document. |
Information Sharing With Third Parties |
UL-2 |
UL-2.1 |
Privacy Officer (CPO) and, where appropriate, legal counsel review and approve any proposed external sharing of PII, including with other public, international, or private sector entities, for consistency with uses described in the existing organizational public notice(s). When a proposed new instance of external sharing of PII is not currently authorized by the Privacy Act and/or specified in a notice, organizations evaluate whether the proposed external sharing is compatible with the purpose(s) specified in the notice. If the proposed sharing is compatible, organizations review, update, and republish their Privacy Impact Assessments (PIAs), System of Records Notices (SORNs), website privacy policies, and other public notices, if any, to include specific descriptions of the new uses(s) and obtain consent where appropriate and feasible. Information-sharing agreements also include security protections consistent with the sensitivity of the information being shared. Related controls: AR-3, AR-4, AR-5, AR-8, AP-2, DI-1, DI-2, IP-1, TR-1. |
The organization:
a. Shares personally identifiable information (PII) externally, only for the authorized purposes identified in the Privacy Act and/or described in its notice(s) or for a purpose that is compatible with those purposes;
b. Where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically describe the PII covered and specifically enumerate the purposes for which the PII may be used;
c. Monitors, audits, and trains its staff on the authorized sharing of PII with third parties and on the consequences of unauthorized use or sharing of PII; and
d. Evaluates any proposed new instances of sharing PII with third parties to assess whether the sharing is authorized and whether additional or new public notice is required. |
| CCI-003590 |
The organization, where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically describe the personally identifiable information (PII) covered. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed, IAW DoDD 5400.11 and DoD 5400.11-R, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, where appropriate, with third parties that specifically describe the PII covered. |
The organization being inspected/assessed documents and implements a process IAW DoDD 5400.11 and DoD 5400.11-R to enter into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, where appropriate, with third parties that specifically describe the PII covered. |
Information Sharing With Third Parties |
UL-2 |
UL-2.2 |
Privacy Officer (CPO) and, where appropriate, legal counsel review and approve any proposed external sharing of PII, including with other public, international, or private sector entities, for consistency with uses described in the existing organizational public notice(s). When a proposed new instance of external sharing of PII is not currently authorized by the Privacy Act and/or specified in a notice, organizations evaluate whether the proposed external sharing is compatible with the purpose(s) specified in the notice. If the proposed sharing is compatible, organizations review, update, and republish their Privacy Impact Assessments (PIAs), System of Records Notices (SORNs), website privacy policies, and other public notices, if any, to include specific descriptions of the new uses(s) and obtain consent where appropriate and feasible. Information-sharing agreements also include security protections consistent with the sensitivity of the information being shared. Related controls: AR-3, AR-4, AR-5, AR-8, AP-2, DI-1, DI-2, IP-1, TR-1. |
The organization:
a. Shares personally identifiable information (PII) externally, only for the authorized purposes identified in the Privacy Act and/or described in its notice(s) or for a purpose that is compatible with those purposes;
b. Where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically describe the PII covered and specifically enumerate the purposes for which the PII may be used;
c. Monitors, audits, and trains its staff on the authorized sharing of PII with third parties and on the consequences of unauthorized use or sharing of PII; and
d. Evaluates any proposed new instances of sharing PII with third parties to assess whether the sharing is authorized and whether additional or new public notice is required. |
| CCI-003591 |
The organization, where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically enumerate the purposes for which the personally identifiable information (PII) may be used. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed, IAW DoDD 5400.11 and DoD 5400.11-R, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, where appropriate, with third parties that specifically enumerate the purposes for which the PII may be used. |
The organization being inspected/assessed documents and implements a process IAW DoDD 5400.11 and DoD 5400.11-R to enter into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, where appropriate, with third parties that specifically enumerate the purposes for which the PII may be used. |
Information Sharing With Third Parties |
UL-2 |
UL-2.3 |
Privacy Officer (CPO) and, where appropriate, legal counsel review and approve any proposed external sharing of PII, including with other public, international, or private sector entities, for consistency with uses described in the existing organizational public notice(s). When a proposed new instance of external sharing of PII is not currently authorized by the Privacy Act and/or specified in a notice, organizations evaluate whether the proposed external sharing is compatible with the purpose(s) specified in the notice. If the proposed sharing is compatible, organizations review, update, and republish their Privacy Impact Assessments (PIAs), System of Records Notices (SORNs), website privacy policies, and other public notices, if any, to include specific descriptions of the new uses(s) and obtain consent where appropriate and feasible. Information-sharing agreements also include security protections consistent with the sensitivity of the information being shared. Related controls: AR-3, AR-4, AR-5, AR-8, AP-2, DI-1, DI-2, IP-1, TR-1. |
The organization:
a. Shares personally identifiable information (PII) externally, only for the authorized purposes identified in the Privacy Act and/or described in its notice(s) or for a purpose that is compatible with those purposes;
b. Where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically describe the PII covered and specifically enumerate the purposes for which the PII may be used;
c. Monitors, audits, and trains its staff on the authorized sharing of PII with third parties and on the consequences of unauthorized use or sharing of PII; and
d. Evaluates any proposed new instances of sharing PII with third parties to assess whether the sharing is authorized and whether additional or new public notice is required. |
| CCI-003592 |
The organization monitors its staff on the authorized sharing of personally identifiable information (PII) with third parties. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of monitoring to ensure the organization being inspected/assessed monitors its staff, IAW DoDD 5400.11 and DoD 5400.11-R, on the authorized sharing of PII with third parties. |
The organization being inspected/assessed documents and implements a process IAW DoDD 5400.11 and DoD 5400.11-R to monitor its staff on the authorized sharing of PII with third parties.
The organization must maintain an audit trail of monitoring. |
Information Sharing With Third Parties |
UL-2 |
UL-2.4 |
Privacy Officer (CPO) and, where appropriate, legal counsel review and approve any proposed external sharing of PII, including with other public, international, or private sector entities, for consistency with uses described in the existing organizational public notice(s). When a proposed new instance of external sharing of PII is not currently authorized by the Privacy Act and/or specified in a notice, organizations evaluate whether the proposed external sharing is compatible with the purpose(s) specified in the notice. If the proposed sharing is compatible, organizations review, update, and republish their Privacy Impact Assessments (PIAs), System of Records Notices (SORNs), website privacy policies, and other public notices, if any, to include specific descriptions of the new uses(s) and obtain consent where appropriate and feasible. Information-sharing agreements also include security protections consistent with the sensitivity of the information being shared. Related controls: AR-3, AR-4, AR-5, AR-8, AP-2, DI-1, DI-2, IP-1, TR-1. |
The organization:
a. Shares personally identifiable information (PII) externally, only for the authorized purposes identified in the Privacy Act and/or described in its notice(s) or for a purpose that is compatible with those purposes;
b. Where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically describe the PII covered and specifically enumerate the purposes for which the PII may be used;
c. Monitors, audits, and trains its staff on the authorized sharing of PII with third parties and on the consequences of unauthorized use or sharing of PII; and
d. Evaluates any proposed new instances of sharing PII with third parties to assess whether the sharing is authorized and whether additional or new public notice is required. |
| CCI-003593 |
The organization audits its staff on the authorized sharing of personally identifiable information (PII) with third parties. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the records of audits to ensure the organization being inspected/assessed audits its staff, IAW DoDD 5400.11 and DoD 5400.11-R, on the authorized sharing of PII with third parties. |
The organization being inspected/assessed documents and implements a process IAW DoDD 5400.11 and DoD 5400.11-R, to audit its staff on the authorized sharing of PII with third parties.
The organization must maintain records of audits. |
Information Sharing With Third Parties |
UL-2 |
UL-2.5 |
Privacy Officer (CPO) and, where appropriate, legal counsel review and approve any proposed external sharing of PII, including with other public, international, or private sector entities, for consistency with uses described in the existing organizational public notice(s). When a proposed new instance of external sharing of PII is not currently authorized by the Privacy Act and/or specified in a notice, organizations evaluate whether the proposed external sharing is compatible with the purpose(s) specified in the notice. If the proposed sharing is compatible, organizations review, update, and republish their Privacy Impact Assessments (PIAs), System of Records Notices (SORNs), website privacy policies, and other public notices, if any, to include specific descriptions of the new uses(s) and obtain consent where appropriate and feasible. Information-sharing agreements also include security protections consistent with the sensitivity of the information being shared. Related controls: AR-3, AR-4, AR-5, AR-8, AP-2, DI-1, DI-2, IP-1, TR-1. |
The organization:
a. Shares personally identifiable information (PII) externally, only for the authorized purposes identified in the Privacy Act and/or described in its notice(s) or for a purpose that is compatible with those purposes;
b. Where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically describe the PII covered and specifically enumerate the purposes for which the PII may be used;
c. Monitors, audits, and trains its staff on the authorized sharing of PII with third parties and on the consequences of unauthorized use or sharing of PII; and
d. Evaluates any proposed new instances of sharing PII with third parties to assess whether the sharing is authorized and whether additional or new public notice is required. |
| CCI-003594 |
The organization trains its staff on the authorized sharing of personally identifiable information (PII) with third parties. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed trains its staff, IAW DoDD 5400.11 and DoD 5400.11-R, on the authorized sharing of PII with third parties. |
The organization being inspected/assessed documents and implements a process IAW DoDD 5400.11 and DoD 5400.11-R to train its staff on the authorized sharing of PII with third parties. |
Information Sharing With Third Parties |
UL-2 |
UL-2.6 |
Privacy Officer (CPO) and, where appropriate, legal counsel review and approve any proposed external sharing of PII, including with other public, international, or private sector entities, for consistency with uses described in the existing organizational public notice(s). When a proposed new instance of external sharing of PII is not currently authorized by the Privacy Act and/or specified in a notice, organizations evaluate whether the proposed external sharing is compatible with the purpose(s) specified in the notice. If the proposed sharing is compatible, organizations review, update, and republish their Privacy Impact Assessments (PIAs), System of Records Notices (SORNs), website privacy policies, and other public notices, if any, to include specific descriptions of the new uses(s) and obtain consent where appropriate and feasible. Information-sharing agreements also include security protections consistent with the sensitivity of the information being shared. Related controls: AR-3, AR-4, AR-5, AR-8, AP-2, DI-1, DI-2, IP-1, TR-1. |
The organization:
a. Shares personally identifiable information (PII) externally, only for the authorized purposes identified in the Privacy Act and/or described in its notice(s) or for a purpose that is compatible with those purposes;
b. Where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically describe the PII covered and specifically enumerate the purposes for which the PII may be used;
c. Monitors, audits, and trains its staff on the authorized sharing of PII with third parties and on the consequences of unauthorized use or sharing of PII; and
d. Evaluates any proposed new instances of sharing PII with third parties to assess whether the sharing is authorized and whether additional or new public notice is required. |
| CCI-003595 |
The organization trains its staff on the consequences of unauthorized use or sharing of personally identifiable information (PII). |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed trains its staff, IAW DoDD 5400.11 and DoD 5400.11-R, on the consequences of unauthorized use or sharing of PII. |
The organization being inspected/assessed documents and implements a process IAW DoDD 5400.11 and DoD 5400.11-R to train its staff on the consequences of unauthorized use or sharing of PII. |
Information Sharing With Third Parties |
UL-2 |
UL-2.7 |
Privacy Officer (CPO) and, where appropriate, legal counsel review and approve any proposed external sharing of PII, including with other public, international, or private sector entities, for consistency with uses described in the existing organizational public notice(s). When a proposed new instance of external sharing of PII is not currently authorized by the Privacy Act and/or specified in a notice, organizations evaluate whether the proposed external sharing is compatible with the purpose(s) specified in the notice. If the proposed sharing is compatible, organizations review, update, and republish their Privacy Impact Assessments (PIAs), System of Records Notices (SORNs), website privacy policies, and other public notices, if any, to include specific descriptions of the new uses(s) and obtain consent where appropriate and feasible. Information-sharing agreements also include security protections consistent with the sensitivity of the information being shared. Related controls: AR-3, AR-4, AR-5, AR-8, AP-2, DI-1, DI-2, IP-1, TR-1. |
The organization:
a. Shares personally identifiable information (PII) externally, only for the authorized purposes identified in the Privacy Act and/or described in its notice(s) or for a purpose that is compatible with those purposes;
b. Where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically describe the PII covered and specifically enumerate the purposes for which the PII may be used;
c. Monitors, audits, and trains its staff on the authorized sharing of PII with third parties and on the consequences of unauthorized use or sharing of PII; and
d. Evaluates any proposed new instances of sharing PII with third parties to assess whether the sharing is authorized and whether additional or new public notice is required. |
| CCI-003596 |
The organization evaluates any proposed new instances of sharing personally identifiable information (PII) with third parties to assess whether the sharing is authorized. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed evaluates IAW DoDD 5400.11 and DoD 5400.11-R any proposed new instances of sharing PII with third parties to assess whether the sharing is authorized. |
The organization being inspected/assessed documents and implements a process IAW DoDD 5400.11 and DoD 5400.11-R to evaluate any proposed new instances of sharing PII with third parties to assess whether the sharing is authorized. |
Information Sharing With Third Parties |
UL-2 |
UL-2.8 |
Privacy Officer (CPO) and, where appropriate, legal counsel review and approve any proposed external sharing of PII, including with other public, international, or private sector entities, for consistency with uses described in the existing organizational public notice(s). When a proposed new instance of external sharing of PII is not currently authorized by the Privacy Act and/or specified in a notice, organizations evaluate whether the proposed external sharing is compatible with the purpose(s) specified in the notice. If the proposed sharing is compatible, organizations review, update, and republish their Privacy Impact Assessments (PIAs), System of Records Notices (SORNs), website privacy policies, and other public notices, if any, to include specific descriptions of the new uses(s) and obtain consent where appropriate and feasible. Information-sharing agreements also include security protections consistent with the sensitivity of the information being shared. Related controls: AR-3, AR-4, AR-5, AR-8, AP-2, DI-1, DI-2, IP-1, TR-1. |
The organization:
a. Shares personally identifiable information (PII) externally, only for the authorized purposes identified in the Privacy Act and/or described in its notice(s) or for a purpose that is compatible with those purposes;
b. Where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically describe the PII covered and specifically enumerate the purposes for which the PII may be used;
c. Monitors, audits, and trains its staff on the authorized sharing of PII with third parties and on the consequences of unauthorized use or sharing of PII; and
d. Evaluates any proposed new instances of sharing PII with third parties to assess whether the sharing is authorized and whether additional or new public notice is required. |
| CCI-003597 |
The organization evaluates any proposed new instances of sharing personally identifiable information (PII) with third parties to assess whether additional or new public notice is required. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed evaluates IAW DoDD 5400.11 and DoD 5400.11-R any proposed new instances of sharing PII with third parties to assess whether additional or new public notice is required. |
The organization being inspected/assessed documents and implements a process IAW DoDD 5400.11 and DoD 5400.11-R to evaluate any proposed new instances of sharing PII with third parties to assess whether additional or new public notice is required. |
Information Sharing With Third Parties |
UL-2 |
UL-2.9 |
Privacy Officer (CPO) and, where appropriate, legal counsel review and approve any proposed external sharing of PII, including with other public, international, or private sector entities, for consistency with uses described in the existing organizational public notice(s). When a proposed new instance of external sharing of PII is not currently authorized by the Privacy Act and/or specified in a notice, organizations evaluate whether the proposed external sharing is compatible with the purpose(s) specified in the notice. If the proposed sharing is compatible, organizations review, update, and republish their Privacy Impact Assessments (PIAs), System of Records Notices (SORNs), website privacy policies, and other public notices, if any, to include specific descriptions of the new uses(s) and obtain consent where appropriate and feasible. Information-sharing agreements also include security protections consistent with the sensitivity of the information being shared. Related controls: AR-3, AR-4, AR-5, AR-8, AP-2, DI-1, DI-2, IP-1, TR-1. |
The organization:
a. Shares personally identifiable information (PII) externally, only for the authorized purposes identified in the Privacy Act and/or described in its notice(s) or for a purpose that is compatible with those purposes;
b. Where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically describe the PII covered and specifically enumerate the purposes for which the PII may be used;
c. Monitors, audits, and trains its staff on the authorized sharing of PII with third parties and on the consequences of unauthorized use or sharing of PII; and
d. Evaluates any proposed new instances of sharing PII with third parties to assess whether the sharing is authorized and whether additional or new public notice is required. |
| CCI-002254 |
The organization defines the conditions or trigger events requiring session disconnect to be employed by the information system when automatically terminating a user session. |
|
|
|
|
|
|
|
| CCI-002360 |
The organization defines the conditions or trigger events requiring session disconnect to be employed by the information system when automatically terminating a user session. |
The organization conducting the inspection/assessment obtains and examines the documented conditions or trigger events to ensure the organization being inspected/assessed defines the conditions or trigger events requiring session disconnect to be employed by the information system when automatically terminating a user session.
DoD has determined the conditions or trigger events are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the conditions or trigger events requiring session disconnect to be employed by the information system when automatically terminating a user session.
DoD has determined the conditions or trigger events are not appropriate to define at the Enterprise level. |
Session Termination |
AC-12 |
AC-12.1 |
This control addresses the termination of user-initiated logical sessions in contrast to SC-10 which addresses the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, time-of-day restrictions on information system use. Related controls: SC-10, SC-23. |
The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]. |
| CCI-002361 |
The information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to automatically terminate a user session after conditions or trigger events requiring session disconnect, as defined in AC-12, CCI 2360.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2361. |
The organization being inspected/assessed configures the information system to automatically terminate a user session after conditions or trigger events requiring session disconnect, as defined in AC-12, CCI 2360.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2361. |
Session Termination |
AC-12 |
AC-12.2 |
This control addresses the termination of user-initiated logical sessions in contrast to SC-10 which addresses the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, time-of-day restrictions on information system use. Related controls: SC-10, SC-23. |
The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]. |
| CCI-002362 |
The organization defines the resources requiring information system authentication in order to gain access. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the resources as all. |
DoD has defined the resources as all. |
Session Termination | User-Initiated Logouts/ Message Displays |
AC-12 (1) |
AC-12(1).1 |
Information resources to which users gain access via authentication include, for example, local workstations, databases, and password-protected websites/web-based services. Logout messages for web page access, for example, can be displayed after authenticated sessions have been terminated. However, for some types of interactive sessions including, for example, file transfer protocol (FTP) sessions, information systems typically send logout messages as final messages prior to terminating sessions. |
The information system:
(a) Provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources]; and
(b) Displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions. |
| CCI-002363 |
The information system provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to organization-defined information resources. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to all information resources.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2363.
DoD has defined the resources as all. |
The organization being inspected/assessed configures the information system to provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to all information resources.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2363.
DoD has defined the resources as all. |
Session Termination | User-Initiated Logouts/ Message Displays |
AC-12 (1) |
AC-12(1).2 |
Information resources to which users gain access via authentication include, for example, local workstations, databases, and password-protected websites/web-based services. Logout messages for web page access, for example, can be displayed after authenticated sessions have been terminated. However, for some types of interactive sessions including, for example, file transfer protocol (FTP) sessions, information systems typically send logout messages as final messages prior to terminating sessions. |
The information system:
(a) Provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources]; and
(b) Displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions. |
| CCI-002364 |
The information system displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to display an explicit logout message to users indicating the reliable termination of authenticated communications sessions.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2364. |
The organization being inspected/assessed configures the information system to display an explicit logout message to users indicating the reliable termination of authenticated communications sessions.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2364. |
Session Termination | User-Initiated Logouts/ Message Displays |
AC-12 (1) |
AC-12(1).3 |
Information resources to which users gain access via authentication include, for example, local workstations, databases, and password-protected websites/web-based services. Logout messages for web page access, for example, can be displayed after authenticated sessions have been terminated. However, for some types of interactive sessions including, for example, file transfer protocol (FTP) sessions, information systems typically send logout messages as final messages prior to terminating sessions. |
The information system:
(a) Provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources]; and
(b) Displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions. |
| CCI-002979 |
The organization employs organization-defined asset location technologies to track and monitor the location and movement of organization-defined assets within organization-defined controlled areas. |
The organization conducting the inspection/assessment obtains and examines documentation reflecting asset location technologies in use to ensure the organization being inspected/assessed implements asset location technologies defined in PE-20, CCI 2980 to track and monitor the location and movement of assets defined in PE-20, CCI 2981 within controlled areas defined in PE-20, CCI 2982. |
The organization being inspected/assessed implements asset location technologies defined in PE-20, CCI 2980 to track and monitor the location and movement of assets defined in PE-20, CCI 2981 within controlled areas defined in PE-20, CCI 2982. |
Asset Monitoring And Tracking |
PE-20 |
PE-20.1 |
Asset location technologies can help organizations ensure that critical assets such as vehicles or essential information system components remain in authorized locations. Organizations consult with the Office of the General Counsel and the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) regarding the deployment and use of asset location technologies to address potential privacy concerns. Related control: CM-8. |
The organization:
a. Employs [Assignment: organization-defined asset location technologies] to track and monitor the location and movement of [Assignment: organization-defined assets] within [Assignment: organization-defined controlled areas]; and
b. Ensures that asset location technologies are employed in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. |
| CCI-002980 |
The organization defines asset location technologies to track and monitor the location and movement of organization-defined assets within organization-defined controlled areas. |
The organization conducting the inspection/assessment obtains and examines the documented asset location technologies to ensure the organization being inspected/assessed defines asset location technologies to track and monitor the location and movement of organization-defined assets within organization-defined controlled areas.
DoD has determined the asset location technologies are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents asset location technologies to track and monitor the location and movement of organization-defined assets within organization-defined controlled areas.
DoD has determined the asset location technologies are not appropriate to define at the Enterprise level. |
Asset Monitoring And Tracking |
PE-20 |
PE-20.2 |
Asset location technologies can help organizations ensure that critical assets such as vehicles or essential information system components remain in authorized locations. Organizations consult with the Office of the General Counsel and the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) regarding the deployment and use of asset location technologies to address potential privacy concerns. Related control: CM-8. |
The organization:
a. Employs [Assignment: organization-defined asset location technologies] to track and monitor the location and movement of [Assignment: organization-defined assets] within [Assignment: organization-defined controlled areas]; and
b. Ensures that asset location technologies are employed in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. |
| CCI-002981 |
The organization defines the assets within the organization-defined controlled areas which are to be tracked and monitored for their location and movement. |
The organization conducting the inspection/assessment obtains and examines the documented assets to ensure the organization being inspected/assessed defines the assets within the organization-defined controlled areas which are to be tracked and monitored for their location and movement.
DoD has determined the assets are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the assets within the organization-defined controlled areas which are to be tracked and monitored for their location and movement.
DoD has determined the assets are not appropriate to define at the Enterprise level. |
Asset Monitoring And Tracking |
PE-20 |
PE-20.3 |
Asset location technologies can help organizations ensure that critical assets such as vehicles or essential information system components remain in authorized locations. Organizations consult with the Office of the General Counsel and the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) regarding the deployment and use of asset location technologies to address potential privacy concerns. Related control: CM-8. |
The organization:
a. Employs [Assignment: organization-defined asset location technologies] to track and monitor the location and movement of [Assignment: organization-defined assets] within [Assignment: organization-defined controlled areas]; and
b. Ensures that asset location technologies are employed in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. |
| CCI-002982 |
The organization defines controlled areas where the location and movement of organization-defined assets are tracked and monitored. |
The organization conducting the inspection/assessment obtains and examines the documented controlled areas to ensure the organization being inspected/assessed defines controlled areas that the location and movement of organization-defined assets are tracked and monitored.
DoD has determined the controlled areas are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents controlled areas that the location and movement of organization-defined assets are tracked and monitored.
DoD has determined the controlled areas are not appropriate to define at the Enterprise level. |
Asset Monitoring And Tracking |
PE-20 |
PE-20.4 |
Asset location technologies can help organizations ensure that critical assets such as vehicles or essential information system components remain in authorized locations. Organizations consult with the Office of the General Counsel and the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) regarding the deployment and use of asset location technologies to address potential privacy concerns. Related control: CM-8. |
The organization:
a. Employs [Assignment: organization-defined asset location technologies] to track and monitor the location and movement of [Assignment: organization-defined assets] within [Assignment: organization-defined controlled areas]; and
b. Ensures that asset location technologies are employed in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. |
| CCI-002983 |
The organization ensures that asset location technologies are employed in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. |
The organization conducting the inspection/assessment obtains and examines the documented list of any federal laws, Executive Orders, directives, regulations, policies, standards, and guidance applicable to the asset location technologies in use, as well as the documentation of asset tracking technologies per PE-20, CCI 2980, to ensure that the organization being inspected/assessed identifies any requirements (particularly privacy requirements) applicable to the asset tracking methodologies in use, and to ensure that the organization implements a process to meet those identified requirements.
|
The organization being inspected/assessed identifies and documents any federal laws, Executive Orders, directives, regulations, policies, standards, and guidance applicable to the asset location technologies in use. In particular, the organization identifies any requirements to protect the privacy of personnel transporting assets being tracked. The organization documents a process to meet the applicable requirements in their documentation of asset tracking technologies (PE-20, CCI 2980).
|
Asset Monitoring And Tracking |
PE-20 |
PE-20.5 |
Asset location technologies can help organizations ensure that critical assets such as vehicles or essential information system components remain in authorized locations. Organizations consult with the Office of the General Counsel and the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) regarding the deployment and use of asset location technologies to address potential privacy concerns. Related control: CM-8. |
The organization:
a. Employs [Assignment: organization-defined asset location technologies] to track and monitor the location and movement of [Assignment: organization-defined assets] within [Assignment: organization-defined controlled areas]; and
b. Ensures that asset location technologies are employed in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. |
| CCI-003372 |
The organization defines the support from external providers to be provided for unsupported information system components. |
The organization conducting the inspection/assessment obtains and examines the documented support to ensure the organization being inspected/assessed defines the support from external providers to be provided for unsupported information system components.
DoD has determined the support from external providers is not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the support from external providers to be provided for unsupported information system components.
DoD has determined the support from external providers is not appropriate to define at the Enterprise level. |
Unsupported System Components | Alternative Sources For Continued Support |
SA-22 (1) |
SA-22(1).1 |
This control enhancement addresses the need to provide continued support for selected information system components that are no longer supported by the original developers, vendors, or manufacturers when such components remain essential to mission/business operations. Organizations can establish in-house support, for example, by developing customized patches for critical software components or secure the services of external providers who through contractual relationships, provide ongoing support for the designated unsupported components. Such contractual relationships can include, for example, Open Source Software value-added vendors. |
The organization provides [Selection (one or more): in-house support; [Assignment: organization-defined support from external providers]] for unsupported information system components. |
| CCI-003373 |
The organization provides in-house support and/or organization-defined support from external providers for unsupported information system components. |
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed provides in-house support and/or support from external providers defined in SA-22 (1), CCI 3372 for unsupported information system components. |
The organization being inspected/assessed documents and implements a process to provide in-house support and/or support from external providers defined in SA-22 (1), CCI 3372 for unsupported information system components. |
Unsupported System Components | Alternative Sources For Continued Support |
SA-22 (1) |
SA-22(1).2 |
This control enhancement addresses the need to provide continued support for selected information system components that are no longer supported by the original developers, vendors, or manufacturers when such components remain essential to mission/business operations. Organizations can establish in-house support, for example, by developing customized patches for critical software components or secure the services of external providers who through contractual relationships, provide ongoing support for the designated unsupported components. Such contractual relationships can include, for example, Open Source Software value-added vendors. |
The organization provides [Selection (one or more): in-house support; [Assignment: organization-defined support from external providers]] for unsupported information system components. |
| CCI-003374 |
The organization documents approval for the continued use of unsupported system components required to satisfy mission/business needs. |
The organization conducting the inspection/assessment obtains and examines the hardware and software lists as well as the documented approvals to ensure the organization being inspected/assessed documents approval for the continued use of unsupported system components required to satisfy mission/business needs. |
The organization being inspected/assessed documents approval for the continued use of unsupported system components required to satisfy mission/business needs. |
Unsupported System Components |
SA-22 |
SA-22.2 |
Support for information system components includes, for example, software patches, firmware updates, replacement parts, and maintenance contracts. Unsupported components (e.g., when vendors are no longer providing critical software patches), provide a substantial opportunity for adversaries to exploit new weaknesses discovered in the currently installed components. Exceptions to replacing unsupported system components may include, for example, systems that provide critical mission/business capability where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option. Related controls: PL-2, SA-3. |
The organization:
a. Replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer; and
b. Provides justification and documents approval for the continued use of unsupported system components required to satisfy mission/business needs. |
| CCI-003375 |
The organization provides justification for the continued use of unsupported system components required to satisfy mission/business needs. |
The organization conducting the inspection/assessment obtains and examines the documented justification as well as the hardware and software lists to ensure the organization being inspected/assessed provides justification for the continued use of unsupported system components required to satisfy mission/business needs. |
The organization being inspected/assessed documents justification for the continued use of unsupported system components required to satisfy mission/business needs. |
Unsupported System Components |
SA-22 |
SA-22.3 |
Support for information system components includes, for example, software patches, firmware updates, replacement parts, and maintenance contracts. Unsupported components (e.g., when vendors are no longer providing critical software patches), provide a substantial opportunity for adversaries to exploit new weaknesses discovered in the currently installed components. Exceptions to replacing unsupported system components may include, for example, systems that provide critical mission/business capability where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option. Related controls: PL-2, SA-3. |
The organization:
a. Replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer; and
b. Provides justification and documents approval for the continued use of unsupported system components required to satisfy mission/business needs. |
| CCI-003376 |
The organization replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer. |
The organization conducting the inspection/assessment obtains and examines the documented process as well as the hardware and software lists to ensure the organization being inspected/assessed replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer. |
The organization being inspected/assessed documents and implements a process to replace information system components when support for the components is no longer available from the developer, vendor, or manufacturer. |
Unsupported System Components |
SA-22 |
SA-22.1 |
Support for information system components includes, for example, software patches, firmware updates, replacement parts, and maintenance contracts. Unsupported components (e.g., when vendors are no longer providing critical software patches), provide a substantial opportunity for adversaries to exploit new weaknesses discovered in the currently installed components. Exceptions to replacing unsupported system components may include, for example, systems that provide critical mission/business capability where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option. Related controls: PL-2, SA-3. |
The organization:
a. Replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer; and
b. Provides justification and documents approval for the continued use of unsupported system components required to satisfy mission/business needs. |
| CCI-002773 |
The organization defines the fail-safe procedures to be implemented by the information system when organization-defined failure conditions occur. |
The organization conducting the inspection/assessment obtains and examines the documented fail-safe procedures to ensure the organization being inspected/assessed defines the fail-safe procedures to be implemented by the information system when organization-defined failure conditions occur.
DoD has determined the fail-safe procedures are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the fail-safe procedures to be implemented by the information system when organization-defined failure conditions occur.
DoD has determined the fail-safe procedures are not appropriate to define at the Enterprise level. |
Fail-Safe Procedures |
SI-17 |
SI-17.1 |
Failure conditions include, for example, loss of communications among critical system components or between system components and operational facilities. Fail-safe procedures include, for example, alerting operator personnel and providing specific instructions on subsequent steps to take (e.g., do nothing, reestablish system settings, shut down processes, restart the system, or contact designated organizational personnel). Related controls: CP-12, CP-13, SC-24, SI-13. |
The information system implements [Assignment: organization-defined fail-safe procedures] when [Assignment: organization-defined failure conditions occur]. |
| CCI-002774 |
The organization defines the failure conditions which, when they occur, will result in the information system implementing organization-defined fail-safe procedures. |
The organization conducting the inspection/assessment obtains and examines the documented failure conditions to ensure the organization being inspected/assessed defines the failure conditions which, when they occur, will result in the information system implementing organization-defined fail-safe procedures.
DoD has determined the failure conditions are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the failure conditions which, when they occur, will result in the information system implementing organization-defined fail-safe procedures.
DoD has determined the failure conditions are not appropriate to define at the Enterprise level. |
Fail-Safe Procedures |
SI-17 |
SI-17.2 |
Failure conditions include, for example, loss of communications among critical system components or between system components and operational facilities. Fail-safe procedures include, for example, alerting operator personnel and providing specific instructions on subsequent steps to take (e.g., do nothing, reestablish system settings, shut down processes, restart the system, or contact designated organizational personnel). Related controls: CP-12, CP-13, SC-24, SI-13. |
The information system implements [Assignment: organization-defined fail-safe procedures] when [Assignment: organization-defined failure conditions occur]. |
| CCI-002775 |
The information system implements organization-defined fail-safe procedures when organization-defined failure conditions occur. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement fail-safe procedures defined in SI-17, CCI 2773 when failure conditions defined in SI-17, CCI 2774 occur.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2775. |
The organization being inspected/assessed configures the information system to implement fail-safe procedures defined in SI-17, CCI 2773 when failure conditions defined in SI-17, CCI 2774 occur.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2775. |
Fail-Safe Procedures |
SI-17 |
SI-17.3 |
Failure conditions include, for example, loss of communications among critical system components or between system components and operational facilities. Fail-safe procedures include, for example, alerting operator personnel and providing specific instructions on subsequent steps to take (e.g., do nothing, reestablish system settings, shut down processes, restart the system, or contact designated organizational personnel). Related controls: CP-12, CP-13, SC-24, SI-13. |
The information system implements [Assignment: organization-defined fail-safe procedures] when [Assignment: organization-defined failure conditions occur]. |
| CCI-002823 |
The organization defines the security safeguards to be implemented to protect the information system^s memory from unauthorized code execution. |
The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure the organization being inspected/assessed defines the security safeguards to be implemented to protect the information system's memory from unauthorized code execution.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
The organization being inspected/assessed defines and documents the security safeguards to be implemented to protect the information system's memory from unauthorized code execution.
DoD has determined the security safeguards are not appropriate to define at the Enterprise level. |
Memory Protection |
SI-16 |
SI-16.1 |
Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Related controls: AC-25, SC-3. |
The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution. |
| CCI-002824 |
The information system implements organization-defined security safeguards to protect its memory from unauthorized code execution. |
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement security safeguards defined in SI-16, CCI 2823 to protect its memory from unauthorized code execution.
For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2824. |
The organization being inspected/assessed configures the information system to implement security safeguards defined in SI-16, CCI 2823 to protect its memory from unauthorized code execution.
For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2824. |
Memory Protection |
SI-16 |
SI-16.2 |
Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Related controls: AC-25, SC-3. |
The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution. |
| CCI-003117 |
The organization centrally manages organization-defined security controls and related processes. |
DoDI 8500.01, DoDI 8510.01, and CNSSI 1253 meet the DoD requirements for centrally managing security controls and related processes.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8500.01 and CNSSI 1253. |
DoDI 8500.01, DoDI 8510.01, and CNSSI 1253 meet the DoD requirements for centrally managing security controls and related processes.
DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8500.01 and CNSSI 1253. |
Central Management |
PL-9 |
PL-9.1 |
Central management refers to the organization-wide management and implementation of selected security controls and related processes. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed security controls and processes. As central management of security controls is generally associated with common controls, such management promotes and facilitates standardization of security control implementations and management and judicious use of organizational resources. Centrally-managed security controls and processes may also meet independence requirements for assessments in support of initial and ongoing authorizations to operate as part of organizational continuous monitoring. As part of the security control selection process, organizations determine which controls may be suitable for central management based on organizational resources and capabilities. Organizations consider that it may not always be possible to centrally manage every aspect of a security control. In such cases, the security control is treated as a hybrid control with the control managed and implemented either centrally or at the information system level. Controls and control enhancements that are candidates for full or partial central management include, but are not limited to: AC-2 (1) (2) (3) (4); AC-17 (1) (2) (3) (9); AC-18 (1) (3) (4) (5); AC-19 (4); AC-22; AC-23; AT-2 (1) (2); AT-3 (1) (2) (3); AT-4; AU-6 (1) (3) (5) (6) (9); AU-7 (1) (2); AU-11, AU-13, AU-16, CA-2 (1) (2) (3); CA-3 (1) (2) (3); CA-7 (1); CA-9; CM-2 (1) (2); CM-3 (1) (4); CM-4; CM-6 (1); CM-7 (4) (5); CM-8 (all); CM-9 (1); CM-10; CM-11; CP-7 (all); CP-8 (all); SC-43; SI-2; SI-3; SI-7; and SI-8. |
The organization centrally manages [Assignment: organization-defined security controls and related processes]. |
| CCI-003118 |
The organization defines security controls and related processes to be centrally managed. |
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level.
DoD has defined the security controls and related processes to be centrally managed as CNSSI 1253, DoDI 8510.01, and DoDI 8500.01. |
DoD has defined the security controls and related processes to be centrally managed as CNSSI 1253, DoDI 8510.01, and DoDI 8500.01. |
Central Management |
PL-9 |
PL-9.2 |
Central management refers to the organization-wide management and implementation of selected security controls and related processes. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed security controls and processes. As central management of security controls is generally associated with common controls, such management promotes and facilitates standardization of security control implementations and management and judicious use of organizational resources. Centrally-managed security controls and processes may also meet independence requirements for assessments in support of initial and ongoing authorizations to operate as part of organizational continuous monitoring. As part of the security control selection process, organizations determine which controls may be suitable for central management based on organizational resources and capabilities. Organizations consider that it may not always be possible to centrally manage every aspect of a security control. In such cases, the security control is treated as a hybrid control with the control managed and implemented either centrally or at the information system level. Controls and control enhancements that are candidates for full or partial central management include, but are not limited to: AC-2 (1) (2) (3) (4); AC-17 (1) (2) (3) (9); AC-18 (1) (3) (4) (5); AC-19 (4); AC-22; AC-23; AT-2 (1) (2); AT-3 (1) (2) (3); AT-4; AU-6 (1) (3) (5) (6) (9); AU-7 (1) (2); AU-11, AU-13, AU-16, CA-2 (1) (2) (3); CA-3 (1) (2) (3); CA-7 (1); CA-9; CM-2 (1) (2); CM-3 (1) (4); CM-4; CM-6 (1); CM-7 (4) (5); CM-8 (all); CM-9 (1); CM-10; CM-11; CP-7 (all); CP-8 (all); SC-43; SI-2; SI-3; SI-7; and SI-8. |
The organization centrally manages [Assignment: organization-defined security controls and related processes]. |
