Control Correlation Identifiers (CCIs)

CCI CCI Definition CCI Auditor CCI Guidance Control Name Control Assessment Procedure Control Guidance Control Definition
CCI-001545 The organization defines a frequency for reviewing and updating the access control policy. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually. DoD has defined the frequency as annually. Access Control Policy And Procedures AC-1 AC-1.8 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Assignment: organization-defined frequency]; and 2. Access control procedures [Assignment: organization-defined frequency].
CCI-001546 The organization defines a frequency for reviewing and updating the access control procedures. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually. DoD has defined the frequency as annually. Access Control Policy And Procedures AC-1 AC-1.10 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Assignment: organization-defined frequency]; and 2. Access control procedures [Assignment: organization-defined frequency].
CCI-000001 The organization develops an access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The organization conducting the inspection/assessment obtains and examines the access control policy to ensure the organization being inspected/assessed develops and documents an access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The organization being inspected/assessed develops and documents an access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. Access Control Policy And Procedures AC-1 AC-1.3 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. 
An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Assignment: organization-defined frequency]; and 2. Access control procedures [Assignment: organization-defined frequency].
CCI-000004 The organization develops procedures to facilitate the implementation of the access control policy and associated access controls. The organization conducting the inspection/assessment obtains and examines the procedures to facilitate the implementation of the access control policy and associated access controls to ensure the organization being inspected/assessed develops and documents procedures to facilitate the implementation of the access control policy and associated access controls. The organization being inspected/assessed develops and documents procedures to facilitate the implementation of the access control policy and associated access controls. Access Control Policy And Procedures AC-1 AC-1.5 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. 
Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Assignment: organization-defined frequency]; and 2. Access control procedures [Assignment: organization-defined frequency].
CCI-000002 The organization disseminates the access control policy to organization-defined personnel or roles. The organization conducting the inspection/assessment examines the access control policy via the organization's information sharing capability to ensure the organization being inspected/assessed disseminates the policy to all personnel. DoD has defined the personnel or roles as all personnel. The organization being inspected/assessed disseminates via an information sharing capability to all personnel. DoD has defined the personnel or roles as all personnel. Access Control Policy And Procedures AC-1 AC-1.4 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. 
Access control policy [Assignment: organization-defined frequency]; and 2. Access control procedures [Assignment: organization-defined frequency].
CCI-000003 The organization reviews and updates the access control policy in accordance with organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the audit trail of reviews and updates to ensure the organization being inspected/assessed annually reviews and updates the access control policy. DoD has defined the frequency as annually. The organization being inspected/assessed annually reviews and updates the access control policy. The organization must maintain review and update activity as an audit trail. DoD has defined the frequency as annually. Access Control Policy And Procedures AC-1 AC-1.7 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. 
Access control policy [Assignment: organization-defined frequency]; and 2. Access control procedures [Assignment: organization-defined frequency].
CCI-000005 The organization disseminates the procedures to facilitate access control policy and associated access controls to the organization-defined personnel or roles. The organization conducting the inspection/assessment examines the procedures to facilitate access control policy and associated access controls via the organization's information sharing capability to ensure the organization being inspected/assessed disseminates the procedures to all personnel. DoD has defined the personnel or roles as all personnel. The organization being inspected/assessed disseminates via an information sharing capability to all personnel the procedures to facilitate access control policy and associated access controls. DoD has defined the personnel or roles as all personnel. Access Control Policy And Procedures AC-1 AC-1.6 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. 
An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Assignment: organization-defined frequency]; and 2. Access control procedures [Assignment: organization-defined frequency].
CCI-000006 The organization reviews and updates the access control procedures in accordance with organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the audit trail of reviews and updates to ensure the organization being inspected/assessed annually reviews and updates the access control procedures. DoD has defined the frequency as annually. The organization being inspected/assessed annually reviews and updates the access control procedures. The organization must maintain review and update activity as an audit trail. DoD has defined the frequency as annually. Access Control Policy And Procedures AC-1 AC-1.9 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. 
Reviews and updates the current: 1. Access control policy [Assignment: organization-defined frequency]; and 2. Access control procedures [Assignment: organization-defined frequency].
CCI-001547 The organization defines the frequency on which it will review information system accounts for compliance with account management requirements. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as at a minimum, annually. DoD has defined the frequency as at a minimum, annually. Account Management AC-2 AC-2.23 Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. 
Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. 
Monitors the use of information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
CCI-000007 The organization manages information system accounts by identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary).
CCI-000008 The organization establishes conditions for group membership. The organization conducting the inspection/assessment obtains and examines the documented conditions for adding accounts as members of groups to ensure that the conditions are established. The organization being inspected/assessed documents conditions for adding accounts as members of groups. Account Management AC-2 AC-2.4 Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. 
Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. 
Monitors the use of information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
CCI-000009 The organization manages information system accounts by identifying authorized users of the information system and specifying access privileges.
CCI-000010 The organization requires approvals by organization-defined personnel or roles for requests to create information system accounts. The organization conducting the inspection/assessment obtains and examines the audit trail of approvals to ensure that the organization being inspected/assessed implements a process for the ISSM or ISSO to approve information system account requests. DoD has defined the personnel or roles as the ISSM or ISSO. The organization being inspected/assessed implements a process for the ISSM or ISSO to approve information system account requests. The organization being inspected/assessed maintains an audit trail of approvals. DoD has defined the personnel or roles as the ISSM or ISSO. Account Management AC-2 AC-2.11 Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. 
In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. 
Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. Monitors the use of information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
CCI-000011
CCI Definition: The organization creates, enables, modifies, disables, and removes information system accounts in accordance with organization-defined procedures or conditions.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines the audit trail of account maintenance activities to ensure the organization being inspected/assessed implements account maintenance processes to create, enable, modify, disable, remove, and track information system accounts in accordance with procedures or conditions defined in AC-2, 2121.
CCI Guidance: The organization being inspected/assessed implements account maintenance processes to create, enable, modify, disable, and remove information system accounts in accordance with procedures or conditions defined in AC-2, 2121. The organization being inspected/assessed maintains an audit trail of account maintenance activities.
Control Name: Account Management
Control: AC-2
Assessment Procedure: AC-2.13
Control Guidance: Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13.
Control Definition: The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. Monitors the use of information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

CCI-000012
CCI Definition: The organization reviews information system accounts for compliance with account management requirements per organization-defined frequency.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines the audit trail of reviews to ensure the organization being inspected/assessed implements a process to review information system accounts for compliance with account management requirements at a minimum, annually. DoD has defined the frequency as at a minimum, annually.
CCI Guidance: The organization being inspected/assessed implements a process to review information system accounts for compliance with account management requirements at a minimum, annually. The organization being inspected/assessed maintains an audit trail of reviews. DoD has defined the frequency as at a minimum, annually.
Control Name: Account Management
Control: AC-2
Assessment Procedure: AC-2.22
Control Guidance: Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13.
Control Definition: The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. Monitors the use of information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

CCI-000013
CCI Definition: The organization manages information system accounts by notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes.

CCI-000014
CCI Definition: The organization manages information system accounts by granting access to the system based on a valid access authorization; intended system usage; and other attributes as required by the organization or associated missions/business functions.

CCI-000015
CCI Definition: The organization employs automated mechanisms to support the information system account management functions.
CCI Auditor: The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to employ automated mechanisms to support the information system account management functions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 000015.
CCI Guidance: The organization being inspected/assessed configures the information system to employ automated mechanisms to support the information system account management functions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 000015.
Control Name: Account Management | Automated System Account Management
Control: AC-2 (1)
Assessment Procedure: AC-2(1).1
Control Guidance: The use of automated mechanisms can include, for example: using email or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using telephonic notification to report atypical system account usage.
Control Definition: The organization employs automated mechanisms to support the management of information system accounts.

CCI-000016
CCI Definition: The information system automatically removes or disables temporary accounts after an organization-defined time period for each type of account.
CCI Auditor: The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to automatically remove or disable temporary accounts after 72 hours. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 000016. DoD has defined the time period as 72 hours.
CCI Guidance: The organization being inspected/assessed configures the information system to automatically remove or disable temporary accounts after 72 hours. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 000016. DoD has defined the time period as 72 hours.
Control Name: Account Management | Removal Of Temporary / Emergency Accounts
Control: AC-2 (2)
Assessment Procedure: AC-2(2).1
Control Guidance: This control enhancement requires the removal of both temporary and emergency accounts automatically after a predefined period of time has elapsed, rather than at the convenience of the systems administrator.
Control Definition: The information system automatically [Selection: removes; disables] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].

CCI-000017
CCI Definition: The information system automatically disables inactive accounts after an organization-defined time period.
CCI Auditor: The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to disable inactive accounts after 35 days. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 000017. DoD has defined the time period as 35 days.
CCI Guidance: The organization being inspected/assessed configures the information system to disable inactive accounts after 35 days. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 000017. DoD has defined the time period as 35 days.
Control Name: Account Management | Disable Inactive Accounts
Control: AC-2 (3)
Assessment Procedure: AC-2(3).1
Control Definition: The information system automatically disables inactive accounts after [Assignment: organization-defined time period].

CCI-000018
CCI Definition: The information system automatically audits account creation actions.
CCI Auditor: The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to automatically audit account creation actions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 18.
CCI Guidance: The organization being inspected/assessed configures the information system to automatically audit account creation actions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 18.
Control Name: Account Management | Automated Audit Actions
Control: AC-2 (4)
Assessment Procedure: AC-2(4).1
Control Guidance: Related controls: AU-2, AU-12.
Control Definition: The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].

CCI-000019
CCI Definition: The organization requires that users log out in accordance with the organization-defined time period of inactivity or description of when to log out.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines the user policies to ensure that users are required to log out at the end of the users' standard work period unless otherwise defined in formal organizational policy and IAW conditions defined in AC-2 (5) CCI 2133. DoD has defined the time period as at the end of the users' standard work period unless otherwise defined in formal organizational policy.
CCI Guidance: The organization being inspected/assessed documents in the user policies that users are required to log out at the end of the users' standard work period unless otherwise defined in formal organizational policy and IAW conditions defined in AC-2 (5) CCI 2133. DoD has defined the time period as at the end of the users' standard work period unless otherwise defined in formal organizational policy.
Control Name: Account Management | Inactivity Logout
Control: AC-2 (5)
Assessment Procedure: AC-2(5).2
Control Guidance: Related control: SC-23.
Control Definition: The organization requires that users log out when [Assignment: organization-defined time-period of expected inactivity or description of when to log out].

CCI-000020
CCI Definition: The information system dynamically manages user privileges and associated access authorizations.

CCI-000237
CCI Definition: The organization manages information system accounts by specifically authorizing and monitoring the use of guest/anonymous accounts and temporary accounts.

CCI-000208
CCI Definition: The organization determines normal time-of-day and duration usage for information system accounts.

CCI-001361
CCI Definition: The organization defines a time period after which temporary accounts are automatically terminated.
CCI Auditor: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as 72 hours. The time period of 72 hours applies to temporary user accounts.
CCI Guidance: DoD has defined the time period as 72 hours. The time period of 72 hours applies to temporary user accounts.
Control Name: Account Management | Removal Of Temporary / Emergency Accounts
Control: AC-2 (2)
Assessment Procedure: AC-2(2).2
Control Guidance: This control enhancement requires the removal of both temporary and emergency accounts automatically after a predefined period of time has elapsed, rather than at the convenience of the systems administrator.
Control Definition: The information system automatically [Selection: removes; disables] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].

CCI-001365
CCI Definition: The organization defines a time period after which emergency accounts are automatically terminated.
CCI Auditor: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as never. The time period of never applies to emergency admin accounts.
CCI Guidance: DoD has defined the time period as never. The time period of never applies to emergency admin accounts.
Control Name: Account Management | Removal Of Temporary / Emergency Accounts
Control: AC-2 (2)
Assessment Procedure: AC-2(2).3
Control Guidance: This control enhancement requires the removal of both temporary and emergency accounts automatically after a predefined period of time has elapsed, rather than at the convenience of the systems administrator.
Control Definition: The information system automatically [Selection: removes; disables] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].

CCI-000217
CCI Definition: The organization defines a time period after which inactive accounts are automatically disabled.
CCI Auditor: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as 35 days.
CCI Guidance: DoD has defined the time period as 35 days.
Control Name: Account Management | Disable Inactive Accounts
Control: AC-2 (3)
Assessment Procedure: AC-2(3).2
Control Definition: The information system automatically disables inactive accounts after [Assignment: organization-defined time period].

CCI-001403
CCI Definition: The information system automatically audits account modification actions.
CCI Auditor: The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to automatically audit account modification actions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1403.
CCI Guidance: The organization being inspected/assessed configures the information system to automatically audit account modification actions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1403.
Control Name: Account Management | Automated Audit Actions
Control: AC-2 (4)
Assessment Procedure: AC-2(4).2
Control Guidance: Related controls: AU-2, AU-12.
Control Definition: The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].

CCI-001404
CCI Definition: The information system automatically audits account disabling actions.
CCI Auditor: The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to automatically audit account disabling actions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1404.
CCI Guidance: The organization being inspected/assessed configures the information system to automatically audit account disabling actions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1404.
Control Name: Account Management | Automated Audit Actions
Control: AC-2 (4)
Assessment Procedure: AC-2(4).3
Control Guidance: Related controls: AU-2, AU-12.
Control Definition: The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].

CCI-001405
CCI Definition: The information system automatically audits account removal actions.
CCI Auditor: The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to automatically audit account removal actions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1405.
CCI Guidance: The organization being inspected/assessed configures the information system to automatically audit account removal actions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1405.
Control Name: Account Management | Automated Audit Actions
Control: AC-2 (4)
Assessment Procedure: AC-2(4).4
Control Guidance: Related controls: AU-2, AU-12.
Control Definition: The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].

CCI-001406
CCI Definition: The organization defines a time period of expected inactivity when users are required to log out.
CCI Auditor: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as at the end of the users' standard work period unless otherwise defined in formal organizational policy.
CCI Guidance: DoD has defined the time period as at the end of the users' standard work period unless otherwise defined in formal organizational policy.
Control Name: Account Management | Inactivity Logout
Control: AC-2 (5)
Assessment Procedure: AC-2(5).3
Control Guidance: Related control: SC-23.
Control Definition: The organization requires that users log out when [Assignment: organization-defined time-period of expected inactivity or description of when to log out].

CCI-001407
CCI Definition: The organization administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines documented processes for privileged user account creation to ensure the organization being inspected/assessed administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles.
CCI Guidance: The organization being inspected/assessed documents and implements a process to administer privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles.
Control Name: Account Management | Role-Based Schemes
Control: AC-2 (7)
Assessment Procedure: AC-2(7).2
Control Guidance: Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. These privileged roles include, for example, key management, account management, network and system administration, database administration, and web administration.
Control Definition: The organization: (a) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles; (b) Monitors privileged role assignments; and (c) Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate.

CCI-001354
CCI Definition: The organization manages information system accounts by deactivating temporary accounts that are no longer required.

CCI-001355
CCI Definition: The organization manages information system accounts by deactivating accounts of terminated or transferred users.

CCI-001356
CCI Definition: The organization monitors for atypical usage of information system accounts.

CCI-001357
CCI Definition: The organization reports atypical usage to designated organizational officials.

CCI-001358
CCI Definition: The organization establishes privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines documented processes for privileged user account creation to ensure the organization being inspected/assessed establishes privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles.
CCI Guidance: The organization being inspected/assessed documents and implements a process to establish privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles.
Control Name: Account Management | Role-Based Schemes
Control: AC-2 (7)
Assessment Procedure: AC-2(7).1
Control Guidance: Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. These privileged roles include, for example, key management, account management, network and system administration, database administration, and web administration.
Control Definition: The organization: (a) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles; (b) Monitors privileged role assignments; and (c) Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate.

CCI-001359
CCI Definition: The organization tracks privileged role assignments.

CCI-001360
CCI Definition: The organization monitors privileged role assignments.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines the audit trail of monitoring to ensure the organization being inspected/assessed monitors privileged role assignments.
CCI Guidance: The organization being inspected/assessed implements a process to monitor privileged role assignments. The organization must maintain an audit trail of monitoring.
Control Name: Account Management | Role-Based Schemes
Control: AC-2 (7)
Assessment Procedure: AC-2(7).3
Control Guidance: Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. These privileged roles include, for example, key management, account management, network and system administration, database administration, and web administration.
Control Definition: The organization: (a) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles; (b) Monitors privileged role assignments; and (c) Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate.

CCI-001682
CCI Definition: The information system automatically removes or disables emergency accounts after an organization-defined time period for each type of account.
CCI Auditor: The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to never automatically remove or disable emergency accounts. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1682. DoD has defined the time period as never.
CCI Guidance: The organization being inspected/assessed configures the information system to never automatically remove or disable emergency accounts. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1682. DoD has defined the time period as never.
Control Name: Account Management | Removal Of Temporary / Emergency Accounts
Control: AC-2 (2)
Assessment Procedure: AC-2(2).4
Control Guidance: This control enhancement requires the removal of both temporary and emergency accounts automatically after a predefined period of time has elapsed, rather than at the convenience of the systems administrator.
Control Definition: The information system automatically [Selection: removes; disables] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].

CCI-001683
CCI Definition: The information system notifies organization-defined personnel or roles for account creation actions.
CCI Auditor: The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to notify the system administrator and ISSO for account creation actions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1683. DoD has defined the personnel or roles as the system administrator and ISSO.
CCI Guidance: The organization being inspected/assessed configures the information system to notify the system administrator and ISSO for account creation actions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1683. DoD has defined the personnel or roles as the system administrator and ISSO.
Control Name: Account Management | Automated Audit Actions
Control: AC-2 (4)
Assessment Procedure: AC-2(4).5
Control Guidance: Related controls: AU-2, AU-12.
Control Definition: The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].

CCI-001684
CCI Definition: The information system notifies organization-defined personnel or roles for account modification actions.
CCI Auditor: The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to notify the system administrator and ISSO for account modification actions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1684. DoD has defined the personnel or roles as the system administrator and ISSO.
CCI Guidance: The organization being inspected/assessed configures the information system to notify the system administrator and ISSO for account modification actions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1684. DoD has defined the personnel or roles as the system administrator and ISSO.
Control Name: Account Management | Automated Audit Actions
Control: AC-2 (4)
Assessment Procedure: AC-2(4).6
Control Guidance: Related controls: AU-2, AU-12.
Control Definition: The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].

CCI-001685
CCI Definition: The information system notifies organization-defined personnel or roles for account disabling actions.
CCI Auditor: The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to notify the system administrator and ISSO for account disabling actions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1685. DoD has defined the personnel or roles as the system administrator and ISSO.
CCI Guidance: The organization being inspected/assessed configures the information system to notify the system administrator and ISSO for account disabling actions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1685. DoD has defined the personnel or roles as the system administrator and ISSO.
Control Name: Account Management | Automated Audit Actions
Control: AC-2 (4)
Assessment Procedure: AC-2(4).7
Control Guidance: Related controls: AU-2, AU-12.
Control Definition: The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].

CCI-001686 The information system notifies organization-defined personnel or roles for account removal actions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to notify the system administrator and ISSO for account removal actions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1686. DoD has defined the personnel or roles as the system administrator and ISSO. The organization being inspected/assessed configures the information system to notify the system administrator and ISSO for account removal actions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1686. DoD has defined the personnel or roles as the system administrator and ISSO. Account Management | Automated Audit Actions AC-2 (4) AC-2(4).8 Related controls: AU-2, AU-12. The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].
CCI-001548 The organization defines the information flow control policies for controlling the flow of information within the system. The organization conducting the inspection/assessment obtains and examines the documented information flow control policies to ensure the organization being inspected/assessed defines the information flow control policies for controlling the flow of information within the system. DoD has determined the information flow control policies are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the information flow control policies for controlling the flow of information within the system. DoD has determined the information flow control policies are not appropriate to define at the Enterprise level. Information Flow Enforcement AC-4 AC-4.3 Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and security labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18. The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].
CCI-001549 The organization defines the information flow control policies for controlling the flow of information between interconnected systems. The organization conducting the inspection/assessment obtains and examines the documented information flow control policies to ensure the organization being inspected/assessed defines the information flow control policies for controlling the flow of information between interconnected systems. DoD has determined the information flow control policies are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the information flow control policies for controlling the flow of information between interconnected systems. DoD has determined the information flow control policies are not appropriate to define at the Enterprise level. Information Flow Enforcement AC-4 AC-4.4 Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and security labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18. The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].
CCI-001550 The organization defines approved authorizations for controlling the flow of information within the system. The organization conducting the inspection/assessment obtains and examines the documented approved authorizations to ensure the organization being inspected/assessed defines approved authorizations for controlling the flow of information within the system. The organization being inspected/assessed defines and documents approved authorizations for controlling the flow of information within the system. Information Flow Enforcement AC-4 AC-4.5 Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and security labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18. The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].
CCI-001551 The organization defines approved authorizations for controlling the flow of information between interconnected systems. The organization conducting the inspection/assessment obtains and examines the documented approved authorizations to ensure the organization being inspected/assessed defines approved authorizations for controlling the flow of information between interconnected systems. The organization being inspected/assessed defines and documents approved authorizations for controlling the flow of information between interconnected systems. Information Flow Enforcement AC-4 AC-4.6 Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and security labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18. The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].
CCI-001552 The organization defines policy that allows or disallows information flows based on changing conditions or operational considerations.
CCI-001553 The organization defines the security policy filters that privileged administrators have the capability to enable/disable. The organization conducting the inspection/assessment obtains and examines the documented security policy filters to ensure the organization being inspected/assessed defines the security policy filters that privileged administrators have the capability to enable/disable. DoD has determined the security policy filters are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the security policy filters that privileged administrators have the capability to enable/disable. DoD has determined the security policy filters are not appropriate to define at the Enterprise level. Information Flow Enforcement | Enable/Disable Security Policy Filters AC-4 (10) AC-4(10).2 For example, as allowed by the information system authorization, administrators can enable security policy filters to accommodate approved data types. The information system provides the capability for privileged administrators to enable/disable [Assignment: organization-defined security policy filters] under the following conditions: [Assignment: organization-defined conditions].
CCI-001554 The organization defines the security policy filters that privileged administrators have the capability to configure. The organization conducting the inspection/assessment obtains and examines the documented security policy filters to ensure the organization being inspected/assessed defines the security policy filters that privileged administrators have the capability to configure. DoD has determined the security policy filters are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the security policy filters that privileged administrators have the capability to configure. DoD has determined the security policy filters are not appropriate to define at the Enterprise level. Information Flow Enforcement | Configuration Of Security Policy Filters AC-4 (11) AC-4(11).2 For example, to reflect changes in security policies, administrators can change the list of “dirty words” that security policy mechanisms check in accordance with the definitions provided by organizations. The information system provides the capability for privileged administrators to configure [Assignment: organization-defined security policy filters] to support different security policies.
CCI-001555 The information system uniquely identifies destination domains for information transfer.
CCI-001556 The information system uniquely authenticates destination domains for information transfer.
CCI-001557 The information system tracks problems associated with the information transfer.
CCI-000025 The information system enforces information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions.
CCI-000026 The information system uses protected processing domains to enforce organization-defined information flow control policies as a basis for flow control decisions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to use protected processing domains to enforce information flow control policies defined in AC-4 (2), CCI 2191 as a basis for flow control decisions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 000026. The organization being inspected/assessed configures the information system to use protected processing domains to enforce information flow control policies defined in AC-4 (2), CCI 2191 as a basis for flow control decisions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 000026. Information Flow Enforcement | Processing Domains AC-4 (2) AC-4(2).1 Within information systems, protected processing domains are processing spaces that have controlled interactions with other processing spaces, thus enabling control of information flows between these spaces and to/from data/information objects. A protected processing domain can be provided, for example, by implementing domain and type enforcement. In domain and type enforcement, information system processes are assigned to domains; information is identified by types; and information flows are controlled based on allowed information accesses (determined by domain and type), allowed signaling among domains, and allowed process transitions to other domains. The information system uses protected processing domains to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.
CCI-000027 The information system enforces dynamic information flow control based on organization-defined policies. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce dynamic information flow control based on policies defined in AC-4 (3), CCI 2192. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 27. The organization being inspected/assessed configures the information system to enforce dynamic information flow control based on policies defined in AC-4 (3), CCI 2192. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 27. Information Flow Enforcement | Dynamic Information Flow Control AC-4 (3) AC-4(3).1 Organizational policies regarding dynamic information flow control include, for example, allowing or disallowing information flows based on changing conditions or mission/operational considerations. Changing conditions include, for example, changes in organizational risk tolerance due to changes in the immediacy of mission/business needs, changes in the threat environment, and detection of potentially harmful or adverse events. Related control: SI-4. The information system enforces dynamic information flow control based on [Assignment: organization-defined policies].
CCI-000028 The information system prevents encrypted information from bypassing content-checking mechanisms by employing organization-defined procedures or methods. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prevent encrypted information from bypassing content-checking mechanisms by employing procedures or methods defined in AC-4 (4), CCI 2193. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 28. The organization being inspected/assessed configures the information system to prevent encrypted information from bypassing content-checking mechanisms by employing procedures or methods defined in AC-4 (4), CCI 2193. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 28. Information Flow Enforcement | Content Check Encrypted Information AC-4 (4) AC-4(4).1 Related control: SI-4. The information system prevents encrypted information from bypassing content-checking mechanisms by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method]].
CCI-000029 The information system enforces organization-defined limitations on the embedding of data types within other data types. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce limitations defined in AC-4 (5), CCI 1415 on the embedding of data types within other data types. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 29. The organization being inspected/assessed configures the information system to enforce limitations defined in AC-4 (5), CCI 1415 on the embedding of data types within other data types. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 29. Information Flow Enforcement | Embedded Data Types AC-4 (5) AC-4(5).1 Embedding data types within other data types may result in reduced flow control effectiveness. Data type embedding includes, for example, inserting executable files as objects within word processing files, inserting references or descriptive information into a media file, and compressed or archived data types that may include multiple embedded data types. Limitations on data type embedding consider the levels of embedding and prohibit levels of data type embedding that are beyond the capability of the inspection tools. The information system enforces [Assignment: organization-defined limitations] on embedding data types within other data types.
CCI-000030 The information system enforces information flow control based on organization-defined metadata. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce information flow control based on metadata defined in AC-4 (6), CCI 2194. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 30. The organization being inspected/assessed configures the information system to enforce information flow control based on metadata defined in AC-4 (6), CCI 2194. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 30. Information Flow Enforcement | Metadata AC-4 (6) AC-4(6).1 Metadata is information used to describe the characteristics of data. Metadata can include structural metadata describing data structures (e.g., data format, syntax, and semantics) or descriptive metadata describing data contents (e.g., age, location, telephone number). Enforcing allowed information flows based on metadata enables simpler and more effective flow control. Organizations consider the trustworthiness of metadata with regard to data accuracy (i.e., knowledge that the metadata values are correct with respect to the data), data integrity (i.e., protecting against unauthorized changes to metadata tags), and the binding of metadata to the data payload (i.e., ensuring sufficiently strong binding techniques with appropriate levels of assurance). Related controls: AC-16, SI-7. The information system enforces information flow control based on [Assignment: organization-defined metadata].
CCI-000031 The information system enforces organization-defined one-way flows using hardware mechanisms. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce one-way flows defined in AC-4 (7), CCI 1416 using hardware mechanisms. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 31. The organization being inspected/assessed configures the information system to enforce one-way flows defined in AC-4 (7), CCI 1416 using hardware mechanisms. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 31. Information Flow Enforcement | One-Way Flow Mechanisms AC-4 (7) AC-4(7).1 The information system enforces [Assignment: organization-defined one-way flows] using hardware mechanisms.
CCI-000032 The information system enforces information flow control using organization-defined security policy filters as a basis for flow control decisions for organization-defined information flows. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce information flow control using security policy filters defined in AC-4 (8), CCI 1417 as a basis for flow control decisions for all information flows. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 32. DoD has defined the information flows as all information flows. The organization being inspected/assessed configures the information system to enforce information flow control using security policy filters defined in AC-4 (8), CCI 1417 as a basis for flow control decisions for all information flows. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 32. DoD has defined the information flows as all information flows. Information Flow Enforcement | Security Policy Filters AC-4 (8) AC-4(8).1 Organization-defined security policy filters can address data structures and content. For example, security policy filters for data structures can check for maximum file lengths, maximum field sizes, and data/file types (for structured and unstructured data). Security policy filters for data content can check for specific words (e.g., dirty/clean word filters), enumerated values or data value ranges, and hidden content. Structured data permits the interpretation of data content by applications. Unstructured data typically refers to digital information without a particular data structure or with a data structure that does not facilitate the development of rule sets to address the particular sensitivity of the information conveyed by the data or the associated flow enforcement decisions. Unstructured data consists of: (i) bitmap objects that are inherently non language-based (i.e., image, video, or audio files); and (ii) textual objects that are based on written or printed languages (e.g., commercial off-the-shelf word processing documents, spreadsheets, or emails). Organizations can implement more than one security policy filter to meet information flow control objectives (e.g., employing clean word lists in conjunction with dirty word lists may help to reduce false positives). The information system enforces information flow control using [Assignment: organization-defined security policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows].
CCI-000033 The information system enforces the use of human review for organization-defined security policy filters when the system is not capable of making an information flow control decision.
CCI-000034 The information system provides the capability for a privileged administrator to enable/disable organization-defined security policy filters under organization-defined conditions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide the capability for a privileged administrator to enable/disable security policy filters defined in AC-4 (10), CCI 1553 under conditions defined in AC-4 (10), CCI 2199. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 34. The organization being inspected/assessed configures the information system to provide the capability for a privileged administrator to enable/disable security policy filters defined in AC-4 (10), CCI 1553 under conditions defined in AC-4 (10), CCI 2199. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 34. Information Flow Enforcement | Enable/Disable Security Policy Filters AC-4 (10) AC-4(10).1 For example, as allowed by the information system authorization, administrators can enable security policy filters to accommodate approved data types. The information system provides the capability for privileged administrators to enable/disable [Assignment: organization-defined security policy filters] under the following conditions: [Assignment: organization-defined conditions].
CCI-000035 The information system provides the capability for privileged administrators to configure the organization-defined security policy filters to support different security policies. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide the capability for privileged administrators to configure the security policy filters defined in AC-4 (11), CCI 1554 to support different security policies. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 35. The organization being inspected/assessed configures the information system to provide the capability for privileged administrators to configure the security policy filters defined in AC-4 (11), CCI 1554 to support different security policies. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 35. Information Flow Enforcement | Configuration Of Security Policy Filters AC-4 (11) AC-4(11).1 For example, to reflect changes in security policies, administrators can change the list of “dirty words” that security policy mechanisms check in accordance with the definitions provided by organizations. The information system provides the capability for privileged administrators to configure [Assignment: organization-defined security policy filters] to support different security policies.
CCI-000218 The information system, when transferring information between different security domains, identifies information flows by data type specification and usage.
CCI-000219 The information system, when transferring information between different security domains, decomposes information into organization-defined policy-relevant subcomponents for submission to policy enforcement mechanisms. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to decompose information into policy-relevant subcomponents defined in AC-4 (13), CCI 2202 for submission to policy enforcement mechanisms when transferring information between different security domains. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 219. The organization being inspected/assessed configures the information system to decompose information into policy-relevant subcomponents defined in AC-4 (13), CCI 2202 for submission to policy enforcement mechanisms when transferring information between different security domains. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 219. Information Flow Enforcement | Decomposition Into Policy-Relevant Subcomponents AC-4 (13) AC-4(13).1 Policy enforcement mechanisms apply filtering, inspection, and/or sanitization rules to the policy-relevant subcomponents of information to facilitate flow enforcement prior to transferring such information to different security domains. Parsing transfer files facilitates policy decisions on source, destination, certificates, classification, attachments, and other security-related component differentiators.
The information system, when transferring information between different security domains, decomposes information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms.
CCI-000221 The information system enforces security policies regarding information on interconnected systems.
CCI-000223 The information system binds security attributes to information to facilitate information flow policy enforcement.
CCI-000224 The information system tracks problems associated with the security attribute binding.
CCI-001414 The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce approved authorizations for controlling the flow of information between interconnected systems based on information flow control policies defined in AC-4, CCI 1549. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1414. The organization being inspected/assessed configures the information system to enforce approved authorizations for controlling the flow of information between interconnected systems based on information flow control policies defined in AC-4, CCI 1549. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1414. Information Flow Enforcement AC-4 AC-4.2 Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. 
Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and security labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. 
Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18. The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].
CCI-001415 The organization defines limitations for the embedding of data types within other data types. The organization conducting the inspection/assessment obtains and examines the documented limitations to ensure the organization being inspected/assessed defines the limitations of the embedding of data types within other data types. DoD has determined the limitations are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the limitations of the embedding of data types within other data types. DoD has determined the limitations are not appropriate to define at the Enterprise level. Information Flow Enforcement | Embedded Data Types AC-4 (5) AC-4(5).2 Embedding data types within other data types may result in reduced flow control effectiveness. Data type embedding includes, for example, inserting executable files as objects within word processing files, inserting references or descriptive information into a media file, and compressed or archived data types that may include multiple embedded data types. Limitations on data type embedding consider the levels of embedding and prohibit levels of data type embedding that are beyond the capability of the inspection tools. The information system enforces [Assignment: organization-defined limitations] on embedding data types within other data types.
CCI-001416 The organization defines one-way information flows to be enforced by the information system. The organization conducting the inspection/assessment obtains and examines the documented one-way information flows to ensure the organization being inspected/assessed defines one-way information flows to be enforced by the information system. DoD has determined the one-way information flow is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents one-way information flows to be enforced by the information system. DoD has determined the one-way information flow is not appropriate to define at the Enterprise level. Information Flow Enforcement | One-Way Flow Mechanisms AC-4 (7) AC-4(7).2 The information system enforces [Assignment: organization-defined one-way flows] using hardware mechanisms.
CCI-001417 The organization defines security policy filters to be enforced by the information system and used as a basis for flow control decisions. The organization conducting the inspection/assessment obtains and examines the documented security policy filters to ensure the organization being inspected/assessed defines security policy filters to be enforced by the information system and used as a basis for flow control decisions. DoD has determined the security policy filters are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents security policy filters to be enforced by the information system and used as a basis for flow control decisions. DoD has determined the security policy filters are not appropriate to define at the Enterprise level. Information Flow Enforcement | Security Policy Filters AC-4 (8) AC-4(8).2 Organization-defined security policy filters can address data structures and content. For example, security policy filters for data structures can check for maximum file lengths, maximum field sizes, and data/file types (for structured and unstructured data). Security policy filters for data content can check for specific words (e.g., dirty/clean word filters), enumerated values or data value ranges, and hidden content. Structured data permits the interpretation of data content by applications. Unstructured data typically refers to digital information without a particular data structure or with a data structure that does not facilitate the development of rule sets to address the particular sensitivity of the information conveyed by the data or the associated flow enforcement decisions. Unstructured data consists of: (i) bitmap objects that are inherently non language-based (i.e., image, video, or audio files); and (ii) textual objects that are based on written or printed languages (e.g., commercial off-the-shelf word processing documents, spreadsheets, or emails). 
Organizations can implement more than one security policy filter to meet information flow control objectives (e.g., employing clean word lists in conjunction with dirty word lists may help to reduce false positives). The information system enforces information flow control using [Assignment: organization-defined security policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows].
CCI-001418 The organization defines security policy filters for which the information system enforces the use of human review.
CCI-001368 The information system enforces approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce approved authorizations for controlling the flow of information within the system based on information flow control policies defined in AC-4, CCI 1548. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1368. The organization being inspected/assessed configures the information system to enforce approved authorizations for controlling the flow of information within the system based on information flow control policies defined in AC-4, CCI 1548. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1368. Information Flow Enforcement AC-4 AC-4.1 Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. 
Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and security labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. 
Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18. The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].
CCI-001371 The organization defines information security policy filters requiring fully enumerated formats which are to be implemented when transferring information between different security domains. The organization conducting the inspection/assessment obtains and examines the documented information security policy filters to ensure the organization being inspected/assessed defines information security policy filters requiring fully enumerated formats which are to be implemented when transferring information between different security domains. DoD has determined the information security policy filters are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents information security policy filters requiring fully enumerated formats which are to be implemented when transferring information between different security domains. DoD has determined the information security policy filters are not appropriate to define at the Enterprise level. Information Flow Enforcement | Security Policy Filter Constraints AC-4 (14) AC-4(14).1 Data structure and content restrictions reduce the range of potential malicious and/or unsanctioned content in cross-domain transactions. Security policy filters that restrict data structures include, for example, restricting file sizes and field lengths. Data content policy filters include, for example: (i) encoding formats for character sets (e.g., Universal Character Set Transformation Formats, American Standard Code for Information Interchange); (ii) restricting character data fields to only contain alpha-numeric characters; (iii) prohibiting special characters; and (iv) validating schema structures. The information system, when transferring information between different security domains, implements [Assignment: organization-defined security policy filters] requiring fully enumerated formats that restrict data structure and content.
CCI-001372 The information system, when transferring information between different security domains, implements organization-defined security policy filters requiring fully enumerated formats that restrict data structure and content. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement security policy filters defined in AC-4 (14), CCI 1371 requiring fully enumerated formats that restrict data structure and content. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1372. The organization being inspected/assessed configures the information system to implement security policy filters defined in AC-4 (14), CCI 1371 requiring fully enumerated formats that restrict data structure and content. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1372. Information Flow Enforcement | Security Policy Filter Constraints AC-4 (14) AC-4(14).2 Data structure and content restrictions reduce the range of potential malicious and/or unsanctioned content in cross-domain transactions. Security policy filters that restrict data structures include, for example, restricting file sizes and field lengths. Data content policy filters include, for example: (i) encoding formats for character sets (e.g., Universal Character Set Transformation Formats, American Standard Code for Information Interchange); (ii) restricting character data fields to only contain alpha-numeric characters; (iii) prohibiting special characters; and (iv) validating schema structures. 
The information system, when transferring information between different security domains, implements [Assignment: organization-defined security policy filters] requiring fully enumerated formats that restrict data structure and content.
CCI-001373 The information system, when transferring information between different security domains, examines the information for the presence of organization-defined unsanctioned information. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to examine the information for the presence of unsanctioned information defined in AC-4 (15), CCI 2203 when transferring information between different security domains. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1373. The organization being inspected/assessed configures the information system to examine the information for the presence of unsanctioned information defined in AC-4 (15), CCI 2203 when transferring information between different security domains. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1373. Information Flow Enforcement | Detection Of Unsanctioned Information AC-4 (15) AC-4(15).1 Detection of unsanctioned information includes, for example, checking all information to be transferred for malicious code and dirty words. Related control: SI-3. The information system, when transferring information between different security domains, examines the information for the presence of [Assignment: organization-defined unsanctioned information] and prohibits the transfer of such information in accordance with the [Assignment: organization-defined security policy].
CCI-001374 The information system, when transferring information between different security domains, prohibits the transfer of organization-defined unsanctioned information in accordance with the organization-defined security policy. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prohibit the transfer of unsanctioned information defined in AC-4 (15), CCI 2203 in accordance with the security policy defined in AC-4 (15), CCI 2204. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1374. The organization being inspected/assessed configures the information system to prohibit the transfer of unsanctioned information defined in AC-4 (15), CCI 2203 in accordance with the security policy defined in AC-4 (15), CCI 2204. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1374. Information Flow Enforcement | Detection Of Unsanctioned Information AC-4 (15) AC-4(15).2 Detection of unsanctioned information includes, for example, checking all information to be transferred for malicious code and dirty words. Related control: SI-3. The information system, when transferring information between different security domains, examines the information for the presence of [Assignment: organization-defined unsanctioned information] and prohibits the transfer of such information in accordance with the [Assignment: organization-defined security policy].
CCI-001376 The information system uniquely identifies source domains for information transfer.
CCI-001377 The information system uniquely authenticates source domains for information transfer.
CCI-001558 The organization defines the security functions (deployed in hardware, software, and firmware) for which access must be explicitly authorized. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the security functions as all functions not publicly accessible. DoD has defined the security functions as all functions not publicly accessible. Least Privilege | Authorize Access To Security Functions AC-6 (1) AC-6(1).1 Security functions include, for example, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Security-relevant information includes, for example, filtering rules for routers/firewalls, cryptographic key management information, configuration parameters for security services, and access control lists. Explicitly authorized personnel include, for example, security administrators, system and network administrators, system security officers, system maintenance personnel, system programmers, and other privileged users. Related controls: AC-17, AC-18, AC-19. The organization explicitly authorizes access to [Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information].
CCI-000038 The organization explicitly authorizes access to organization-defined security functions and security-relevant information.
CCI-000039 The organization requires that users of information system accounts or roles, with access to organization-defined security functions or security-relevant information, use non-privileged accounts, or roles, when accessing nonsecurity functions. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed requires that users of information system accounts or roles, with access to any privileged security functions or security-relevant information, use non-privileged accounts, or roles, when accessing nonsecurity functions. DoD has defined the security functions and security-relevant information as any privileged security functions or security-relevant information. The organization being inspected/assessed documents and implements a process to require that users of information system accounts or roles, with access to any privileged security functions or security-relevant information, use non-privileged accounts, or roles, when accessing nonsecurity functions. DoD has defined the security functions and security-relevant information as any privileged security functions or security-relevant information. Least Privilege | Non-Privileged Access For Nonsecurity Functions AC-6 (2) AC-6(2).1 This control enhancement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. Related control: PL-4. The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined security functions or security-relevant information], use non-privileged accounts or roles, when accessing nonsecurity functions.
CCI-000040 The organization audits any use of privileged accounts, or roles, with access to organization-defined security functions or security-relevant information, when accessing other system functions.
CCI-000041 The organization authorizes network access to organization-defined privileged commands only for organization-defined compelling operational needs. The organization conducting the inspection/assessment obtains and examines a sampling of network access authorizations to ensure the organization being inspected/assessed authorizes network access to privileged commands defined in AC-6 (3), CCI 1420 only for compelling operational needs defined in AC-6 (3), CCI 2224. The organization being inspected/assessed authorizes network access to privileged commands defined in AC-6 (3), CCI 1420 only for compelling operational needs defined in AC-6 (3), CCI 2224. Least Privilege | Network Access To Privileged Commands AC-6 (3) AC-6(3).1 Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device). Related control: AC-17. The organization authorizes network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and documents the rationale for such access in the security plan for the information system.
CCI-000042 The organization documents the rationale for authorized network access to organization-defined privileged commands in the security plan for the information system. The organization conducting the inspection/assessment obtains and examines the documented rationale to ensure the organization being inspected/assessed documents the rationale for authorized network access to privileged commands defined in AC-6 (3), CCI 1420 in the security plan for the information system. The organization being inspected/assessed documents the rationale for authorized network access to privileged commands defined in AC-6 (3), CCI 1420 in the security plan for the information system. Least Privilege | Network Access To Privileged Commands AC-6 (3) AC-6(3).2 Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device). Related control: AC-17. The organization authorizes network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and documents the rationale for such access in the security plan for the information system.
CCI-000225 The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. The organization conducting the inspection/assessment obtains and examines the documented processes to ensure that the organization being inspected/assessed implements the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. The organization being inspected/assessed documents and implements the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. Least Privilege AC-6 AC-6.1 Organizations employ least privilege for specific duties and information systems. The principle of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions/business functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational information systems. Related controls: AC-2, AC-3, AC-5, CM-6, CM-7, PL-2. The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
CCI-000226 The information system provides the capability for a privileged administrator to configure organization-defined security policy filters to support different security policies.
CCI-001419 The organization defines the security functions or security-relevant information to which users of information system accounts, or roles, have access. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the security functions and security-relevant information as any privileged security functions or security-relevant information. DoD has defined the security functions and security-relevant information as any privileged security functions or security-relevant information. Least Privilege | Non-Privileged Access For Nonsecurity Functions AC-6 (2) AC-6(2).2 This control enhancement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. Related control: PL-4. The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined security functions or security-relevant information], use non-privileged accounts or roles, when accessing nonsecurity functions.
CCI-001420 The organization defines the privileged commands to which network access is to be authorized only for organization-defined compelling operational needs. The organization conducting the inspection/assessment obtains and examines the documented privileged commands to ensure the organization being inspected/assessed defines the privileged commands to which network access is to be authorized only for organization-defined compelling operational needs. DoD has determined the privileged commands are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the privileged commands to which network access is to be authorized only for organization-defined compelling operational needs. DoD has determined the privileged commands are not appropriate to define at the Enterprise level. Least Privilege | Network Access To Privileged Commands AC-6 (3) AC-6(3).3 Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device). Related control: AC-17. The organization authorizes network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and documents the rationale for such access in the security plan for the information system.
CCI-001421 The organization limits authorization to super user accounts on the information system to designated system administration personnel.
CCI-001422 The organization prohibits privileged access to the information system by non-organizational users. The organization conducting the inspection/assessment obtains and examines the access authorization process as well as a sampling of information system access agreements to ensure that the organization being inspected/assessed prohibits privileged access to the information system by non-organizational users. The organization being inspected/assessed implements as a step in the access authorization process, a check to prohibit privileged access to the information system by non-organizational users. Least Privilege | Privileged Access By Non-Organizational Users AC-6 (6) AC-6(6).1 Related control: IA-8. The organization prohibits privileged access to the information system by non-organizational users.
CCI-001559 The organization identifies the individuals authorized to change the value of associated security attributes. The organization conducting the inspection/assessment obtains and examines the documented individuals to ensure the organization being inspected/assessed identifies the individuals authorized to change the value of associated security attributes. The organization being inspected/assessed identifies and documents the individuals authorized to change the value of associated security attributes. Security Attributes | Attribute Value Changes By Authorized Individuals AC-16 (2) AC-16(2).2 The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for information systems to be able to limit the ability to create or modify security attributes to authorized individuals. Related controls: AC-6, AU-2. The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security attributes.
CCI-001560 The organization identifies individuals (or processes acting on behalf of individuals) authorized to associate organization-defined security attributes with organization-defined objects. The organization conducting the inspection/assessment obtains and examines the documented individuals to ensure the organization being inspected/assessed identifies individuals (or processes acting on behalf of individuals) authorized to associate security attributes defined in AC-16 (4), CCI 2288 with objects defined in AC-16 (4), CCI 2287. The organization being inspected/assessed identifies and documents individuals (or processes acting on behalf of individuals) authorized to associate security attributes defined in AC-16 (4), CCI 2288 with objects defined in AC-16 (4), CCI 2287. Security Attributes | Association Of Attributes By Authorized Individuals AC-16 (4) AC-16(4).1 The support provided by information systems can vary to include: (i) prompting users to select specific security attributes to be associated with specific information objects; (ii) employing automated mechanisms for categorizing information with appropriate attributes based on defined policies; or (iii) ensuring that the combination of selected security attributes is valid. Organizations consider the creation, deletion, or modification of security attributes when defining auditable events. The information system supports the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals).
CCI-001424 The information system dynamically associates security attributes with organization-defined subjects in accordance with organization-defined security policies as information is created and combined. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to dynamically associate security attributes with the subjects defined in AC-16 (1), CCI 2274 in accordance with the security policies defined in AC-16 (1), CCI 2273 as information is created and combined. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1424. The organization being inspected/assessed configures the information system to dynamically associate security attributes with the subjects defined in AC-16 (1), CCI 2274 in accordance with the security policies defined in AC-16 (1), CCI 2273 as information is created and combined. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1424. Security Attributes | Dynamic Attribute Association AC-16 (1) AC-16(1).1 Dynamic association of security attributes is appropriate whenever the security characteristics of information changes over time. Security attributes may change, for example, due to information aggregation issues (i.e., the security characteristics of individual information elements are different from the combined elements), changes in individual access authorizations (i.e., privileges), and changes in the security category of information. Related control: AC-4. The information system dynamically associates security attributes with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies] as information is created and combined.
CCI-001425 The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to change the value of associated security attributes. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide authorized individuals (or processes acting on behalf of individuals) the capability to change the value of associated security attributes. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1425. The organization being inspected/assessed configures the information system to provide authorized individuals (or processes acting on behalf of individuals) the capability to change the value of associated security attributes. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1425. Security Attributes | Attribute Value Changes By Authorized Individuals AC-16 (2) AC-16(2).1 The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for information systems to be able to limit the ability to create or modify security attributes to authorized individuals. Related controls: AC-6, AU-2. The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security attributes.
CCI-001426 The information system maintains the binding of security attributes to information with sufficient assurance that the information--attribute association can be used as the basis for automated policy actions.
CCI-001427 The information system allows authorized users to associate security attributes with information.
CCI-001428 The information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify organization-identified special dissemination, handling, or distribution instructions using organization-identified human-readable, standard naming conventions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to display security attributes in human readable form on each object that the system transmits to output devices to identify special dissemination, handling, or distribution instructions defined in AC-16 (5), CCI 1429 using human readable, standard naming conventions defined in AC-16 (5), CCI 1430. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1428. The organization being inspected/assessed configures the information system to display security attributes in human readable form on each object that the system transmits to output devices to identify special dissemination, handling, or distribution instructions defined in AC-16 (5), CCI 1429 using human readable, standard naming conventions defined in AC-16 (5), CCI 1430. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1428. Security Attributes | Attribute Displays For Output Devices AC-16 (5) AC-16(5).1 Information system outputs include, for example, pages, screens, or equivalent. Information system output devices include, for example, printers and video displays on computer workstations, notebook computers, and personal digital assistants. The information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify [Assignment: organization-identified special dissemination, handling, or distribution instructions] using [Assignment: organization-identified human-readable, standard naming conventions].
CCI-001429 The organization identifies special dissemination, handling, or distribution instructions for identifying security attributes on output. DoD has defined the instructions as for instructions relating to classification, special dissemination, handling, or distribution instructions IAW DODI 5200.1R; for SCI and SAP, IAW Controlled Access Program Coordination Office (CAPCO) register. For all other instructions, not appropriate to define at the Enterprise level. The organization conducting the inspection/assessment obtains and examines the documented instructions not relating to classification to ensure the organization being inspected/assessed identifies special dissemination, handling, or distribution instructions for identifying security attributes on output. DoD has defined the instructions as for instructions relating to classification, special dissemination, handling, or distribution instructions IAW DODI 5200.1R; for SCI and SAP, IAW Controlled Access Program Coordination Office (CAPCO) register. For all other instructions, not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents special dissemination, handling, or distribution instructions not relating to classification, for identifying security attributes on output. Security Attributes | Attribute Displays For Output Devices AC-16 (5) AC-16(5).2 Information system outputs include, for example, pages, screens, or equivalent. Information system output devices include, for example, printers and video displays on computer workstations, notebook computers, and personal digital assistants. The information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify [Assignment: organization-identified special dissemination, handling, or distribution instructions] using [Assignment: organization-identified human-readable, standard naming conventions].
CCI-001430 The organization identifies human-readable, standard naming conventions for identifying security attributes on output. DoD has defined the human readable, standard naming conventions for security attributes relating to classification as human readable, standard naming conventions IAW DODI 5200.1R; for TS SCI, IAW Controlled Access Program Coordination Office (CAPCO) register. For all other security attributes, not appropriate to define at the Enterprise level. The organization conducting the inspection/assessment obtains and examines the documented security attributes not relating to classification to ensure the organization being inspected/assessed identifies human readable, standard naming conventions for identifying security attributes on output. DoD has defined the human readable, standard naming conventions for security attributes relating to classification as human readable, standard naming conventions IAW DODI 5200.1R; for TS SCI, IAW Controlled Access Program Coordination Office (CAPCO) register. For all other security attributes, not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents all other security attributes not relating to classification. Security Attributes | Attribute Displays For Output Devices AC-16 (5) AC-16(5).3 Information system outputs include, for example, pages, screens, or equivalent. Information system output devices include, for example, printers and video displays on computer workstations, notebook computers, and personal digital assistants. The information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify [Assignment: organization-identified special dissemination, handling, or distribution instructions] using [Assignment: organization-identified human-readable, standard naming conventions].
CCI-001396 The organization defines security attributes for which the information system supports and maintains the bindings for information in storage.
CCI-001397 The organization defines security attributes for which the information system supports and maintains the bindings for information in process.
CCI-001398 The organization defines security attributes for which the information system supports and maintains the bindings for information in transmission.
CCI-001399 The information system supports and maintains the binding of organization-defined security attributes to information in storage.
CCI-001400 The information system supports and maintains the binding of organization-defined security attributes to information in process.
CCI-001401 The information system supports and maintains the binding of organization-defined security attributes to information in transmission.
CCI-001561 The organization defines managed access control points for remote access to the information system. The organization conducting the inspection/assessment obtains and examines the documented managed access points to ensure the organization being inspected/assessed defines managed access control points for remote access to the information system. The organization being inspected/assessed defines and documents managed access control points for remote access to the information system. Remote Access | Managed Access Control Points AC-17 (3) AC-17(3).2 Limiting the number of access control points for remote accesses reduces the attack surface for organizations. Organizations consider the Trusted Internet Connections (TIC) initiative requirements for external network connections. Related control: SC-7. The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points.
CCI-001562 The organization defines the appropriate action(s) to be taken if an unauthorized remote connection is discovered.
CCI-000063 The organization defines allowed methods of remote access to the information system. The organization conducting the inspection/assessment obtains and examines the documented methods to ensure the organization being inspected/assessed defines allowed methods of remote access to the information system. DoD has determined the allowed methods of remote access are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the allowed methods of remote access to the information system. The methods should be defined IAW ports, protocols, and service requirements, as well as access control requirements for any STIGs applicable to the technology in use. DoD has determined the allowed methods of remote access are not appropriate to define at the Enterprise level. Remote Access AC-17 AC-17.1 Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4. The organization: a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorizes remote access to the information system prior to allowing such connections.
CCI-000064 The organization establishes usage restrictions and implementation guidance for each allowed remote access method.
CCI-000065 The organization authorizes remote access to the information system prior to allowing such connections. The organization conducting the inspection/assessment obtains and examines the audit trail of authorizations to ensure the organization being inspected/assessed authorizes remote access to the information system prior to allowing such connections. The organization being inspected/assessed authorizes remote access to the information system prior to allowing such connections. The organization must maintain an audit trail of authorizations. Remote Access AC-17 AC-17.5 Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4. The organization: a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorizes remote access to the information system prior to allowing such connections.
CCI-000066 The organization enforces requirements for remote connections to the information system.
CCI-000067 The information system monitors remote access methods. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to monitor remote access methods. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 67. The organization being inspected/assessed configures the information system to monitor remote access methods. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 67. Remote Access | Automated Monitoring / Control AC-17 (1) AC-17(1).1 Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). Related controls: AU-2, AU-12. The information system monitors and controls remote access methods.
CCI-000068 The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement cryptographic mechanisms to protect the confidentiality of remote access sessions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 68. The organization being inspected/assessed configures the information system to implement cryptographic mechanisms to protect the confidentiality of remote access sessions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 68. Remote Access | Protection Of Confidentiality / Integrity Using Encryption AC-17 (2) AC-17(2).1 The encryption strength of mechanism is selected based on the security categorization of the information. Related controls: SC-8, SC-12, SC-13. The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
CCI-000069 The information system routes all remote accesses through an organization-defined number of managed network access control points. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to route all remote accesses through the number of managed network access control points defined in AC-17 (3), CCI 2315. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 69. The organization being inspected/assessed configures the information system to route all remote accesses through the number of managed network access control points defined in AC-17 (3), CCI 2315. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 69. Remote Access | Managed Access Control Points AC-17 (3) AC-17(3).1 Limiting the number of access control points for remote accesses reduces the attack surface for organizations. Organizations consider the Trusted Internet Connections (TIC) initiative requirements for external network connections. Related control: SC-7. The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points.
CCI-000070 The organization authorizes the execution of privileged commands via remote access only for organization-defined needs. The organization conducting the inspection/assessment obtains and examines the audit trail of authorizations to ensure the organization being inspected/assessed authorizes the execution of privileged commands via remote access only for needs defined in AC-17 (4), CCI 2317. The organization being inspected/assessed authorizes the execution of privileged commands via remote access only for needs defined in AC-17 (4), CCI 2317. The organization being inspected/assessed maintains an audit trail of authorizations. Remote Access | Privileged Commands/ Access AC-17 (4) AC-17(4).1 Related control: AC-6. The organization: (a) Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and (b) Documents the rationale for such access in the security plan for the information system.
CCI-000071 The organization monitors for unauthorized remote connections to the information system on an organization-defined frequency.
CCI-000072 The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure. The organization conducting the inspection/assessment obtains and examines the documented process to ensure that the organization being inspected/assessed ensures that users protect information about remote access mechanisms from unauthorized use and disclosure. The organization being inspected/assessed implements and documents a process to ensure that users protect information about remote access mechanisms from unauthorized use and disclosure. Remote Access | Protection Of Information AC-17 (6) AC-17(6).1 Related controls: AT-2, AT-3, PS-6. The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure.
CCI-000079 The organization ensures that remote sessions for accessing an organization-defined list of security functions and security-relevant information employ organization-defined additional security measures.
CCI-001431 The organization defines a frequency for monitoring for unauthorized remote connections to the information system.
CCI-001432 The organization takes appropriate action if an unauthorized remote connection to the information system is discovered.
CCI-001433 The organization defines a list of security functions and security-relevant information that for remote access sessions have organization-defined security measures employed and are audited.
CCI-001434 The organization defines additional security measures to be employed when an organization-defined list of security functions and security-relevant information is accessed remotely.
CCI-001435 The organization defines networking protocols within the information system deemed to be nonsecure.
CCI-001436 The organization disables organization-defined networking protocols within the information system deemed to be nonsecure except for explicitly identified components in support of specific operational requirements.
CCI-001437 The organization documents the rationale for the execution of privileged commands and access to security-relevant information in the security plan for the information system.
CCI-001453 The information system implements cryptographic mechanisms to protect the integrity of remote access sessions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement cryptographic mechanisms to protect the integrity of remote access sessions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1453. The organization being inspected/assessed configures the information system to implement cryptographic mechanisms to protect the integrity of remote access sessions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1453. Remote Access | Protection Of Confidentiality / Integrity Using Encryption AC-17 (2) AC-17(2).2 The encryption strength of mechanism is selected based on the security categorization of the information. Related controls: SC-8, SC-12, SC-13. The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
CCI-001454 The organization ensures that remote sessions for accessing an organization-defined list of security functions and security-relevant information are audited.
CCI-001455 The organization explicitly identifies components needed in support of specific operational requirements.
CCI-001402 The organization monitors for unauthorized remote access to the information system.
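Added example, not part of the CCI list or of any DISA/DoD artifact: a small Python screen that applies the monitoring intent of CCI-000067 and CCI-001402 to remote login records, checks each session against the managed network access control points of CCI-000069 (AC-17 (3)), and separates out privileged-account sessions so they can be matched against the AC-17 (4) authorization record of CCI-000070. The sshd log lines, the two VPN gateway address ranges, the host and user names, and the set of privileged users are all constructed assumptions for the example.

```python
"""Screen remote-access sessions against organization-defined managed
access control points (AC-17 (3)) and flag sessions that bypass them
(AC-17 (1) monitoring; CCI-000067, CCI-001402, CCI-001432).

Everything below (addresses, hosts, users, log lines) is constructed
for illustration and is not taken from any real system."""

import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: the organization has defined two managed network access
# control points (VPN concentrators).  Every remote session must arrive
# from one of these ranges.  Constructed values.
MANAGED_ACCESS_POINTS: Dict[str, ipaddress.IPv4Network] = {
    "vpn-gw-1": ipaddress.ip_network("10.200.1.0/24"),
    "vpn-gw-2": ipaddress.ip_network("10.200.2.0/24"),
}

# Accounts whose remote sessions require explicit authorization under
# AC-17 (4); constructed assumption.
PRIVILEGED_USERS = frozenset({"root"})

# Constructed sshd log lines in the usual syslog "Accepted ..." shape.
SAMPLE_LOG = """\
Mar  3 08:12:01 host1 sshd[2201]: Accepted publickey for alice from 10.200.1.17 port 51122 ssh2: ED25519 SHA256:abc
Mar  3 08:14:55 host1 sshd[2210]: Accepted password for bob from 203.0.113.45 port 40022 ssh2
Mar  3 08:20:03 host1 sshd[2222]: Accepted publickey for carol from 10.200.2.9 port 50201 ssh2: RSA SHA256:def
Mar  3 08:21:10 host1 sshd[2230]: Failed password for invalid user admin from 198.51.100.7 port 3322 ssh2
Mar  3 09:02:44 host1 sshd[2301]: Accepted publickey for root from 192.168.5.5 port 60012 ssh2: ED25519 SHA256:ghi
"""

# Only successful logins are sessions; failed attempts are excluded here.
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)


@dataclass(frozen=True)
class RemoteSession:
    user: str
    method: str
    src: str
    via: Optional[str]  # name of the managed access point, or None


def classify_source(src: str) -> Optional[str]:
    """Return the managed access point whose range contains src, else None."""
    addr = ipaddress.ip_address(src)
    for name, net in MANAGED_ACCESS_POINTS.items():
        if addr in net:
            return name
    return None


def parse_sessions(log_text: str) -> List[RemoteSession]:
    """Extract successful remote logins from syslog-style sshd lines."""
    sessions = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            sessions.append(RemoteSession(
                user=m["user"], method=m["method"], src=m["src"],
                via=classify_source(m["src"])))
    return sessions


def unauthorized_sessions(sessions: List[RemoteSession]) -> List[RemoteSession]:
    """Sessions that did not arrive through a managed access control point."""
    return [s for s in sessions if s.via is None]


def privileged_remote_sessions(sessions: List[RemoteSession]) -> List[RemoteSession]:
    """Remote sessions by privileged accounts, to be matched against the
    AC-17 (4) authorization record rather than accepted on sight."""
    return [s for s in sessions if s.user in PRIVILEGED_USERS]


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_LOG)
    for s in unauthorized_sessions(found):
        print(f"BYPASSED ACCESS CONTROL POINT: {s.user} ({s.method}) from {s.src}")
    for s in privileged_remote_sessions(found):
        print(f"PRIVILEGED REMOTE SESSION: {s.user} from {s.src} via {s.via}")
```

On a real system the input would be the connection audit records the components already produce (the AU-2 and AU-12 controls the AC-17 (1) guidance points to), and a session outside the managed ranges is the event that triggers the "appropriate action" of CCI-001432; the screen deliberately reports privileged sessions even when they arrive through a managed point, because AC-17 (4) ties those to a documented need rather than to the network path.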
CCI-001563 The organization defines the appropriate action(s) to be taken if an unauthorized wireless connection is discovered.
CCI-001438 The organization establishes usage restrictions for wireless access. The organization conducting the inspection/assessment obtains and examines documented usage restrictions to ensure the organization being inspected/assessed establishes usage restrictions for wireless access. The organization being inspected/assessed establishes and documents usage restrictions for wireless access. Wireless Access AC-18 AC-18.1 Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication. Related controls: AC-2, AC-3, AC-17, AC-19, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, PL-4, SI-4. The organization: a. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and b. Authorizes wireless access to the information system prior to allowing such connections.
CCI-001439 The organization establishes implementation guidance for wireless access. The organization conducting the inspection/assessment obtains and examines the documented implementation guidance to ensure the organization being inspected/assessed establishes implementation guidance for wireless access. The organization being inspected/assessed establishes and documents implementation guidance for wireless access. Wireless Access AC-18 AC-18.2 Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication. Related controls: AC-2, AC-3, AC-17, AC-19, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, PL-4, SI-4. The organization: a. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and b. Authorizes wireless access to the information system prior to allowing such connections.
CCI-001440 The organization monitors for unauthorized wireless access to the information system.
CCI-001441 The organization authorizes wireless access to the information system prior to allowing such connections. The organization conducting the inspection/assessment obtains and examines the audit trail of authorizations to ensure the organization being inspected/assessed authorizes wireless access to the information system prior to allowing such connections. The organization being inspected/assessed authorizes wireless access to the information system prior to allowing such connections. The organization must maintain an audit trail of authorizations. Wireless Access AC-18 AC-18.4 Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication. Related controls: AC-2, AC-3, AC-17, AC-19, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, PL-4, SI-4. The organization: a. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and b. Authorizes wireless access to the information system prior to allowing such connections.
CCI-001442 The organization enforces requirements for wireless connections to the information system.
CCI-001443 The information system protects wireless access to the system using authentication of users and/or devices. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to protect wireless access to the system using authentication of users and/or devices. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1443. The organization being inspected/assessed configures the information system to protect wireless access to the system using authentication of users and/or devices. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1443. Wireless Access | Authentication And Encryption AC-18 (1) AC-18(1).1 Related controls: SC-8, SC-13. The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption.
CCI-001444 The information system protects wireless access to the system using encryption. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to protect wireless access to the system using encryption. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1444. The organization being inspected/assessed configures the information system to protect wireless access to the system using encryption. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1444. Wireless Access | Authentication And Encryption AC-18 (1) AC-18(1).2 Related controls: SC-8, SC-13. The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption.
CCI-001445 The organization monitors for unauthorized wireless connections to the information system on an organization-defined frequency.
CCI-001446 The organization scans for unauthorized wireless access points on an organization-defined frequency.
CCI-001447 The organization defines a frequency of monitoring for unauthorized wireless connections to information system, including scans for unauthorized wireless access points.
CCI-001448 The organization takes appropriate action if an unauthorized wireless connection is discovered.
CCI-001449 The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment. The organization conducting the inspection/assessment obtains and examines a sampling of information systems to ensure that any internally embedded wireless networking capabilities are disabled unless a documented need exists. The organization being inspected/assessed documents and implements a process to disable wireless networking capabilities internally embedded within information system components prior to issuance and deployment when not intended for use. Wireless Access | Disable Wireless Networking AC-18 (3) AC-18(3).1 Related control: AC-19. The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment.
CCI-001450 The organization does not allow users to independently configure wireless networking capabilities.
CCI-001451 The organization selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries. The organization conducting the inspection/assessment obtains and examines the documentation from radio antenna installation to ensure that the organization being inspected/assessed selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries. The organization being inspected/assessed documents and implements a process to select radio antennas and calibrate transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries. Wireless Access | Antennas / Transmission Power Levels AC-18 (5) AC-18(5).1 Actions that may be taken by organizations to limit unauthorized use of wireless communications outside of organization-controlled boundaries include, for example: (i) reducing the power of wireless transmissions so that the transmissions are less likely to emit a signal that can be used by adversaries outside of the physical perimeters of organizations; (ii) employing measures such as TEMPEST to control wireless emanations; and (iii) using directional/beam forming antennas that reduce the likelihood that unintended receivers will be able to intercept signals. Prior to taking such actions, organizations can conduct periodic wireless surveys to understand the radio frequency profile of organizational information systems as well as other systems that may be operating in the area. Related control: PE-19. The organization selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries.
CCI-001564 The organization defines the frequency of security awareness and training policy reviews and updates. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. Security Awareness And Training Policy And Procedures AT-1 AT-1.5 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and b. Reviews and updates the current: 1. Security awareness and training policy [Assignment: organization-defined frequency]; and 2. Security awareness and training procedures [Assignment: organization-defined frequency].
CCI-001565 The organization defines the frequency of security awareness and training procedure reviews and updates. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as reviewed annually - updated as appropriate. DoD has defined the frequency as reviewed annually - updated as appropriate. Security Awareness And Training Policy And Procedures AT-1 AT-1.10 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and b. Reviews and updates the current: 1. Security awareness and training policy [Assignment: organization-defined frequency]; and 2. Security awareness and training procedures [Assignment: organization-defined frequency].
CCI-000100 The organization develops and documents a security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. Comment: The organization's use of their higher command policy/procedures meets this requirement if more stringent. DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. Comment: DoDD 8570.01 will be updated with DoDD 8140 once signed. The organization's use of their higher command policy/procedures meets this requirement if more stringent. Security Awareness And Training Policy And Procedures AT-1 AT-1.3 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and b. Reviews and updates the current: 1. Security awareness and training policy [Assignment: organization-defined frequency]; and 2. Security awareness and training procedures [Assignment: organization-defined frequency].
CCI-000101 The organization disseminates a security awareness and training policy to organization-defined personnel or roles. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. DoD disseminates DoDD 8570.01 organization-wide via the DoD Issuances website. http://www.dtic.mil/whs/directives/corres/dir.html Security Awareness And Training Policy And Procedures AT-1 AT-1.4 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and b. Reviews and updates the current: 1. Security awareness and training policy [Assignment: organization-defined frequency]; and 2. Security awareness and training procedures [Assignment: organization-defined frequency].
CCI-000102 The organization reviews and updates the current security awareness and training policy in accordance with organization-defined frequency. DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. Security Awareness And Training Policy And Procedures AT-1 AT-1.8 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and b. Reviews and updates the current: 1. Security awareness and training policy [Assignment: organization-defined frequency]; and 2. Security awareness and training procedures [Assignment: organization-defined frequency].
CCI-000103 The organization develops and documents procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. DoD develops and documents procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls within DoDD 8570.01. DISA's DoD IA awareness CBT is the DoD baseline standard. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. Security Awareness And Training Policy And Procedures AT-1 AT-1.6 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and b. Reviews and updates the current: 1. Security awareness and training policy [Assignment: organization-defined frequency]; and 2. Security awareness and training procedures [Assignment: organization-defined frequency].
CCI-000104 The organization disseminates security awareness and training procedures to organization-defined personnel or roles. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. DoD has defined the roles as organizational personnel with security awareness and training responsibilities. DoD disseminates DoDD 8570.01 organization-wide via the DoD Issuances website. http://www.dtic.mil/whs/directives/corres/dir.html DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. DoD has defined the roles as organizational personnel with security awareness and training responsibilities. Security Awareness And Training Policy And Procedures AT-1 AT-1.7 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and b. Reviews and updates the current: 1. Security awareness and training policy [Assignment: organization-defined frequency]; and 2. Security awareness and training procedures [Assignment: organization-defined frequency].
CCI-000105 The organization reviews and updates the current security awareness and training procedures in accordance with an organization-defined frequency. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. DoD has defined the frequency as annually. DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. DoD has defined the frequency as annually. Security Awareness And Training Policy And Procedures AT-1 AT-1.9 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and b. Reviews and updates the current: 1. Security awareness and training policy [Assignment: organization-defined frequency]; and 2. Security awareness and training procedures [Assignment: organization-defined frequency].
CCI-001566 The organization provides organization-defined personnel or roles with initial training in the employment and operation of physical security controls. The organization conducting the inspection/assessment obtains and examines: 1. Documentation of physical security controls that require training. 2. Documented list of personnel defined in AT-3 (2), CCI 2051. 3. Ensures identified personnel have received the initial training. The organization being inspected/assessed: 1. Identifies and documents physical security controls that require training. 2. Identifies the personnel defined in AT-3 (2), CCI 2051. 3. Ensures designated personnel receive this training. 4. Maintains and monitors records of personnel who have received this training. Security Training | Physical Security Controls AT-3 (2) AT-3(2).1 Physical security controls include, for example, physical access control devices, physical intrusion alarms, monitoring/surveillance equipment, and security guards (deployment and operating procedures). Organizations identify personnel with specific roles and responsibilities associated with physical security controls requiring specialized training. Related controls: PE-2, PE-3, PE-4, PE-5. The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls.
CCI-001567 The organization provides organization-defined personnel or roles with refresher training in the employment and operation of physical security controls in accordance with the organization-defined frequency. The organization conducting the inspection/assessment obtains and examines: 1. Documentation of physical security controls that require training. 2. Documented list of personnel defined in AT-3 (2), CCI 2051. 3. Ensures identified personnel have received training annually. DoD has defined the frequency as annual. The organization being inspected/assessed: 1. Identifies and documents physical security controls that require training. 2. Identifies personnel defined in AT-3 (2), CCI 2051. 3. Ensures designated personnel receive this training annually. 4. Maintains and monitors records of personnel who have received this training. DoD has defined the frequency as annual. Security Training | Physical Security Controls AT-3 (2) AT-3(2).2 Physical security controls include, for example, physical access control devices, physical intrusion alarms, monitoring/surveillance equipment, and security guards (deployment and operating procedures). Organizations identify personnel with specific roles and responsibilities associated with physical security controls requiring specialized training. Related controls: PE-2, PE-3, PE-4, PE-5. The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls.
CCI-001568 The organization defines a frequency for providing employees with refresher training in the employment and operation of physical security controls. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annual. DoD has defined the frequency as annual. Security Training | Physical Security Controls AT-3 (2) AT-3(2).3 Physical security controls include, for example, physical access control devices, physical intrusion alarms, monitoring/surveillance equipment, and security guards (deployment and operating procedures). Organizations identify personnel with specific roles and responsibilities associated with physical security controls requiring specialized training. Related controls: PE-2, PE-3, PE-4, PE-5. The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls.
CCI-000108 The organization provides role-based security training to personnel with assigned security roles and responsibilities before authorizing access to the information system or performing assigned duties. DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DISA's DoD IA awareness CBT for privileged users is the DoD baseline standard. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DISA's DoD IA awareness CBT for privileged users is the DoD baseline standard. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. Role-Based Security Training AT-3 AT-3.1 Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition/procurement officials, information system managers, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies. Related controls: AT-2, AT-4, PL-4, PS-7, SA-3, SA-12, SA-16. The organization provides role-based security training to personnel with assigned security roles and responsibilities: a. Before authorizing access to the information system or performing assigned duties; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter.
CCI-000109 The organization provides role-based security training to personnel with assigned security roles and responsibilities when required by information system changes. The organization conducting the inspection/assessment obtains and examines documented records (IAW AT-4) of their privileged users training. Privileged user type Security-related education/training available through DISA IASE (e.g. VTE, Skill Soft, other professional sources) meets the provision of this control. The organization being inspected/assessed may define specific requirements within the above listed sources for their personnel. Role-Based Security Training AT-3 AT-3.2 Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition/procurement officials, information system managers, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies. Related controls: AT-2, AT-4, PL-4, PS-7, SA-3, SA-12, SA-16. The organization provides role-based security training to personnel with assigned security roles and responsibilities: a. Before authorizing access to the information system or performing assigned duties; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter.
CCI-000110 The organization provides refresher role-based security training to personnel with assigned security roles and responsibilities in accordance with organization-defined frequency. The organization conducting the inspection/assessment obtains and examines documented records (IAW AT-4) of their privileged users training. Privileged user type Security-related education/training available through DISA IASE (e.g. VTE, Skill Soft, other professional sources) meets the provision of this control. The organization being inspected/assessed may define specific requirements within the above listed sources for their personnel. Role-Based Security Training AT-3 AT-3.3 Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition/procurement officials, information system managers, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies. Related controls: AT-2, AT-4, PL-4, PS-7, SA-3, SA-12, SA-16. The organization provides role-based security training to personnel with assigned security roles and responsibilities: a. Before authorizing access to the information system or performing assigned duties; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter.
CCI-000111 The organization defines a frequency for providing refresher role-based security training. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually. DoD has defined the frequency as annually. Role-Based Security Training AT-3 AT-3.4 Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition/procurement officials, information system managers, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies. Related controls: AT-2, AT-4, PL-4, PS-7, SA-3, SA-12, SA-16. The organization provides role-based security training to personnel with assigned security roles and responsibilities: a. Before authorizing access to the information system or performing assigned duties; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter.
CCI-001481 The organization provides organization-defined personnel or roles with initial training in the employment and operation of environmental controls. The organization conducting the inspection/assessment obtains and examines: 1. Documentation of environmental controls that require training. 2. Documented list of personnel defined in AT-3 (1), CCI 2050. 3. Ensures identified personnel have received the initial training. The organization being inspected/assessed: 1. Identifies and documents environmental controls that require training. 2. Identifies the personnel defined in AT-3 (1), CCI 2050. 3. Ensures designated personnel receive this training. 4. Maintains and monitors records of personnel who have received this training. Security Training | Environmental Controls AT-3 (1) AT-3(1).1 Environmental controls include, for example, fire suppression and detection devices/systems, sprinkler systems, handheld fire extinguishers, fixed fire hoses, smoke detectors, temperature/humidity, HVAC, and power within the facility. Organizations identify personnel with specific roles and responsibilities associated with environmental controls requiring specialized training. Related controls: PE-1, PE-13, PE-14, PE-15. The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls.
CCI-001482 The organization provides organization-defined personnel or roles with refresher training in the employment and operation of environmental controls in accordance with the organization-defined frequency. The organization conducting the inspection/assessment obtains and examines: 1. Documentation of environmental controls that require training. 2. Documented list of personnel defined in AT-3 (1), CCI 2050. 3. Ensures identified personnel have received training annually. DoD has defined the frequency as annually. The organization being inspected/assessed: 1. Identifies and documents environmental controls that require training. 2. Identifies the personnel defined in AT-3 (1), CCI 2050. 3. Ensures designated personnel receive this training annually. 4. Maintains and monitors records of personnel who have received this training. DoD has defined the frequency as annually. Security Training | Environmental Controls AT-3 (1) AT-3(1).2 Environmental controls include, for example, fire suppression and detection devices/systems, sprinkler systems, handheld fire extinguishers, fixed fire hoses, smoke detectors, temperature/humidity, HVAC, and power within the facility. Organizations identify personnel with specific roles and responsibilities associated with environmental controls requiring specialized training. Related controls: PE-1, PE-13, PE-14, PE-15. The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls.
CCI-001483 The organization defines a frequency for providing employees with refresher training in the employment and operation of environmental controls. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annual. DoD has defined the frequency as annual. Security Training | Environmental Controls AT-3 (1) AT-3(1).3 Environmental controls include, for example, fire suppression and detection devices/systems, sprinkler systems, handheld fire extinguishers, fixed fire hoses, smoke detectors, temperature/humidity, HVAC, and power within the facility. Organizations identify personnel with specific roles and responsibilities associated with environmental controls requiring specialized training. Related controls: PE-1, PE-13, PE-14, PE-15. The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls.
CCI-001569 The organization defines the frequency on which it will review and update the audit and accountability policy. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually. DoD has defined the frequency as annually. Audit And Accountability Policy And Procedures AU-1 AU-1.8 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and b. Reviews and updates the current: 1. Audit and accountability policy [Assignment: organization-defined frequency]; and 2. Audit and accountability procedures [Assignment: organization-defined frequency].
CCI-001570 The organization defines the frequency on which it will review and update the audit and accountability procedures. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually. DoD has defined the frequency as annually. Audit And Accountability Policy And Procedures AU-1 AU-1.10 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and b. Reviews and updates the current: 1. Audit and accountability policy [Assignment: organization-defined frequency]; and 2. Audit and accountability procedures [Assignment: organization-defined frequency].
CCI-000117 The organization develops and documents an audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The organization conducting the inspection/assessment obtains and examines the audit and accountability policy to ensure that the audit and accountability policy addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The organization being inspected/assessed develops and documents an audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. Audit And Accountability Policy And Procedures AU-1 AU-1.3 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and b. Reviews and updates the current: 1. Audit and accountability policy [Assignment: organization-defined frequency]; and 2. Audit and accountability procedures [Assignment: organization-defined frequency].
CCI-000118 The organization disseminates a formal, documented, audit and accountability policy to elements within the organization having associated audit and accountability roles and responsibilities.
CCI-000119 The organization reviews and updates the audit and accountability policy on an organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the audit trail of reviews and updates to ensure the organization being inspected/assessed reviews and updates the audit and accountability policy annually. DoD has defined the frequency as annually. The organization being inspected/assessed reviews and updates the audit and accountability policy annually. The organization must maintain an audit trail of reviews and updates. Any changes or acceptance of the document without change must be captured in the audit trail. DoD has defined the frequency as annually. Audit And Accountability Policy And Procedures AU-1 AU-1.7 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and b. Reviews and updates the current: 1. Audit and accountability policy [Assignment: organization-defined frequency]; and 2. Audit and accountability procedures [Assignment: organization-defined frequency].
CCI-000120 The organization develops and documents procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls. The organization conducting the inspection/assessment obtains and examines the audit and accountability procedures to ensure that the procedures facilitate the implementation of the audit and accountability policy and associated audit and accountability controls. The organization being inspected/assessed develops and documents procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls. Audit And Accountability Policy And Procedures AU-1 AU-1.5 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and b. Reviews and updates the current: 1. Audit and accountability policy [Assignment: organization-defined frequency]; and 2. Audit and accountability procedures [Assignment: organization-defined frequency].
CCI-000121 The organization disseminates formal, documented, procedures to elements within the organization having associated audit and accountability roles and responsibilities.
CCI-000122 The organization reviews and updates the audit and accountability procedures on an organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the audit trail of reviews and updates to ensure the organization being inspected/assessed reviews and updates the audit and accountability procedures annually. DoD has defined the frequency as annually. The organization being inspected/assessed reviews and updates the audit and accountability procedures annually. The organization must maintain an audit trail of reviews and updates. Any changes or acceptance of the document without change must be captured in the audit trail. DoD has defined the frequency as annually. Audit And Accountability Policy And Procedures AU-1 AU-1.9 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and b. Reviews and updates the current: 1. Audit and accountability policy [Assignment: organization-defined frequency]; and 2. Audit and accountability procedures [Assignment: organization-defined frequency].
CCI-001571
CCI Definition: The organization defines the information system auditable events.
CCI Auditor: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the information system auditable events as:
- Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g. classification levels)
- Successful and unsuccessful logon attempts
- Privileged activities or other system level access
- Starting and ending time for user access to the system
- Concurrent logons from different workstations
- Successful and unsuccessful accesses to objects
- All program initiations
- All direct access to the information system
- All account creations, modifications, disabling, and terminations
- All kernel module load, unload, and restart
CCI Guidance: DoD has defined the information system auditable events as:
- Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g. classification levels)
- Successful and unsuccessful logon attempts
- Privileged activities or other system level access
- Starting and ending time for user access to the system
- Concurrent logons from different workstations
- Successful and unsuccessful accesses to objects
- All program initiations
- All direct access to the information system
- All account creations, modifications, disabling, and terminations
- All kernel module load, unload, and restart
Control Name: Audit Events
Control: AU-2
Assessment Procedure: AU-2.2
Control Guidance: An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures. Related controls: AC-6, AC-17, AU-3, AU-12, MA-4, MP-2, MP-4, SI-4.
Control Definition: The organization: a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events]; b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].

CCI-000123
CCI Definition: The organization determines the information system must be capable of auditing an organization-defined list of auditable events.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines the documentation of the auditable events to ensure the information system is capable of auditing:
- Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g. classification levels)
- Successful and unsuccessful logon attempts
- Privileged activities or other system level access
- Starting and ending time for user access to the system
- Concurrent logons from different workstations
- Successful and unsuccessful accesses to objects
- All program initiations
- All direct access to the information system
- All account creations, modifications, disabling, and terminations
- All kernel module load, unload, and restart
DoD has defined the information system auditable events as the events listed above.
CCI Guidance: The organization being inspected/assessed determines whether the information system is capable of auditing:
- Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g. classification levels)
- Successful and unsuccessful logon attempts
- Privileged activities or other system level access
- Starting and ending time for user access to the system
- Concurrent logons from different workstations
- Successful and unsuccessful accesses to objects
- All program initiations
- All direct access to the information system
- All account creations, modifications, disabling, and terminations
- All kernel module load, unload, and restart
The organization must document those auditable events that are not captured. DoD has defined the information system auditable events as the events listed above.
Control Name: Audit Events
Control: AU-2
Assessment Procedure: AU-2.1
Control Guidance: An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures. Related controls: AC-6, AC-17, AU-3, AU-12, MA-4, MP-2, MP-4, SI-4.
Control Definition: The organization: a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events]; b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].

CCI-000124
CCI Definition: The organization coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines the audit and accountability policy and procedures as well as artifacts of the coordination to determine if coordination is necessary and, if necessary, whether it has been performed.
CCI Guidance: The organization being inspected/assessed documents and implements, within the audit and accountability policy and procedures, a process to coordinate the additional auditable events. The objective is to enhance mutual support and to help guide the selection of auditable events. The organization must maintain artifacts of the coordination.
Control Name: Audit Events
Control: AU-2
Assessment Procedure: AU-2.3
Control Guidance: An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures. Related controls: AC-6, AC-17, AU-3, AU-12, MA-4, MP-2, MP-4, SI-4.
Control Definition: The organization: a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events]; b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].

CCI-000125
CCI Definition: The organization provides a rationale for why the list of auditable events is deemed to be adequate to support after-the-fact investigations of security incidents.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines the audit and accountability policy and procedures to ensure the organization being inspected/assessed has defined the auditable system events and the rationale for their selection, and that the organization has defined how the auditable events will support after-action investigations of security events.
CCI Guidance: The organization being inspected/assessed documents in the audit and accountability policy the list of auditable system events and provides a clearly stated rationale for the selection of each system event. The rationale will support any after-action investigations of security events.
Control Name: Audit Events
Control: AU-2
Assessment Procedure: AU-2.4
Control Guidance: An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures. Related controls: AC-6, AC-17, AU-3, AU-12, MA-4, MP-2, MP-4, SI-4.
Control Definition: The organization: a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events]; b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].

CCI-000126
CCI Definition: The organization determines that the organization-defined subset of the auditable events defined in AU-2 are to be audited within the information system.
CCI Auditor: The organization conducting the inspection/assessment reviews the documented audit process as well as audit logs to ensure that the organization being inspected/assessed audits all auditable events defined in AU-2 (a) per occurrence. DoD has defined the actions as all auditable events defined in AU-2 (a) per occurrence.
CCI Guidance: The organization conducting the inspection/assessment reviews the documented audit process as well as audit logs to ensure that the organization being inspected/assessed audits all auditable events defined in AU-2 (a) per occurrence. DoD has defined the actions as all auditable events defined in AU-2 (a) per occurrence.
Control Name: Audit Events
Control: AU-2
Assessment Procedure: AU-2.5
Control Guidance: An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures. Related controls: AC-6, AC-17, AU-3, AU-12, MA-4, MP-2, MP-4, SI-4.
Control Definition: The organization: a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events]; b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].

CCI-000127
CCI Definition: The organization reviews and updates the list of organization-defined audited events on an organization-defined frequency.
CCI Auditor: The organization conducting the inspection/assessment reviews the audit trail showing reviews and updates to the list of audited events to ensure that the list is reviewed and updated annually or more frequently upon changes to situational awareness of threats or vulnerabilities. DoD has defined the frequency as annually or more frequently upon changes to situational awareness of threats or vulnerabilities.
CCI Guidance: The organization being inspected/assessed will conduct reviews of the list of auditable events as defined in AU-2 (d), CCI 1485, annually or more frequently upon changes to situational awareness of threats or vulnerabilities. The organization will generate and maintain an audit trail to document the completion of the review and update actions. DoD has defined the frequency as annually or more frequently upon changes to situational awareness of threats or vulnerabilities.
Control Name: Audit Events | Reviews And Updates
Control: AU-2 (3)
Assessment Procedure: AU-2(3).1
Control Guidance: Over time, the events that organizations believe should be audited may change. Reviewing and updating the set of audited events periodically is necessary to ensure that the current set is still necessary and sufficient.
Control Definition: The organization reviews and updates the audited events [Assignment: organization-defined frequency].

CCI-000128
CCI Definition: The organization includes execution of privileged functions in the list of events to be audited by the information system.

CCI-000129
CCI Definition: The organization defines in the auditable events that the information system must be capable of auditing based on a risk assessment and mission/business needs.

CCI-001484
CCI Definition: The organization defines frequency of (or situation requiring) auditing for each identified event.
CCI Auditor: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as all auditable events defined in AU-2 (a) per occurrence.
CCI Guidance: DoD has defined the frequency as all auditable events defined in AU-2 (a) per occurrence.
Control Name: Audit Events
Control: AU-2
Assessment Procedure: AU-2.6
Control Guidance: An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures. Related controls: AC-6, AC-17, AU-3, AU-12, MA-4, MP-2, MP-4, SI-4.
Control Definition: The organization: a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events]; b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].

CCI-001485
CCI Definition: The organization defines the events which are to be audited on the information system on an organization-defined frequency of (or situation requiring) auditing for each identified event.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines the documented list of events which are to be audited on the information system to ensure those events have been defined. DoD has determined that the events are not appropriate to define at the Enterprise level.
CCI Guidance: The organization being inspected/assessed defines and documents events which are to be audited on the information system. Events should be selected from the events the information system is capable of auditing as defined in AU-2 (a) and should be based on ongoing risk assessments of current threat information and environment. DoD has determined that the events are not appropriate to define at the Enterprise level.
Control Name: Audit Events
Control: AU-2
Assessment Procedure: AU-2.7
Control Guidance: An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures. Related controls: AC-6, AC-17, AU-3, AU-12, MA-4, MP-2, MP-4, SI-4.
Control Definition: The organization: a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events]; b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].

CCI-001486
CCI Definition: The organization defines a frequency for reviewing and updating the list of organization-defined auditable events.
CCI Auditor: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually or more frequently upon changes to situational awareness of threats or vulnerabilities.
CCI Guidance: DoD has defined the frequency as annually or more frequently upon changes to situational awareness of threats or vulnerabilities.
Control Name: Audit Events | Reviews And Updates
Control: AU-2 (3)
Assessment Procedure: AU-2(3).2
Control Guidance: Over time, the events that organizations believe should be audited may change. Reviewing and updating the set of audited events periodically is necessary to ensure that the current set is still necessary and sufficient.
Control Definition: The organization reviews and updates the audited events [Assignment: organization-defined frequency].

CCI-001572
CCI Definition: The organization defines the personnel or roles to be alerted in the event of an audit processing failure.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines the documented list of personnel or roles who should be alerted in the event of audit processing failure to ensure the organization being inspected/assessed has either defined additional personnel or roles, or identified that there are no additional personnel or roles. DoD has defined the personnel or roles as, at a minimum, the SCA and ISSO.
CCI Guidance: The organization being inspected/assessed defines and documents any personnel or roles, in addition to the SCA and ISSO, who shall be alerted in the event of audit processing failure. If there are no additional personnel or roles, the organization must also document that. DoD has defined the personnel or roles as, at a minimum, the SCA and ISSO.
Control Name: Response To Audit Processing Failures
Control: AU-5
Assessment Procedure: AU-5.2
Control Guidance: Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. Related controls: AU-4, SI-12.
Control Definition: The information system: a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].

CCI-001573 The organization defines whether to reject or delay network traffic that exceeds organization-defined thresholds. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the action to take as delay. DoD has defined the action to take as delay. Response To Audit Processing Failures | Configurable Traffic Volume Thresholds AU-5 (3) AU-5(3).2 Organizations have the capability to reject or delay the processing of network communications traffic if auditing such traffic is determined to exceed the storage capacity of the information system audit function. The rejection or delay response is triggered by the established organizational traffic volume thresholds which can be adjusted based on changes to audit storage capacity. The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity and [Selection: rejects; delays] network traffic above those thresholds.
CCI-001574 The information system rejects or delays, as defined by the organization, network traffic which exceeds the organization-defined thresholds. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to delay network communications traffic exceeding the thresholds defined in AU-5 (3), CCI 1859. DoD has defined the action to take as delay. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1574. The organization being inspected/assessed configures the information system to delay network communications traffic exceeding the thresholds defined in AU-5 (3), CCI 1859. DoD has defined the action to take as delay. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1574. Response To Audit Processing Failures | Configurable Traffic Volume Thresholds AU-5 (3) AU-5(3).3 Organizations have the capability to reject or delay the processing of network communications traffic if auditing such traffic is determined to exceed the storage capacity of the information system audit function. The rejection or delay response is triggered by the established organizational traffic volume thresholds which can be adjusted based on changes to audit storage capacity. The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity and [Selection: rejects; delays] network traffic above those thresholds.
CCI-000139 The information system alerts designated organization-defined personnel or roles in the event of an audit processing failure. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to alert at a minimum, the SCA and ISSO in the event of an audit processing failure. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 139. DoD has defined the personnel or roles as at a minimum, the SCA and ISSO. The organization being inspected/assessed configures the information system to alert at a minimum, the SCA and ISSO in the event of an audit processing failure. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 139. DoD has defined the personnel or roles as at a minimum, the SCA and ISSO. Response To Audit Processing Failures AU-5 AU-5.1 Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. Related controls: AU-4, SI-12. The information system: a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
CCI-000140 The information system takes organization-defined actions upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records). The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to take actions as defined in AU-5, CCI 1490 upon audit failure. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 140. The organization being inspected/assessed configures the information system to take actions as defined in AU-5, CCI 1490 upon audit failure. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 140. Response To Audit Processing Failures AU-5 AU-5.3 Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. Related controls: AU-4, SI-12. The information system: a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
CCI-000143 The information system provides a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity.
CCI-000144 The information system provides a real-time alert when organization-defined audit failure events occur.
CCI-000145 The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity by delaying or rejecting network traffic which exceeds the organization-defined thresholds. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to delay network communications traffic exceeding the thresholds defined in AU-5 (3), CCI 1859. DoD has defined the action to take as delay. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 145. The organization being inspected/assessed configures the information system to delay network communications traffic exceeding the thresholds defined in AU-5 (3), CCI 1859. DoD has defined the action to take as delay. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 145. Response To Audit Processing Failures | Configurable Traffic Volume Thresholds AU-5 (3) AU-5(3).1 Organizations have the capability to reject or delay the processing of network communications traffic if auditing such traffic is determined to exceed the storage capacity of the information system audit function. The rejection or delay response is triggered by the established organizational traffic volume thresholds which can be adjusted based on changes to audit storage capacity. The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity and [Selection: rejects; delays] network traffic above those thresholds.
CCI-000146 The organization defines the percentage of maximum audit record storage capacity that, when exceeded, results in a warning being provided.
CCI-000147 The organization defines the audit failure events requiring real-time alerts. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the audit failure events as all. DoD has defined the audit failure events as all. Response To Audit Processing Failures | Real-Time Alerts AU-5 (2) AU-5(2).1 Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less). The information system provides an alert in [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts].
CCI-001343 The information system invokes a system shutdown in the event of an audit failure, unless an alternative audit capability exists.
CCI-001490 The organization defines actions to be taken by the information system upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records). The organization conducting the inspection/assessment obtains and examines the documented actions to ensure the organization being inspected/assessed has defined the actions to be taken by the information system upon audit failure. DoD has determined that the actions are not appropriate to define at the Enterprise level. The organization being inspected/assessed will define and document actions to be taken by the information system upon audit failure. The organization shall consider trade-offs between the needs for system availability and audit integrity when defining the actions. Unless availability is an overriding concern, the default action should be to shut down the information system. DoD has determined that the actions are not appropriate to define at the Enterprise level. Response To Audit Processing Failures AU-5 AU-5.4 Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. Related controls: AU-4, SI-12. The information system: a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
CCI-001575 The organization defines the system or system component for storing audit records that is a different system or system component than the system or component being audited. The organization conducting the inspection/assessment obtains and examines the information system or media documentation addressing the storage of backups of information system audit records; information system audit records; and any other relevant documents or records. The purpose of the reviews is to ensure the organization has defined and documented a system or storage media different from the system or media being audited. The organization being inspected/assessed defines and documents a system or storage media that will be used to store information system audit data different and separate from the system or media generating the audit data. Protection Of Audit Information | Audit Backup On Separate Physical Systems / Components AU-9 (2) AU-9(2).3 This control enhancement helps to ensure that a compromise of the information system being audited does not also result in a compromise of the audit records. Related controls: AU-4, AU-5, AU-11. The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited.
CCI-000162 The information system protects audit information from unauthorized access. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to disallow unauthorized access to audit information. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 162. The organization being inspected/assessed configures the information system to disallow unauthorized access to audit information. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 162. Protection Of Audit Information AU-9 AU-9.1 Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls. Related controls: AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6. The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
CCI-000163 The information system protects audit information from unauthorized modification. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to disallow unauthorized modification of audit information. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 163. The organization being inspected/assessed configures the information system to disallow unauthorized modification of audit information. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 163. Protection Of Audit Information AU-9 AU-9.2 Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls. Related controls: AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6. The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
CCI-000164 The information system protects audit information from unauthorized deletion. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to disallow unauthorized deletion of audit information. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 164. The organization being inspected/assessed configures the information system to disallow unauthorized deletion of audit information. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 164. Protection Of Audit Information AU-9 AU-9.3 Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls. Related controls: AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6. The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
CCI-000165 The information system writes audit records to hardware-enforced, write-once media. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to write audit records to hardware-enforced, write-once media. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 165. The organization being inspected/assessed configures the information system to write audit records to hardware-enforced, write-once media. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 165. Protection Of Audit Information | Hardware Write-Once Media AU-9 (1) AU-9(1).1 This control enhancement applies to the initial generation of audit trails (i.e., the collection of audit records that represents the audit information to be used for detection, analysis, and reporting purposes) and to the backup of those audit trails. The enhancement does not apply to the initial generation of audit records prior to being written to an audit trail. Write-once, read-many (WORM) media includes, for example, Compact Disk-Recordable (CD-R) and Digital Video Disk-Recordable (DVD-R). In contrast, the use of switchable write-protection media such as on tape cartridges or Universal Serial Bus (USB) drives results in write-protected, but not write-once, media. Related controls: AU-4, AU-5. The information system writes audit trails to hardware-enforced, write-once media.
CCI-001348 The information system backs up audit records on an organization-defined frequency onto a different system or system component than the system or component being audited. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to back up audit records at least every seven days. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1348. DoD has defined the frequency as every seven days. The organization being inspected/assessed configures the information system to back up audit records at least every seven days. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1348. DoD has defined the frequency as every seven days. Protection Of Audit Information | Audit Backup On Separate Physical Systems / Components AU-9 (2) AU-9(2).1 This control enhancement helps to ensure that a compromise of the information system being audited does not also result in a compromise of the audit records. Related controls: AU-4, AU-5, AU-11. The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited.
CCI-001349 The organization defines a frequency for backing up system audit records onto a different system or system component than the system or component being audited. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as every seven days. DoD has defined the frequency as every seven days. Protection Of Audit Information | Audit Backup On Separate Physical Systems / Components AU-9 (2) AU-9(2).2 This control enhancement helps to ensure that a compromise of the information system being audited does not also result in a compromise of the audit records. Related controls: AU-4, AU-5, AU-11. The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited.
CCI-001350 The information system implements cryptographic mechanisms to protect the integrity of audit information. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to implement cryptographic mechanisms to protect the integrity of audit information. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1350. The organization being inspected/assessed configures the information system to implement cryptographic mechanisms to protect the integrity of audit information. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1350. Protection Of Audit Information | Cryptographic Protection AU-9 (3) AU-9(3).1 Cryptographic mechanisms used for protecting the integrity of audit information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. Related controls: AU-10, SC-12, SC-13. The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools.
CCI-001351 The organization authorizes access to management of audit functionality to only an organization-defined subset of privileged users. The organization conducting the inspection/assessment obtains and examines the documentation of access authorizations for the management of audit functionality to ensure only the subset of privileged users defined in AU-9 (4), CCI 1894 have been granted access authorization. The organization being inspected/assessed authorizes access to the management of audit functionality to only the subset of privileged users defined in AU-9 (4), CCI 1894. Protection Of Audit Information | Access By Subset Of Privileged Users AU-9 (4) AU-9(4).2 Individuals with privileged access to an information system and who are also the subject of an audit by that system, may affect the reliability of audit information by inhibiting audit activities or modifying audit records. This control enhancement requires that privileged access be further defined between audit-related privileges and other privileges, thus limiting the users with audit-related privileges. Related control: AC-5. The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users].
CCI-001352 The organization protects the audit records of non-local accesses to privileged accounts and the execution of privileged functions.
CCI-001493 The information system protects audit tools from unauthorized access. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to disallow unauthorized access to audit tools. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1493. The organization being inspected/assessed configures the information system to disallow unauthorized access to audit tools. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1493. Protection Of Audit Information AU-9 AU-9.4 Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls. Related controls: AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6. The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
CCI-001494 The information system protects audit tools from unauthorized modification. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to disallow unauthorized modification of audit tools. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1494. The organization being inspected/assessed configures the information system to disallow unauthorized modification of audit tools. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1494. Protection Of Audit Information AU-9 AU-9.5 Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls. Related controls: AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6. The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
CCI-001495 The information system protects audit tools from unauthorized deletion. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to disallow unauthorized deletion of audit tools. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1495. The organization being inspected/assessed configures the information system to disallow unauthorized deletion of audit tools. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1495. Protection Of Audit Information AU-9 AU-9.6 Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls. Related controls: AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6. The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
CCI-001496 The information system implements cryptographic mechanisms to protect the integrity of audit tools. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to implement cryptographic mechanisms to protect the integrity of audit tools. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1496. The organization being inspected/assessed configures the information system to implement cryptographic mechanisms to protect the integrity of audit tools. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1496. Protection Of Audit Information | Cryptographic Protection AU-9 (3) AU-9(3).2 Cryptographic mechanisms used for protecting the integrity of audit information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. Related controls: AU-10, SC-12, SC-13. The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools.
CCI-001576
CCI Definition: The information system produces a system-wide (logical or physical) audit trail of information system audit records.

CCI-001577
CCI Definition: The organization defines the information system components from which audit records are to be compiled into the system-wide audit trail.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines the system-wide audit trail documentation to ensure the organization being inspected/assessed maintains a current list of information system components. DoD has determined the information system components are not appropriate to define at the Enterprise level.
CCI Guidance: The organization being inspected/assessed will define and document the information system components from which audit records are to be compiled into the system-wide audit trail. The organization will periodically update this list to ensure it is current. DoD has determined the information system components are not appropriate to define at the Enterprise level.
Control Name: Audit Generation | System-Wide / Time-Correlated Audit Trail
Control: AU-12 (1)
Assessment Procedure: AU-12(1).3
Control Guidance: Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances. Related controls: AU-8, AU-12.
Control Definition: The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail].

CCI-000169
CCI Definition: The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components.
CCI Auditor: The organization conducting the inspection/assessment examines the information system to ensure that all information system and network components provide audit record generation capability for the auditable events defined in AU-2 a. DoD has defined the information system components as all information system and network components.
CCI Guidance: The organization being inspected/assessed acquires or designs all information system and network components that provide audit record generation capability for the auditable events defined in AU-2 a. DoD has defined the information system components as all information system and network components.
Control Name: Audit Generation
Control: AU-12
Assessment Procedure: AU-12.1
Control Guidance: Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records. Related controls: AC-3, AU-2, AU-3, AU-6, AU-7.
Control Definition: The information system: a. Provides audit record generation capability for the auditable events defined in AU-2 at [Assignment: organization-defined information system components]; b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and c. Generates audit records for the audited events defined in AU-2 with the content defined in AU-3.

CCI-000171
CCI Definition: The information system allows organization-defined personnel or roles to select which auditable events are to be audited by specific components of the information system.
CCI Auditor: The organization conducting the inspection/assessment examines a sampling of information system components and confirms that the individuals capable of selecting auditable events are the ISSM or individuals appointed by the ISSM. DoD has defined the personnel or roles as the ISSM or individuals appointed by the ISSM.
CCI Guidance: The organization being inspected/assessed configures the information system to ensure that only the ISSM or individuals appointed by the ISSM select which auditable events are to be audited by specific components of the information system. DoD has defined the personnel or roles as the ISSM or individuals appointed by the ISSM.
Control Name: Audit Generation
Control: AU-12
Assessment Procedure: AU-12.3
Control Guidance: Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records. Related controls: AC-3, AU-2, AU-3, AU-6, AU-7.
Control Definition: The information system: a. Provides audit record generation capability for the auditable events defined in AU-2 at [Assignment: organization-defined information system components]; b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and c. Generates audit records for the audited events defined in AU-2 with the content defined in AU-3.

CCI-000172
CCI Definition: The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3.
CCI Auditor: The organization conducting the inspection/assessment examines the information system to ensure that the system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 172.
CCI Guidance: The organization being inspected/assessed configures the information system to generate audit records for the events defined in AU-2 d. with the content defined in AU-3. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 172.
Control Name: Audit Generation
Control: AU-12
Assessment Procedure: AU-12.5
Control Guidance: Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records. Related controls: AC-3, AU-2, AU-3, AU-6, AU-7.
Control Definition: The information system: a. Provides audit record generation capability for the auditable events defined in AU-2 at [Assignment: organization-defined information system components]; b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and c. Generates audit records for the audited events defined in AU-2 with the content defined in AU-3.

CCI-000173
CCI Definition: The organization defines the level of tolerance for relationship between time stamps of individual records in the audit trail that will be used for correlation.
CCI Auditor: The organization conducting the inspection/assessment reviews the organization's audit and accountability policy and procedures addressing audit record generation and retention; information system audit configuration settings and associated documentation; information system audit records; and any other relevant documents or records. The objective is to validate the organization has defined and documented its level of tolerance for variation in the time stamps applied to the audit data generated by the organization's information systems. DoD has determined that the level of tolerance is not appropriate to define at the Enterprise level.
CCI Guidance: The organization being inspected/assessed will define and document their level of tolerance for variation in the time stamps applied to the audit data generated by the organization's information systems. DoD has determined that the level of tolerance is not appropriate to define at the Enterprise level.
Control Name: Audit Generation | System-Wide / Time-Correlated Audit Trail
Control: AU-12 (1)
Assessment Procedure: AU-12(1).1
Control Guidance: Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances. Related controls: AU-8, AU-12.
Control Definition: The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail].

CCI-000174
CCI Definition: The information system compiles audit records from organization-defined information system components into a system-wide (logical or physical) audit trail that is time-correlated to within an organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail.
CCI Auditor: The organization conducting the inspection/assessment examines the information system to ensure the information system is configured to compile audit records from information system components defined in AU-12 (1), CCI 1577 into a system-wide (logical or physical) audit trail that is time-correlated to within the level of tolerance defined in AU-12 (1), CCI-000173 for relationship between time stamps of individual records in the audit trail. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 174.
CCI Guidance: The organization being inspected/assessed configures the information system to compile audit records from information system components defined in AU-12 (1), CCI 1577 into a system-wide (logical or physical) audit trail that is time-correlated to within the level of tolerance defined in AU-12 (1), CCI-000173 for relationship between time stamps of individual records in the audit trail. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 174.
Control Name: Audit Generation | System-Wide / Time-Correlated Audit Trail
Control: AU-12 (1)
Assessment Procedure: AU-12(1).2
Control Guidance: Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances. Related controls: AU-8, AU-12.
Control Definition: The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail].

CCI-001459
CCI Definition: The organization defines information system components that provide audit record generation capability.
CCI Auditor: DoD has defined the information system components as all information system and network components.
CCI Guidance: DoD has defined the information system components as all information system and network components.
Control Name: Audit Generation
Control: AU-12
Assessment Procedure: AU-12.2
Control Guidance: Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records. Related controls: AC-3, AU-2, AU-3, AU-6, AU-7.
Control Definition: The information system: a. Provides audit record generation capability for the auditable events defined in AU-2 at [Assignment: organization-defined information system components]; b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and c. Generates audit records for the audited events defined in AU-2 with the content defined in AU-3.

CCI-001353
CCI Definition: The information system produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
CCI Auditor: The organization conducting the inspection/assessment examines the information system to ensure the information system is configured to produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1353.
CCI Guidance: The organization being inspected/assessed configures the information system to produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1353.
Control Name: Audit Generation | Standardized Formats
Control: AU-12 (2)
Assessment Procedure: AU-12(2).1
Control Guidance: Audit information that is normalized to common standards promotes interoperability and exchange of such information between dissimilar devices and information systems. This facilitates production of event information that can be more readily analyzed and correlated. Standard formats for audit records include, for example, system log records and audit records compliant with Common Event Expressions (CEE). If logging mechanisms within information systems do not conform to standardized formats, systems may convert individual audit records into standardized formats when compiling system-wide audit trails.
Control Definition: The information system produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format.

CCI-001578
CCI Definition: The organization defines the frequency to review and update the current security assessment and authorization procedures.
CCI Auditor: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually.
CCI Guidance: DoD has defined the frequency as annually.
Control Name: Security Assessment And Authorization Policy And Procedures
Control: CA-1
Assessment Procedure: CA-1.10
Control Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Definition: The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and b. Reviews and updates the current: 1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and 2. Security assessment and authorization procedures [Assignment: organization-defined frequency].

CCI-000238
CCI Definition: The organization defines the frequency to review and update the current security assessment and authorization policy.
CCI Auditor: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as every 5 years.
CCI Guidance: DoD has defined the frequency as every 5 years.
Control Name: Security Assessment And Authorization Policy And Procedures
Control: CA-1
Assessment Procedure: CA-1.7
Control Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Definition: The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and b. Reviews and updates the current: 1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and 2. Security assessment and authorization procedures [Assignment: organization-defined frequency].

CCI-000239
CCI Definition: The organization develops and documents a security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
CCI Auditor: DoDI 8510.01 meets the DoD requirement for security assessment authorization policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01.
CCI Guidance: DoDI 8510.01 meets the DoD requirement for security assessment authorization policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01.
Control Name: Security Assessment And Authorization Policy And Procedures
Control: CA-1
Assessment Procedure: CA-1.3
Control Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Definition: The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and b. Reviews and updates the current: 1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and 2. Security assessment and authorization procedures [Assignment: organization-defined frequency].

CCI-000240
CCI Definition: The organization disseminates to organization-defined personnel or roles a security assessment and authorization policy.
CCI Auditor: DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01.
CCI Guidance: DoD disseminates DoDI 8510.01 organization-wide via the DoD Issuances website. http://www.dtic.mil/whs/directives/corres/ins1.html
Control Name: Security Assessment And Authorization Policy And Procedures
Control: CA-1
Assessment Procedure: CA-1.4
Control Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Definition: The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and b. Reviews and updates the current: 1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and 2. Security assessment and authorization procedures [Assignment: organization-defined frequency].

CCI-000241
CCI Definition: The organization reviews and updates the current security assessment and authorization policy in accordance with organization-defined frequency.
CCI Auditor: DoDI 8510.01 meets the DoD requirement for security assessment authorization policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01.
CCI Guidance: DoDI 8510.01 meets the DoD requirement for security assessment authorization policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01.
Control Name: Security Assessment And Authorization Policy And Procedures
Control: CA-1
Assessment Procedure: CA-1.8
Control Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Definition: The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and b. Reviews and updates the current: 1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and 2. Security assessment and authorization procedures [Assignment: organization-defined frequency].

CCI-000242
CCI Definition: The organization develops and documents procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines the procedures to ensure the organization being inspected/assessed develops and documents procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls IAW DoDI 8510.01.
CCI Guidance: The organization being inspected/assessed develops and documents, IAW DoDI 8510.01, procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls.
Control Name: Security Assessment And Authorization Policy And Procedures
Control: CA-1
Assessment Procedure: CA-1.5
Control Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Definition: The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and b. Reviews and updates the current: 1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and 2. Security assessment and authorization procedures [Assignment: organization-defined frequency].

CCI-000243
CCI Definition: The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines the AUP (Acceptable Use Policy), appointment orders, or written policy requiring that all personnel register at the DTIC website to receive update notifications. DoD has defined the personnel or roles as all personnel.
CCI Guidance: The organization being inspected/assessed will require all personnel to register at the DTIC website to receive update notifications to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls. DoD has defined the personnel or roles as all personnel.
Control Name: Security Assessment And Authorization Policy And Procedures
Control: CA-1
Assessment Procedure: CA-1.6
Control Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Definition: The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and b. Reviews and updates the current: 1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and 2. Security assessment and authorization procedures [Assignment: organization-defined frequency].

CCI-000244
CCI Definition: The organization reviews and updates the current security assessment and authorization procedures in accordance with organization-defined frequency.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines the audit trail of review and update activity to ensure the organization being inspected/assessed reviews and updates, IAW DoDI 8510.01, the current security assessment and authorization procedures annually.
CCI Guidance: The organization being inspected/assessed reviews and updates, IAW DoDI 8510.01, the current security assessment and authorization procedures annually. The organization must maintain an audit trail of review and update activity. DoD has defined the frequency as annually.
Control Name: Security Assessment And Authorization Policy And Procedures
Control: CA-1
Assessment Procedure: CA-1.9
Control Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Definition: The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and b. Reviews and updates the current: 1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and 2. Security assessment and authorization procedures [Assignment: organization-defined frequency].

CCI-001579 The organization conducts security control assessments using organization-defined forms of testing in accordance with organization-defined frequency and assessment techniques.
CCI-000245 The organization develops a security assessment plan for the information system and its environment of operation. The organization conducting the inspection/assessment obtains and examines the Security Plan to validate *security assessment blocks* are complete. The organization being inspected/assessed will document these security assessment plan requirements as part of the DoD approved Security Plan. Security plan templates are provided through eMASS and the Knowledge Service. *Comment* The items required within this control are being split into the security plan and security assessment report to eliminate creation of an additional artifact. Security Assessments CA-2 CA-2.1 Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. 
Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. 
Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4. The organization: a. Develops a security assessment plan that describes the scope of the assessment including: 1. Security controls and control enhancements under assessment; 2. Assessment procedures to be used to determine security control effectiveness; and 3. Assessment environment, assessment team, and assessment roles and responsibilities; b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; c. Produces a security assessment report that documents the results of the assessment; and d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
CCI-000246 The organization's security assessment plan describes the security controls and control enhancements under assessment. The organization conducting the inspection/assessment obtains the security assessment plan to verify the plan identifies the security controls and those control enhancements under assessment. The organization being inspected/assessed will ensure the Security Plan identifies the security controls and control enhancements under assessment. *Comment* The items required within this control are being split into the security plan and security assessment report to eliminate creation of an additional artifact. Security Assessments CA-2 CA-2.2 Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. 
Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. 
Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4. The organization: a. Develops a security assessment plan that describes the scope of the assessment including: 1. Security controls and control enhancements under assessment; 2. Assessment procedures to be used to determine security control effectiveness; and 3. Assessment environment, assessment team, and assessment roles and responsibilities; b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; c. Produces a security assessment report that documents the results of the assessment; and d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
CCI-000247 The organization's security assessment plan describes assessment procedures to be used to determine security control effectiveness. DoD components are automatically compliant with this CCI if using the implementation guidance and validation procedures on the Knowledge Service. If the organization being inspected/assessed is using alternative implementation guidance and validation procedures, the organization conducting the inspection/assessment will obtain and examine those procedures. The implementation guidance and validation procedures posted on the Knowledge Service constitutes assessment procedures for DoD. If organizations being inspected/assessed use assessment procedures other than those posted on the Knowledge Service, those procedures must be documented. *Comment* The items required within this CCI are being split into the security plan and security assessment report to eliminate creation of an additional artifact. Security Assessments CA-2 CA-2.3 Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. 
Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. 
Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4. The organization: a. Develops a security assessment plan that describes the scope of the assessment including: 1. Security controls and control enhancements under assessment; 2. Assessment procedures to be used to determine security control effectiveness; and 3. Assessment environment, assessment team, and assessment roles and responsibilities; b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; c. Produces a security assessment report that documents the results of the assessment; and d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
CCI-000248 The organization's security assessment plan describes assessment environment. The organization conducting the inspection/assessment obtains and examines the organization's authorization boundary. Authorization boundary can be described via one or more of the following: network diagrams, data flow diagrams, system design documents, or a list of information system components. The organization being inspected/assessed will provide a description of the authorization boundary in their Security Plan. Authorization boundary can be described via one or more of the following: network diagrams, data flow diagrams, system design documents, or a list of information system components. Authorization boundary as defined in CNSSI 4009. *Comment* The items required within this control are being split into the security plan and security assessment report to eliminate creation of an additional artifact. Security Assessments CA-2 CA-2.4 Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. 
Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. 
Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4. The organization: a. Develops a security assessment plan that describes the scope of the assessment including: 1. Security controls and control enhancements under assessment; 2. Assessment procedures to be used to determine security control effectiveness; and 3. Assessment environment, assessment team, and assessment roles and responsibilities; b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; c. Produces a security assessment report that documents the results of the assessment; and d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
CCI-000249 The organization's security assessment plan describes the assessment team.
CCI-000250 The organization's security assessment plan describes assessment roles and responsibilities.
CCI-000251 The organization assesses, on an organization-defined frequency, the security controls in the information system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements. See CA-2 c "The organization conducting the inspection/assessment obtains and examines the security assessment report to verify that it includes the compliance/non-compliance status of all controls and specific deficiencies for all non-compliant controls." In accordance with DoD's published guidance, the organization being inspected/assessed will utilize the implementation guidance and validation procedures published on the Knowledge Service to evaluate the implementation status of the applicable controls. DoD has defined the frequency as annually for technical controls, annually for a portion of management and operational controls, such that all are reviewed in a 3 year period, except for those requiring more frequent review as defined in other site or overarching policy. (NOTE: Technical, Management and Operational is IAW NIST SP 800-53 Table 1-1). *Comment* The items required within this control are being split into the security plan and security assessment report to eliminate creation of an additional artifact. Security Assessments CA-2 CA-2.6 Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. 
Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. 
Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4. The organization: a. Develops a security assessment plan that describes the scope of the assessment including: 1. Security controls and control enhancements under assessment; 2. Assessment procedures to be used to determine security control effectiveness; and 3. Assessment environment, assessment team, and assessment roles and responsibilities; b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; c. Produces a security assessment report that documents the results of the assessment; and d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
CCI-000252 The organization defines the frequency on which the security controls in the information system and its environment of operation are assessed. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually for technical controls, annually for a portion of management and operational controls such that all are reviewed in a 3 year period except for those requiring more frequent review as defined in other site or overarching policy. NOTE: Technical, Management and Operational is IAW NIST SP 800-53 Table 1-1. DoD has defined the frequency as annually for technical controls, annually for a portion of management and operational controls such that all are reviewed in a 3 year period except for those requiring more frequent review as defined in other site or overarching policy. NOTE: Technical, Management and Operational is IAW NIST SP 800-53 Table 1-1. *Comment* The items required within this control are being split into the security plan and security assessment report to eliminate creation of an additional artifact. Security Assessments CA-2 CA-2.7 Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. 
Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. 
Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4. The organization: a. Develops a security assessment plan that describes the scope of the assessment including: 1. Security controls and control enhancements under assessment; 2. Assessment procedures to be used to determine security control effectiveness; and 3. Assessment environment, assessment team, and assessment roles and responsibilities; b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; c. Produces a security assessment report that documents the results of the assessment; and d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
CCI-000253 The organization produces a security assessment report that documents the results of the assessment against the information system and its environment of operation. The organization conducting the inspection/assessment obtains and examines the SAR to verify that it includes the compliance/non-compliance status of all controls and specific deficiencies for all non-compliant controls. The organization being inspected/assessed will develop a SAR that includes the compliance/non-compliance status of all controls and specific deficiencies for all non-compliant controls using the template available on the Knowledge Service. *Comment* The items required within this control are being split into the security plan and security assessment report to eliminate creation of an additional artifact. Security Assessments CA-2 CA-2.8 Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. 
Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. 
Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4. The organization: a. Develops a security assessment plan that describes the scope of the assessment including: 1. Security controls and control enhancements under assessment; 2. Assessment procedures to be used to determine security control effectiveness; and 3. Assessment environment, assessment team, and assessment roles and responsibilities; b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; c. Produces a security assessment report that documents the results of the assessment; and d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
CCI-000254 The organization provides the results of the security control assessment against the information system and its environment of operation to organization-defined individuals or roles. The organization conducting the inspection/assessment interviews at a minimum, the ISSO and ISSM to ensure the SAR has been received. DoD has defined the individuals or roles as at a minimum, the ISSO and ISSM. The organization being inspected/assessed will provide the SAR to at a minimum, the ISSO and ISSM. DoD has defined the individuals or roles as at a minimum, the ISSO and ISSM. *Comment* The items required within this control are being split into the security plan and security assessment report to eliminate creation of an additional artifact. Security Assessments CA-2 CA-2.9 Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. 
Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. 
Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4. The organization: a. Develops a security assessment plan that describes the scope of the assessment including: 1. Security controls and control enhancements under assessment; 2. Assessment procedures to be used to determine security control effectiveness; and 3. Assessment environment, assessment team, and assessment roles and responsibilities; b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; c. Produces a security assessment report that documents the results of the assessment; and d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
CCI-000255 The organization employs assessors or assessment teams with an organization-defined level of independence to conduct security control assessments of organizational information systems. The organization conducting the inspection/assessment obtains and examines the level of independence defined in CA-2 (1), CCI 2064 to ensure that they, as the assessor, meet the required level of independence. The organization being inspected/assessed will employ assessors and assessor teams with the level of independence defined in CA-2 (1), CCI 2064 to conduct security control assessments of organizational information systems. Security Assessments | Independent Assessors CA-2 (1) CA-2(1).1 Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of organizational information systems. Impartiality implies that assessors are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the organizational information systems under assessment or to the determination of security control effectiveness. To achieve impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in positions of advocacy for the organizations acquiring their services. Independent assessments can be obtained from elements within organizations or can be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of information systems and/or the ultimate risk to organizational operations, organizational assets, or individuals. 
Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. This includes determining whether contracted security assessment services have sufficient independence, for example, when information system owners are not directly involved in contracting processes or cannot unduly influence the impartiality of assessors conducting assessments. In special situations, for example, when organizations that own the information systems are small or organizational structures require that assessments are conducted by individuals that are in the developmental, operational, or management chain of system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Organizations recognize that assessments performed for purposes other than direct support to authorization decisions are, when performed by assessors with sufficient independence, more likely to be useable for such decisions, thereby reducing the need to repeat assessments. The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to conduct security control assessments.
CCI-000256 The organization includes, as part of security control assessments announced or unannounced, one or more of the following: in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; and organization-defined other forms of security assessment on an organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the test and exercise plan documented in the security assessment plan as well as the results of one or more of the latest security assessments to ensure the organization being inspected/assessed is conducting the assessments required in their security assessment plan annually. DoD has defined the frequency as annually. The organization being assessed/inspected must document how they will annually conduct tests and exercises of the implemented security controls in their security assessment plan. The tests and exercises may consist of activities such as in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; or other forms of security assessment defined in CA-2 (2), CCI 1582. Vulnerability scans are not the same as penetration testing. DoD has defined the frequency as annually. Security Assessments | Specialized Assessments CA-2 (2) CA-2(2).1 Organizations can employ information system monitoring, insider threat assessments, malicious user testing, and other forms of testing (e.g., verification and validation) to improve readiness by exercising organizational capabilities and indicating current performance levels as a means of focusing actions to improve security. Organizations conduct assessment activities in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. 
Organizations can incorporate vulnerabilities uncovered during assessments into vulnerability remediation processes. Related controls: PE-3, SI-2. The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]].
CCI-001580 The organization identifies connections to external information systems (i.e., information systems outside of the authorization boundary).
CCI-000257 The organization authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements. The organization conducting the inspection/assessment obtains and examines documentation of the Interconnection Security Agreements to include appropriate signatures. Policy Note: Interconnection security agreements are required for systems connecting between enclaves that require the hosting enclave to enable PPS outside of their already established and approved business practices. Connections can include both DoD enclaves or non-DoD enclaves. The organization being inspected/assessed will develop and certify, by appropriate signatures (e.g., AO, network managers), Interconnection Security Agreements (e.g., MOU, MOA, SLA) authorizing the connection of its information systems to other information systems. Policy Note: Interconnection security agreements are required for systems connecting between enclaves that require the hosting enclave to enable PPS outside of their already established and approved business practices. Connections can include both DoD enclaves or non-DoD enclaves. System Interconnections CA-3 CA-3.1 This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements.
Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls. Related controls: AC-3, AC-4, AC-20, AU-2, AU-12, AU-16, CA-7, IA-3, SA-9, SC-7, SI-4. The organization: a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements; b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].
CCI-000258 The organization documents, for each interconnection, the interface characteristics. The organization conducting the inspection/assessment obtains and examines interconnection security agreement documentation. Policy Note: Interconnection security agreements are required for systems connecting between enclaves that require the hosting enclave to enable PPS outside of their already established and approved business practices. Connections can include both DoD enclaves or non-DoD enclaves. The organization being inspected/assessed will document the interface characteristics for each interconnection. Use of external reporting databases for these characteristics when tied to the specific interconnection is acceptable (e.g., ports, protocols, and services). Policy Note: Interconnection security agreements are required for systems connecting between enclaves that require the hosting enclave to enable PPS outside of their already established and approved business practices. Connections can include both DoD enclaves or non-DoD enclaves. System Interconnections CA-3 CA-3.2 This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans.
If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls. Related controls: AC-3, AC-4, AC-20, AU-2, AU-12, AU-16, CA-7, IA-3, SA-9, SC-7, SI-4. The organization: a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements; b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].
CCI-000259 The organization documents, for each interconnection, the security requirements. The organization conducting the inspection/assessment obtains and examines interconnection security agreement documentation, specifically looking at any additional security controls identified for implementation. Policy Note: Interconnection security agreements are required for systems connecting between enclaves that require the hosting enclave to enable PPS outside of their already established and approved business practices. Connections can include both DoD enclaves or non-DoD enclaves. The organization being inspected/assessed will, for each interconnection, identify and document any additional security controls to be implemented to protect the confidentiality, integrity, and availability of the connected systems and the data passing between them. Controls should be appropriate for the systems to be connected and the environment in which the interconnection will operate. Policy Note: Interconnection security agreements are required for systems connecting between enclaves that require the hosting enclave to enable PPS outside of their already established and approved business practices. Connections can include both DoD enclaves or non-DoD enclaves. System Interconnections CA-3 CA-3.3 This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed.
If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls. Related controls: AC-3, AC-4, AC-20, AU-2, AU-12, AU-16, CA-7, IA-3, SA-9, SC-7, SI-4. The organization: a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements; b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].
CCI-000260 The organization documents, for each interconnection, the nature of the information communicated. The organization conducting the inspection/assessment obtains and examines the interconnection security agreement documentation, specifically to identify the type of information being transferred/transmitted. Characteristics will include but are not limited to: classification, information type (e.g., PII, HIPAA, FOUO, financial data, etc.). Policy Note: Interconnection security agreements are required for systems connecting between enclaves that require the hosting enclave to enable PPS outside of their already established and approved business practices. Connections can include both DoD enclaves or non-DoD enclaves. The organization being inspected/assessed will document in the interconnection security agreement the type of information being transferred/transmitted. Characteristics will include but are not limited to: classification, information type (e.g., PII, HIPAA, FOUO, financial data, etc.). Policy Note: Interconnection security agreements are required for systems connecting between enclaves that require the hosting enclave to enable PPS outside of their already established and approved business practices. Connections can include both DoD enclaves or non-DoD enclaves. System Interconnections CA-3 CA-3.4 This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed.
If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls. Related controls: AC-3, AC-4, AC-20, AU-2, AU-12, AU-16, CA-7, IA-3, SA-9, SC-7, SI-4. The organization: a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements; b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].
CCI-000261 The organization monitors the information system connections on an ongoing basis to verify enforcement of security requirements.
CCI-000262 The organization prohibits the direct connection of an organization-defined unclassified, national security system to an external network without the use of an organization-defined boundary protection device. The organization conducting the inspection/assessment obtains and examines the policy document prohibiting direct connection of all unclassified NSS to external networks without the use of a boundary protection device defined in CA-3 (1), CCI 262. DoD has defined the unclassified, national security systems as all unclassified NSS. The organization being inspected/assessed documents, in its policy and procedures addressing information system connections, that it will prohibit all unclassified NSS from having a direct connection to an external network without the use of a boundary protection device defined in CA-3 (1), CCI 262. DoD has defined the unclassified, national security systems as all unclassified NSS. System Interconnections | Unclassified National Security System Connections CA-3 (1) CA-3(1).1 Organizations typically do not have control over external networks (e.g., the Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between unclassified national security systems and external networks. This control enhancement is required for organizations processing, storing, or transmitting Controlled Unclassified Information (CUI). The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].
CCI-000263 The organization prohibits the direct connection of a classified, national security system to an external network without the use of an organization-defined boundary protection device. The organization conducting the inspection/assessment obtains and examines network topology diagrams and examines the information system to ensure the organization being inspected/assessed does not connect any national security systems to an external network without the use of protection devices defined in CA-3 (2), CCI 2074. The organization being inspected/assessed does not connect any national security systems to an external network without the use of protection devices defined in CA-3 (2), CCI 2074. System Interconnections | Classified National Security System Connections CA-3 (2) CA-3(2).1 Organizations typically do not have control over external networks (e.g., the Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between classified national security systems and external networks. In addition, approved boundary protection devices (typically managed interface/cross-domain systems) provide information flow enforcement from information systems to external networks. The organization prohibits the direct connection of a classified, national security system to an external network without the use of [Assignment: organization-defined boundary protection device].
CCI-001581 The organization defines personnel or roles to whom the security status of the organization and the information system should be reported. Future DoD-wide CM guidance to be published Future DoD-wide CM guidance to be published Continuous Monitoring CA-7 CA-7.11 Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: a. Establishment of [Assignment: organization-defined metrics] to be monitored; b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; e. Correlation and analysis of security-related information generated by assessments and monitoring; f. Response actions to address results of the analysis of security-related information; and g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
CCI-001582 The organization defines other forms of security assessments other than in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; and performance/load testing that should be included as part of security control assessments. The organization conducting the inspection/assessment obtains and examines the documented other forms of security assessments to ensure the organization being inspected/assessed defines other forms of security assessments other than in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment and performance/load testing that should be included as part of security control assessments. DoD has determined the other forms of security assessments are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents other forms of security assessments other than in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment and performance/load testing that should be included as part of security control assessments. DoD has determined the other forms of security assessments are not appropriate to define at the Enterprise level. Security Assessments | Specialized Assessments CA-2 (2) CA-2(2).2 Organizations can employ information system monitoring, insider threat assessments, malicious user testing, and other forms of testing (e.g., verification and validation) to improve readiness by exercising organizational capabilities and indicating current performance levels as a means of focusing actions to improve security. Organizations conduct assessment activities in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can incorporate vulnerabilities uncovered during assessments into vulnerability remediation processes. Related controls: PE-3, SI-2. The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]].
CCI-001583 The organization selects announced or unannounced assessments for each form of security control assessment. The organization conducting the inspection/assessment obtains and examines the documented list of security control assessment techniques defined in CA-2 (2), CCI 2064 and verifies that the security assessment plan defines whether the assessment is announced or unannounced. The organization being inspected/assessed selects and documents whether announced or unannounced assessments are required for each form of security control assessment that was selected as part of CA-2 (2), CCI 2064. DoD has determined the announced or unannounced nature of the assessments is not appropriate to define at the Enterprise level. Security Assessments | Specialized Assessments CA-2 (2) CA-2(2).3 Organizations can employ information system monitoring, insider threat assessments, malicious user testing, and other forms of testing (e.g., verification and validation) to improve readiness by exercising organizational capabilities and indicating current performance levels as a means of focusing actions to improve security. Organizations conduct assessment activities in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can incorporate vulnerabilities uncovered during assessments into vulnerability remediation processes. Related controls: PE-3, SI-2. The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]].
CCI-000274 The organization develops a continuous monitoring strategy. Future DoD-wide CM guidance to be published Future DoD-wide CM guidance to be published Continuous Monitoring CA-7 CA-7.1 Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: a. Establishment of [Assignment: organization-defined metrics] to be monitored; b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; e. Correlation and analysis of security-related information generated by assessments and monitoring; f. Response actions to address results of the analysis of security-related information; and g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
CCI-000275 The organization implements a continuous monitoring program that includes a configuration management process for the information system.
CCI-000276 The organization implements a continuous monitoring program that includes a configuration management process for the information system constituent components.
CCI-000277 The organization implements a continuous monitoring program that includes a determination of the security impact of changes to the information system.
CCI-000278 The organization implements a continuous monitoring program that includes a determination of the security impact of changes to the environment of operation.
CCI-000279 The organization implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy. Future DoD-wide CM guidance to be published Future DoD-wide CM guidance to be published Continuous Monitoring CA-7 CA-7.5 Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: a. Establishment of [Assignment: organization-defined metrics] to be monitored; b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; e. Correlation and analysis of security-related information generated by assessments and monitoring; f. Response actions to address results of the analysis of security-related information; and g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
CCI-000280 The organization implements a continuous monitoring program that includes reporting the security status of the organization and the information system to organization-defined personnel or roles on an organization-defined frequency. Future DoD-wide CM guidance to be published Future DoD-wide CM guidance to be published Continuous Monitoring CA-7 CA-7.9 Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: a. Establishment of [Assignment: organization-defined metrics] to be monitored; b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; e. Correlation and analysis of security-related information generated by assessments and monitoring; f. Response actions to address results of the analysis of security-related information; and g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
CCI-000281 The organization defines the frequency with which to report the security status of the organization and the information system to organization-defined personnel or roles. Future DoD-wide CM guidance to be published Future DoD-wide CM guidance to be published Continuous Monitoring CA-7 CA-7.10 Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: a. Establishment of [Assignment: organization-defined metrics] to be monitored; b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; e. Correlation and analysis of security-related information generated by assessments and monitoring; f. Response actions to address results of the analysis of security-related information; and g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
CCI-000282 The organization employs assessors or assessment teams with an organization-defined level of independence to monitor the security controls in the information system on an ongoing basis. Future DoD-wide CM guidance to be published Future DoD-wide CM guidance to be published Continuous Monitoring | Independent Assessment CA-7 (1) CA-7(1).1 Organizations can maximize the value of assessments of security controls during the continuous monitoring process by requiring that such assessments be conducted by assessors or assessment teams with appropriate levels of independence based on continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in advocacy positions for the organizations acquiring their services. The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to monitor the security controls in the information system on an ongoing basis.
CCI-000283 The organization plans announced or unannounced assessments (in-depth monitoring, malicious user testing, penetration testing, red team exercises, or other organization-defined forms of security assessment), on an organization-defined frequency, to ensure compliance with all vulnerability mitigation procedures.
CCI-000284 The organization schedules announced or unannounced assessments (in-depth monitoring, malicious user testing, penetration testing, red team exercises, or other organization-defined forms of security assessment), on an organization-defined frequency, to ensure compliance with all vulnerability mitigation procedures.
CCI-000285 The organization conducts announced or unannounced assessments (in-depth monitoring, malicious user testing, penetration testing, red team exercises, or other organization-defined forms of security assessment), on an organization-defined frequency, to ensure compliance with all vulnerability mitigation procedures.
CCI-001681 The organization defines the frequency at which each form of security control assessment should be conducted.
CCI-001584 The organization defines the frequency with which to review and update configuration management procedures. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually. DoD has defined the frequency as annually. Configuration Management Policy And Procedures CM-1 CM-1.10 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and b. Reviews and updates the current: 1. Configuration management policy [Assignment: organization-defined frequency]; and 2. Configuration management procedures [Assignment: organization-defined frequency].
CCI-000286 The organization defines a frequency with which to review and update the configuration management policies. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually. DoD has defined the frequency as annually. Configuration Management Policy And Procedures CM-1 CM-1.7 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and b. Reviews and updates the current: 1. Configuration management policy [Assignment: organization-defined frequency]; and 2. Configuration management procedures [Assignment: organization-defined frequency].
CCI-000287 The organization develops and documents a configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The organization conducting the inspection/assessment obtains and examines the configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The organization being inspected/assessed develops and documents a configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. Configuration Management Policy And Procedures CM-1 CM-1.3 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and b. Reviews and updates the current: 1. Configuration management policy [Assignment: organization-defined frequency]; and 2. Configuration management procedures [Assignment: organization-defined frequency].
CCI-000288 The organization disseminates formal, documented configuration management policy to elements within the organization having associated configuration management roles and responsibilities.
CCI-000289 The organization reviews and updates, on an organization-defined frequency, the configuration management policy. The organization conducting the inspection/assessment obtains and examines documentation of occurrence of reviews and update actions for the configuration management policy to ensure annual review and necessary updates are occurring. DoD has defined the frequency as annually. The organization being inspected/assessed reviews and updates, annually, the configuration management policy. The organization must document each occurrence of the reviews and update actions as an audit trail. DoD has defined the frequency as annually. Configuration Management Policy And Procedures CM-1 CM-1.8 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and b. Reviews and updates the current: 1. Configuration management policy [Assignment: organization-defined frequency]; and 2. Configuration management procedures [Assignment: organization-defined frequency].
CCI-000290 The organization develops and documents procedures to facilitate the implementation of the configuration management policy and associated configuration management controls. The organization conducting the inspection/assessment obtains and examines the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls. The organization being inspected/assessed develops and documents procedures to facilitate the implementation of the configuration management policy and associated configuration management controls. Configuration Management Policy And Procedures CM-1 CM-1.5 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and b. Reviews and updates the current: 1. Configuration management policy [Assignment: organization-defined frequency]; and 2. Configuration management procedures [Assignment: organization-defined frequency].
CCI-000291 The organization disseminates formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.
CCI-000292 The organization reviews and updates, on an organization-defined frequency, the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls. The organization conducting the inspection/assessment obtains and examines documentation of occurrence of reviews and update actions for the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls to ensure annual review and necessary updates are occurring. DoD has defined the frequency as annually. The organization being inspected/assessed reviews and updates, annually, the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls. The organization must document each occurrence of the reviews and update actions as an audit trail. DoD has defined the frequency as annually. Configuration Management Policy And Procedures CM-1 CM-1.9 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and b. Reviews and updates the current: 1. Configuration management policy [Assignment: organization-defined frequency]; and 2. Configuration management procedures [Assignment: organization-defined frequency].
CCI-001585 The organization defines the circumstances that require reviews and updates to the baseline configuration of the information system. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the circumstances as baseline configuration changes or as events dictate such as changes due to USCYBERCOM tactical orders/ directives or cyber attacks. DoD has defined the circumstances as baseline configuration changes or as events dictate such as changes due to USCYBERCOM tactical orders/ directives or cyber attacks. Baseline Configuration | Reviews And Updates CM-2 (1) CM-2(1).4 Related control: CM-5. The organization reviews and updates the baseline configuration of the information system: (a) [Assignment: organization-defined frequency]; (b) When required due to [Assignment organization-defined circumstances]; and (c) As an integral part of information system component installations and upgrades.
CCI-000293 The organization develops a current baseline configuration of the information system. The organization conducting the inspection/assessment obtains and examines the documented baseline configuration. The organization being inspected/assessed develops and documents a current baseline configuration of the information system. Baseline Configuration CM-2 CM-2.1 This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture. Related controls: CM-3, CM-6, CM-8, CM-9, SA-10, PM-5, PM-7. The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
CCI-000294 The organization documents a baseline configuration of the information system.
CCI-000295 The organization maintains, under configuration control, a current baseline configuration of the information system. The organization conducting the inspection/assessment obtains and examines the current baseline to ensure the current configuration matches the current documented baseline. The organization being inspected/assessed maintains a current baseline configuration of the information system. Baseline Configuration CM-2 CM-2.2 This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture. Related controls: CM-3, CM-6, CM-8, CM-9, SA-10, PM-5, PM-7. The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
CCI-000296 The organization reviews and updates the baseline configuration of the information system at an organization-defined frequency. The organization conducting the inspection/assessment obtains and examines documentation of organizational reviews and update actions for the baseline configuration to ensure annual review and necessary updates are occurring. DoD has defined the frequency as annually. The organization being inspected/assessed reviews and updates the baseline configuration of the information system annually. The organization must document each occurrence of the reviews and update actions as an audit trail. DoD has defined the frequency as annually. Baseline Configuration | Reviews And Updates CM-2 (1) CM-2(1).1 Related control: CM-5. The organization reviews and updates the baseline configuration of the information system: (a) [Assignment: organization-defined frequency]; (b) When required due to [Assignment organization-defined circumstances]; and (c) As an integral part of information system component installations and upgrades.
CCI-000297 The organization reviews and updates the baseline configuration of the information system when required due to organization-defined circumstances. The organization conducting the inspection/assessment obtains and examines documentation of organizational reviews and update actions for the baseline configuration of the information system when required due to baseline configuration changes or as events dictate such as changes due to USCYBERCOM tactical orders/ directives or cyber attacks to ensure review and necessary updates are occurring. DoD has defined the circumstances as baseline configuration changes or as events dictate such as changes due to USCYBERCOM tactical orders/ directives or cyber attacks. The organization being inspected/assessed reviews and updates the baseline configuration of the information system when required due to baseline configuration changes or as events dictate such as changes due to USCYBERCOM tactical orders/ directives or cyber attacks. The organization must document each occurrence of the reviews and update actions as an audit trail. DoD has defined the circumstances as baseline configuration changes or as events dictate such as changes due to USCYBERCOM tactical orders/ directives or cyber attacks. Baseline Configuration | Reviews And Updates CM-2 (1) CM-2(1).3 Related control: CM-5. The organization reviews and updates the baseline configuration of the information system: (a) [Assignment: organization-defined frequency]; (b) When required due to [Assignment organization-defined circumstances]; and (c) As an integral part of information system component installations and upgrades.
CCI-000298 The organization reviews and updates the baseline configuration of the information system as an integral part of information system component installations. The organization conducting the inspection/assessment obtains and examines documentation of organizational reviews and update actions for the baseline configuration of the information system as an integral part of information system component installations to ensure review and necessary updates are occurring. The organization being inspected/assessed reviews and updates the baseline configuration of the information system as an integral part of information system component installations. The organization must document each occurrence of the reviews and update actions as an audit trail. Baseline Configuration | Reviews And Updates CM-2 (1) CM-2(1).5 Related control: CM-5. The organization reviews and updates the baseline configuration of the information system: (a) [Assignment: organization-defined frequency]; (b) When required due to [Assignment organization-defined circumstances]; and (c) As an integral part of information system component installations and upgrades.
CCI-000299 The organization reviews and updates the baseline configuration of the information system as an integral part of information system component upgrades. The organization conducting the inspection/assessment obtains and examines documentation of organizational reviews and update actions for the baseline configuration of the information system as an integral part of information system component upgrades to ensure review and necessary updates are occurring. The organization being inspected/assessed reviews and updates the baseline configuration of the information system as an integral part of information system component upgrades. The organization must document each occurrence of the reviews and update actions as an audit trail. Baseline Configuration | Reviews And Updates CM-2 (1) CM-2(1).6 Related control: CM-5. The organization reviews and updates the baseline configuration of the information system: (a) [Assignment: organization-defined frequency]; (b) When required due to [Assignment organization-defined circumstances]; and (c) As an integral part of information system component installations and upgrades.
CCI-000300 The organization employs automated mechanisms to maintain a complete baseline configuration of the information system. The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms used to maintain complete baseline configuration of the information system. The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. The organization being inspected/assessed identifies, documents, and implements automated mechanisms used to maintain complete baseline configuration of the information system. Baseline Configuration | Automation Support For Accuracy / Currency CM-2 (2) CM-2(2).1 Automated mechanisms that help organizations maintain consistent baseline configurations for information systems include, for example, hardware and software inventory tools, configuration management tools, and network management tools. Such tools can be deployed and/or allocated as common controls, at the information system level, or at the operating system or component level (e.g., on workstations, servers, notebook computers, network components, or mobile devices). Tools can be used, for example, to track version numbers on operating system applications, types of software installed, and current patch levels. This control enhancement can be satisfied by the implementation of CM-8 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related controls: CM-7, RA-5. The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
CCI-000301 The organization employs automated mechanisms to maintain an up-to-date baseline configuration of the information system. The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms used to maintain an up-to-date baseline configuration of the information system. The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. The organization being inspected/assessed identifies, documents, and implements automated mechanisms used to maintain an up-to-date baseline configuration of the information system. Baseline Configuration | Automation Support For Accuracy / Currency CM-2 (2) CM-2(2).2 Automated mechanisms that help organizations maintain consistent baseline configurations for information systems include, for example, hardware and software inventory tools, configuration management tools, and network management tools. Such tools can be deployed and/or allocated as common controls, at the information system level, or at the operating system or component level (e.g., on workstations, servers, notebook computers, network components, or mobile devices). Tools can be used, for example, to track version numbers on operating system applications, types of software installed, and current patch levels. This control enhancement can be satisfied by the implementation of CM-8 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related controls: CM-7, RA-5. The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
CCI-000302 The organization employs automated mechanisms to maintain an accurate baseline configuration of the information system. The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms used to maintain accurate baseline configuration of the information system. The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. The organization being inspected/assessed identifies, documents, and implements automated mechanisms used to maintain accurate baseline configuration of the information system. Baseline Configuration | Automation Support For Accuracy / Currency CM-2 (2) CM-2(2).3 Automated mechanisms that help organizations maintain consistent baseline configurations for information systems include, for example, hardware and software inventory tools, configuration management tools, and network management tools. Such tools can be deployed and/or allocated as common controls, at the information system level, or at the operating system or component level (e.g., on workstations, servers, notebook computers, network components, or mobile devices). Tools can be used, for example, to track version numbers on operating system applications, types of software installed, and current patch levels. This control enhancement can be satisfied by the implementation of CM-8 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related controls: CM-7, RA-5. The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
CCI-000303 The organization employs automated mechanisms to maintain a readily available baseline configuration of the information system. The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms used to maintain readily available baseline configuration of the information system. The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. The organization being inspected/assessed identifies, documents, and implements automated mechanisms used to maintain readily available baseline configuration of the information system. Baseline Configuration | Automation Support For Accuracy / Currency CM-2 (2) CM-2(2).4 Automated mechanisms that help organizations maintain consistent baseline configurations for information systems include, for example, hardware and software inventory tools, configuration management tools, and network management tools. Such tools can be deployed and/or allocated as common controls, at the information system level, or at the operating system or component level (e.g., on workstations, servers, notebook computers, network components, or mobile devices). Tools can be used, for example, to track version numbers on operating system applications, types of software installed, and current patch levels. This control enhancement can be satisfied by the implementation of CM-8 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related controls: CM-7, RA-5. The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
CCI-000304 The organization retains organization-defined previous versions of baseline configurations of the information system to support rollback. The organization conducting the inspection/assessment obtains and examines the documentation of the previous version of the baseline configuration to determine if all IS components necessary for rollback are retained. DoD has defined the previous versions as the previous approved baseline configuration of IS components for a minimum of 3 months. The organization being inspected/assessed retains the previous approved baseline configuration of IS components for a minimum of 3 months and documents baseline configuration to support rollback. The goal is to verify that the IS can roll back components to previous versions. DoD has defined the previous versions as the previous approved baseline configuration of IS components for a minimum of 3 months. Baseline Configuration | Retention Of Previous Configurations CM-2 (3) CM-2(3).1 Retaining previous versions of baseline configurations to support rollback may include, for example, hardware, software, firmware, configuration files, and configuration records. The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback.
CCI-000305 The organization develops a list of software programs not authorized to execute on the information system.
CCI-000306 The organization maintains the list of software programs not authorized to execute on the information system.
CCI-000307 The organization employs an allow-all, deny-by-exception authorization policy to identify software allowed to execute on the information system.
CCI-000308 The organization develops the list of software programs authorized to execute on the information system.
CCI-000309 The organization maintains the list of software programs authorized to execute on the information system.
CCI-000310 The organization employs a deny-all, permit-by-exception authorization policy to identify software allowed to execute on the information system.
CCI-000311 The organization maintains a baseline configuration for information system development environments that is managed separately from the operational baseline configuration. The organization conducting the inspection/assessment obtains and examines development environment baseline configuration documentation and ensures the organization is maintaining and managing a baseline configuration for the development environment separate from the operational baseline configuration. The organization being inspected/assessed establishes and maintains a development environment baseline configuration managed separately from the operational baseline configuration. Baseline Configuration | Development And Test Environments CM-2 (6) CM-2(6).1 Establishing separate baseline configurations for development, testing, and operational environments helps protect information systems from unplanned/unexpected events related to development and testing activities. Separate baseline configurations allow organizations to apply the configuration management that is most appropriate for each type of configuration. For example, management of operational configurations typically emphasizes the need for stability, while management of development/test configurations requires greater flexibility. Configurations in the test environment mirror the configurations in the operational environment to the extent practicable so that the results of the testing are representative of the proposed changes to the operational systems. This control enhancement requires separate configurations but not necessarily separate physical environments. Related controls: CM-4, SC-3, SC-7. The organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration.
CCI-000312 The organization maintains a baseline configuration for information system test environments that is managed separately from the operational baseline configuration. The organization conducting the inspection/assessment obtains and examines test environment baseline configuration documentation and ensures the organization is maintaining and managing a baseline configuration for the test environment separate from the operational baseline configuration. The organization being inspected/assessed establishes and maintains a test environment baseline configuration managed separately from the operational baseline configuration. Baseline Configuration | Development And Test Environments CM-2 (6) CM-2(6).2 Establishing separate baseline configurations for development, testing, and operational environments helps protect information systems from unplanned/unexpected events related to development and testing activities. Separate baseline configurations allow organizations to apply the configuration management that is most appropriate for each type of configuration. For example, management of operational configurations typically emphasizes the need for stability, while management of development/test configurations requires greater flexibility. Configurations in the test environment mirror the configurations in the operational environment to the extent practicable so that the results of the testing are representative of the proposed changes to the operational systems. This control enhancement requires separate configurations but not necessarily separate physical environments. Related controls: CM-4, SC-3, SC-7. The organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration.
CCI-001497 The organization defines a frequency for the reviews and updates to the baseline configuration of the information system. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually. DoD has defined the frequency as annually. Baseline Configuration | Reviews And Updates CM-2 (1) CM-2(1).2 Related control: CM-5. The organization reviews and updates the baseline configuration of the information system: (a) [Assignment: organization-defined frequency]; (b) When required due to [Assignment organization-defined circumstances]; and (c) As an integral part of information system component installations and upgrades.
CCI-001586 The organization defines the configuration change control element (e.g., committee, board) responsible for coordinating and providing oversight for configuration change control activities. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the configuration change control element as a configuration control board (CCB). DoD has defined the configuration change control element as a configuration control board (CCB). Configuration Change Control CM-3 CM-3.12 Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12. The organization: a. Determines the types of changes to the information system that are configuration-controlled; b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; c. Documents configuration change decisions associated with the information system; d. Implements approved configuration-controlled changes to the information system; e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period]; f. Audits and reviews activities associated with configuration-controlled changes to the information system; and g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
CCI-000313 The organization determines the types of changes to the information system that are configuration controlled. The organization conducting the inspection/assessment obtains and examines the configuration management policy and plan to ensure the organization identifies the types of changes to the information system that are configuration controlled. The organization being inspected/assessed determines the types of changes to the information system that are to be configuration controlled. This action will be implemented by the CCB as defined in CM-3, CCI 1586. Configuration Change Control CM-3 CM-3.1 Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12. The organization: a. Determines the types of changes to the information system that are configuration-controlled; b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; c. Documents configuration change decisions associated with the information system; d. Implements approved configuration-controlled changes to the information system; e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period]; f. Audits and reviews activities associated with configuration-controlled changes to the information system; and g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
CCI-000314 The organization approves or disapproves configuration-controlled changes to the information system, with explicit consideration for security impact analysis. The organization conducting the inspection/assessment obtains and examines the audit trail of the approval/disapproval of configuration controlled changes to ensure a security impact analysis was conducted. The organization being inspected/assessed approves or disapproves configuration controlled changes to the information system with explicit consideration for security impact analysis. The organization must maintain an audit trail of approval/disapproval of configuration controlled changes. This action will be implemented by the CCB as defined in CM-3, CCI 1586. Configuration Change Control CM-3 CM-3.2 Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12. The organization: a. Determines the types of changes to the information system that are configuration-controlled; b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; c. Documents configuration change decisions associated with the information system; d. Implements approved configuration-controlled changes to the information system; e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period]; f. Audits and reviews activities associated with configuration-controlled changes to the information system; and g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
CCI-000315 The organization documents approved configuration-controlled changes to the system.
CCI-000316 The organization retains records of configuration-controlled changes to the information system for an organization-defined time period. The organization conducting the inspection/assessment obtains and examines the records of all configuration-controlled changes to the information system to ensure the organization being inspected/assessed retains the records of all configuration-controlled changes for a time period defined by the organization's CCB. DoD has defined the time period as a time period defined by the organization's CCB. The organization being inspected/assessed retains records of all configuration-controlled changes to the information system, as a result of CM-3, CCI 1819, for a time period defined by the organization's CCB. DoD has defined the time period as a time period defined by the organization's CCB. Configuration Change Control CM-3 CM-3.6 Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12. The organization: a. Determines the types of changes to the information system that are configuration-controlled; b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; c. Documents configuration change decisions associated with the information system; d. Implements approved configuration-controlled changes to the information system; e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period]; f. Audits and reviews activities associated with configuration-controlled changes to the information system; and g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
CCI-000317 The organization reviews records of configuration-controlled changes to the system.
CCI-000318 The organization audits and reviews activities associated with configuration-controlled changes to the system. The organization conducting the inspection/assessment obtains and examines the audit trail documenting the review activities associated with configuration-controlled changes to the information system to ensure the organization being inspected/assessed audits and reviews activities associated with the changes. The organization being inspected/assessed audits and reviews activities associated with configuration-controlled changes to the information system. The organization must maintain an audit trail to include review activities associated with configuration-controlled changes. Configuration Change Control CM-3 CM-3.8 Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12. The organization: a. Determines the types of changes to the information system that are configuration-controlled; b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; c. Documents configuration change decisions associated with the information system; d. Implements approved configuration-controlled changes to the information system; e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period]; f. Audits and reviews activities associated with configuration-controlled changes to the information system; and g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
CCI-000319 The organization coordinates and provides oversight for configuration change control activities through an organization-defined configuration change control element (e.g., committee, board) that convenes at the organization-defined frequency and/or for any organization-defined configuration change conditions. The organization conducting the inspection/assessment obtains and examines the organization's configuration management policy and plan; document/charter establishing the organization's CCB; meeting minutes; information system change control records; and any other relevant documents or records. The objective of the review is to validate the organization is coordinating and overseeing the configuration change control activities through a CCB. The organization being inspected/assessed coordinates and provides oversight for configuration change control activities through a configuration control board (CCB) that convenes at a frequency determined by the CCB and/or for any configuration change conditions determined by the CCB. DoD has defined the configuration change control element as a configuration control board. DoD has defined the frequency as at a frequency determined by the CCB. DoD has defined the configuration change conditions as configuration change conditions determined by the CCB. Configuration Change Control CM-3 CM-3.9 Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12. The organization: a. Determines the types of changes to the information system that are configuration-controlled; b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; c. Documents configuration change decisions associated with the information system; d. Implements approved configuration-controlled changes to the information system; e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period]; f. Audits and reviews activities associated with configuration-controlled changes to the information system; and g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
CCI-000320 The organization defines the frequency with which to convene the configuration change control element. The organization conducting the inspection/assessment obtains and examines the CCB Charter to ensure the frequency for configuration change control review is defined. DoD has defined the frequency as at a frequency determined by the CCB. The organization being inspected/assessed defines, within their CCB Charter, the frequency for configuration change control review. DoD has defined the frequency as at a frequency determined by the CCB. Configuration Change Control CM-3 CM-3.10 Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12. The organization: a. Determines the types of changes to the information system that are configuration-controlled; b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; c. Documents configuration change decisions associated with the information system; d. Implements approved configuration-controlled changes to the information system; e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period]; f. Audits and reviews activities associated with configuration-controlled changes to the information system; and g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
CCI-000321 The organization defines configuration change conditions that prompt the configuration change control element to convene. The organization conducting the inspection/assessment obtains and examines the CCB Charter to ensure the configuration change conditions that prompt the configuration change control element to convene are defined. DoD has defined the configuration change conditions as configuration change conditions determined by the CCB. The organization being inspected/assessed defines, within their CCB Charter, the configuration change conditions that prompt the configuration change control element to convene. DoD has defined the configuration change conditions as configuration change conditions determined by the CCB. Configuration Change Control CM-3 CM-3.11 Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12. The organization: a. Determines the types of changes to the information system that are configuration-controlled; b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; c. Documents configuration change decisions associated with the information system; d. Implements approved configuration-controlled changes to the information system; e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period]; f. Audits and reviews activities associated with configuration-controlled changes to the information system; and g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
CCI-000322 The organization employs automated mechanisms to document proposed changes to the information system. The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms to ensure that the identified system documents proposed changes. The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. The organization being inspected/assessed documents and employs the automated mechanisms (e.g., Remedy, ticketing mechanism, etc.) to document proposed changes to the information system. Configuration Change Control | Automated Document / Notification / Prohibition Of Changes CM-3 (1) CM-3(1).1 The organization employs automated mechanisms to: (a) Document proposed changes to the information system; (b) Notify [Assignment: organization-defined approval authorities] of proposed changes to the information system and request change approval; (c) Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period]; (d) Prohibit changes to the information system until designated approvals are received; (e) Document all changes to the information system; and (f) Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed.
CCI-000323 The organization employs automated mechanisms to notify organization-defined approval authorities of proposed changes to the information system and request change approval. The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms to ensure that the identified system notifies designated approval authorities of proposed changes to the information system and requests change approval. The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. The organization being inspected/assessed documents and employs the automated mechanisms (e.g., Remedy, ticketing mechanism, etc.) to notify designated approval authorities of proposed changes to the information system and request change approval. Configuration Change Control | Automated Document / Notification / Prohibition Of Changes CM-3 (1) CM-3(1).2 The organization employs automated mechanisms to: (a) Document proposed changes to the information system; (b) Notify [Assignment: organization-defined approval authorities] of proposed changes to the information system and request change approval; (c) Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period]; (d) Prohibit changes to the information system until designated approvals are received; (e) Document all changes to the information system; and (f) Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed.
CCI-000324 The organization employs automated mechanisms to highlight proposed changes to the information system that have not been approved or disapproved by an organization-defined time period. The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms to ensure that the identified system highlights proposed changes to the information system that have not been approved or disapproved by 7 days. The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. DoD has defined the time period as 7 days. The organization being inspected/assessed documents and employs the automated mechanisms (e.g., Remedy, ticketing mechanism, etc.) to highlight proposed changes to the information system that have not been approved or disapproved by 7 days. DoD has defined the time period as 7 days. Configuration Change Control | Automated Document / Notification / Prohibition Of Changes CM-3 (1) CM-3(1).4 The organization employs automated mechanisms to: (a) Document proposed changes to the information system; (b) Notify [Assignment: organization-defined approval authorities] of proposed changes to the information system and request change approval; (c) Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period]; (d) Prohibit changes to the information system until designated approvals are received; (e) Document all changes to the information system; and (f) Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed.
CCI-000325 The organization employs automated mechanisms to prohibit changes to the information system until designated approvals are received. The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms to ensure that the identified system prohibits changes until designated approvals are received. The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. The organization being inspected/assessed documents and employs the automated mechanisms to prohibit changes to the information system until designated approvals are received. Configuration Change Control | Automated Document / Notification / Prohibition Of Changes CM-3 (1) CM-3(1).6 The organization employs automated mechanisms to: (a) Document proposed changes to the information system; (b) Notify [Assignment: organization-defined approval authorities] of proposed changes to the information system and request change approval; (c) Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period]; (d) Prohibit changes to the information system until designated approvals are received; (e) Document all changes to the information system; and (f) Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed.
CCI-000326 The organization employs automated mechanisms to document all changes to the information system. The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms to ensure that the identified system documents all changes. The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. The organization being inspected/assessed documents and employs the automated mechanisms (e.g., Remedy, ticketing mechanism, etc.) to document all changes to the information system. Configuration Change Control | Automated Document / Notification / Prohibition Of Changes CM-3 (1) CM-3(1).7 The organization employs automated mechanisms to: (a) Document proposed changes to the information system; (b) Notify [Assignment: organization-defined approval authorities] of proposed changes to the information system and request change approval; (c) Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period]; (d) Prohibit changes to the information system until designated approvals are received; (e) Document all changes to the information system; and (f) Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed.
CCI-000327 The organization tests changes to the information system before implementing the changes on the operational system. The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of testing activity to ensure the organization being inspected/assessed tests changes to the information system before implementing the changes on the operational system. The organization being inspected/assessed documents and implements a process to test changes to the information system before implementing the changes on the operational system. The organization must maintain an audit trail of testing activity. Configuration Change Control | Test / Validate / Document Changes CM-3 (2) CM-3(2).1 Changes to information systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6. Organizations ensure that testing does not interfere with information system operations. Individuals/groups conducting tests understand organizational security policies and procedures, information system security policies and procedures, and the specific health, safety, and environmental risks associated with particular facilities/processes. Operational systems may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If information systems must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. If testing cannot be conducted on operational systems, organizations employ compensating controls (e.g., testing on replicated systems). The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.
CCI-000328 The organization validates changes to the information system before implementing the changes on the operational system. The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of validation activity to ensure the organization being inspected/assessed validates changes to the information system before implementing the changes on the operational system. The organization being inspected/assessed documents and implements a process to validate changes to the information system before implementing the changes on the operational system. The organization must maintain an audit trail of validation activity. Configuration Change Control | Test / Validate / Document Changes CM-3 (2) CM-3(2).2 Changes to information systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6. Organizations ensure that testing does not interfere with information system operations. Individuals/groups conducting tests understand organizational security policies and procedures, information system security policies and procedures, and the specific health, safety, and environmental risks associated with particular facilities/processes. Operational systems may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If information systems must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. If testing cannot be conducted on operational systems, organizations employ compensating controls (e.g., testing on replicated systems). The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.
CCI-000329 The organization documents changes to the information system before implementing the changes on the operational system. The organization conducting the inspection/assessment obtains and examines the documented process as well as documentation of changes to the information system to ensure the organization has established, published, and is complying with the requirement to document all changes to be made to its operational information system(s) prior to their implementation. The organization being inspected/assessed documents and implements a process to document changes to the information system before implementing the changes on the operational system. Configuration Change Control | Test / Validate / Document Changes CM-3 (2) CM-3(2).3 Changes to information systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6. Organizations ensure that testing does not interfere with information system operations. Individuals/groups conducting tests understand organizational security policies and procedures, information system security policies and procedures, and the specific health, safety, and environmental risks associated with particular facilities/processes. Operational systems may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If information systems must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. If testing cannot be conducted on operational systems, organizations employ compensating controls (e.g., testing on replicated systems). The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.
CCI-000330 The organization employs automated mechanisms to implement changes to the current information system baseline. The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms to ensure that the identified system implements changes to the current information system baseline. The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. The organization being inspected/assessed documents and employs the automated mechanisms (e.g., software deployment tools) to implement changes to the current information system baseline. Configuration Change Control | Automated Change Implementation CM-3 (3) CM-3(3).1 The organization employs automated mechanisms to implement changes to the current information system baseline and deploys the updated baseline across the installed base.
CCI-000331 The organization deploys the updated information system baseline across the installed base. The organization conducting the inspection/assessment obtains and examines the documented deployment procedures and a sampling of the audit trail of automated baseline deployments to ensure the organization being inspected/assessed is deploying the updated information system baseline across the installed base. The organization being inspected/assessed documents and employs procedures for deploying the updated information system baseline across the installed base. The information system must maintain an audit trail of automated baseline deployments. Configuration Change Control | Automated Change Implementation CM-3 (3) CM-3(3).2 The organization employs automated mechanisms to implement changes to the current information system baseline and deploys the updated baseline across the installed base.
CCI-000332 The organization requires an information security representative to be a member of the organization-defined configuration change control element. The organization conducting the inspection/assessment obtains and examines the membership list of the organization's configuration control board to ensure an information security representative is a member of the organization's configuration control board. The organization being inspected/assessed requires an information security representative to be a member of the configuration control board. DoD has defined the configuration change control element as the configuration control board. Configuration Change Control | Security Representative CM-3 (4) CM-3(4).1 Information security representatives can include, for example, senior agency information security officers, information system security officers, or information system security managers. Representation by personnel with information security expertise is important because changes to information system configurations can have unintended side effects, some of which may be security-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security state of organizational information systems. The configuration change control element in this control enhancement reflects the change control elements defined by organizations in CM-3. The organization requires an information security representative to be a member of the [Assignment: organization-defined configuration change control element].
CCI-001498 The organization defines a time period after which proposed changes to the information system that have not been approved or disapproved are highlighted. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as 7 days. DoD has defined the time period as 7 days. Configuration Change Control | Automated Document / Notification / Prohibition Of Changes CM-3 (1) CM-3(1).5 The organization employs automated mechanisms to: (a) Document proposed changes to the information system; (b) Notify [Assignment: organization-defined approval authorities] of proposed changes to the information system and request change approval; (c) Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period]; (d) Prohibit changes to the information system until designated approvals are received; (e) Document all changes to the information system; and (f) Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed.
CCI-001587 The organization, when analyzing new software in a separate test environment, looks for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.
CCI-000333 The organization analyzes changes to the information system to determine potential security impacts prior to change implementation. The organization conducting the inspection/assessment obtains and examines the records of analyses to ensure the organization is conducting a security impact analysis of changes to the information system(s) prior to their implementation. The organization being inspected/assessed analyzes changes to the information system to determine potential security impacts prior to change implementation. The organization must maintain records of analysis of changes to the information system. Security Impact Analysis CM-4 CM-4.1 Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills/technical expertise to analyze the changes to information systems and the associated security ramifications. Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Security impact analyses are scaled in accordance with the security categories of the information systems. Related controls: CA-2, CA-7, CM-3, CM-9, SA-4, SA-5, SA-10, SI-2. The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
CCI-000334 The organization analyzes new software in a separate test environment before installation in an operational environment.
CCI-000335 The organization, after the information system is changed, checks the security functions to verify the functions are implemented correctly. The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of the verification of security functions to ensure the organization being inspected/assessed verifies in an operational environment, following changes to the information system, the security functions are implemented correctly. The organization being inspected/assessed documents and implements a process to verify in an operational environment, following changes to the information system, the security functions are implemented correctly. The organization must maintain an audit trail of the verification of security functions. Security Impact Analysis | Verification Of Security Functions CM-4 (2) CM-4(2).1 Implementation in this context refers to installing changed code in the operational information system. Related control: SA-11. The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the system.
CCI-000336 The organization, after the information system is changed, checks the security functions to verify the functions are operating as intended. The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of the verification of security functions to ensure the organization being inspected/assessed verifies in an operational environment, following changes to the information system, the security functions are operating as intended. The organization being inspected/assessed documents and implements a process to verify in an operational environment, following changes to the information system, the security functions are operating as intended. The organization must maintain an audit trail of the verification of security functions. Security Impact Analysis | Verification Of Security Functions CM-4 (2) CM-4(2).2 Implementation in this context refers to installing changed code in the operational information system. Related control: SA-11. The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the system.
CCI-000337 The organization, after the information system is changed, checks the security functions to verify the functions are producing the desired outcome with regard to meeting the security requirements for the system. The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of the verification of security functions to ensure the organization being inspected/assessed verifies in an operational environment, following changes to the information system, the security functions are producing the desired outcome with regard to meeting the security requirements for the system. The organization being inspected/assessed documents and implements a process to verify in an operational environment, following changes to the information system, the security functions are producing the desired outcome with regard to meeting the security requirements for the system. The organization must maintain an audit trail of the verification of security functions. Security Impact Analysis | Verification Of Security Functions CM-4 (2) CM-4(2).3 Implementation in this context refers to installing changed code in the operational information system. Related control: SA-11. The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the system.
CCI-001588 The organization-defined security configuration checklists reflect the most restrictive mode consistent with operational requirements. DoD security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.) meets the DoD requirement for ensuring security configuration checklists reflect the most restrictive mode consistent with operational requirements. DoD Components are automatically compliant with this CCI because they are covered by the DoD level security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.). DoD security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.) meets the DoD requirement for ensuring security configuration checklists reflect the most restrictive mode consistent with operational requirements. DoD Components are automatically compliant with this CCI because they are covered by the DoD level security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.). Configuration Settings CM-6 CM-6.4 Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CCI-001589 The organization incorporates detection of unauthorized, security-relevant configuration changes into the organization’s incident response capability to ensure they are tracked.
CCI-000363 The organization defines security configuration checklists to be used to establish and document configuration settings for the information system technology products employed. DoD has defined the security configuration checklists as DoD security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.). The organization conducting the inspection/assessment obtains and examines the security plan to ensure the organization being inspected/assessed has documented the configuration guidance which apply to their information system components. The organization conducting the inspection/assessment reviews the list of documented guidance to ensure that all applicable guidance is identified given the information system components within the authorization boundary. DoD has defined the security configuration checklists as DoD security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.). The organization being inspected/assessed documents in the security plan, the configuration guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.) which apply to their information system components. Configuration Settings CM-6 CM-6.1 Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CCI-000364 The organization establishes configuration settings for information technology products employed within the information system using organization-defined security configuration checklists. DoD security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.) meets the DoD requirement for establishing configuration settings. DoD Components are automatically compliant with this CCI because they are covered by the DoD level security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.). DoD security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.) meets the DoD requirement for establishing configuration settings. DoD Components are automatically compliant with this CCI because they are covered by the DoD level security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.). Configuration Settings CM-6 CM-6.2 Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CCI-000365 The organization documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists that reflect the most restrictive mode consistent with operational requirements. DoD security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.) meets the DoD requirement for documenting configuration settings. DoD Components are automatically compliant with this CCI because they are covered by the DoD level security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.). DoD security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.) meets the DoD requirement for documenting configuration settings. DoD Components are automatically compliant with this CCI because they are covered by the DoD level security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.). Configuration Settings CM-6 CM-6.3 Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CCI-000366 The organization implements the security configuration settings. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed implements DoD security configuration or implementation guidance (e.g. STIGs, NSA configuration guides, CTOs, DTMs etc.). The organization conducting the inspection/assessment tests a sampling of information system components to ensure they comply with the required settings. DoD has defined the security configuration checklists as DoD security configuration or implementation guidance (e.g. STIGs, NSA configuration guides, CTOs, DTMs etc.). The organization being inspected/assessed must develop and document a process for implementing DoD security configuration or implementation guidance (e.g. STIGs, NSA configuration guides, CTOs, DTMs etc.). DoD has defined the security configuration checklists as DoD security configuration or implementation guidance (e.g. STIGs, NSA configuration guides, CTOs, DTMs etc.). Configuration Settings CM-6 CM-6.5 Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CCI-000367 The organization identifies any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements. The organization conducting the inspection/assessment obtains and examines the security plan to ensure the organization being inspected/assessed has documented deviations from configuration settings for information system components. The organization being inspected/assessed documents in the security plan and POA&M, if applicable, the information system components as defined in CM-6, CCI 1755 which deviate from configuration settings, and which settings as defined in CM-6, CCI 1756. Configuration Settings CM-6 CM-6.6 Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CCI-000368 The organization documents any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements. The organization conducting the inspection/assessment obtains and examines the security plan to ensure the organization being inspected/assessed has documented deviations from configuration settings for information system components. The organization being inspected/assessed documents in the security plan and POA&M, if applicable, all configurable information system components which deviate from configuration settings, and which settings as defined in CM-6, CCI 1756. DoD has defined the information system components as all configurable information system components. Configuration Settings CM-6 CM-6.7 Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CCI-000369 The organization approves any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements. The organization conducting the inspection/assessment obtains and examines the security plan and the audit trail of approved changes to ensure the deviations are approved IAW CM-3, CCI 314. The organization being inspected/assessed manages and approves changes to the security plan documenting deviations IAW CM-3, CCI 314. The organization must maintain an audit trail of approved changes to the security plan. Configuration Settings CM-6 CM-6.8 Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CCI-000370 The organization employs automated mechanisms to centrally manage configuration settings for organization-defined information system components. The organization conducting the inspection/assessment obtains and examines the configuration management policy to ensure the organization being inspected/assessed identifies automated mechanisms to centrally manage configuration settings. The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. The organization being inspected/assessed identifies, documents in the configuration management policy, and implements automated mechanisms to centrally manage configuration settings. Configuration Settings | Automated Central Management / Application / Verification CM-6 (1) CM-6(1).1 Related controls: CA-7, CM-4. The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components].
CCI-000371 The organization employs automated mechanisms to centrally apply configuration settings for organization-defined information system components. The organization conducting the inspection/assessment obtains and examines the configuration management policy to ensure the organization being inspected/assessed identifies automated mechanisms to centrally apply configuration settings. The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. The organization being inspected/assessed identifies, documents in the configuration management policy, and implements automated mechanisms to centrally apply configuration settings. Configuration Settings | Automated Central Management / Application / Verification CM-6 (1) CM-6(1).2 Related controls: CA-7, CM-4. The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components].
CCI-000372 The organization employs automated mechanisms to centrally verify configuration settings for organization-defined information system components. The organization conducting the inspection/assessment obtains and examines the configuration management policy to ensure the organization being inspected/assessed identifies automated mechanisms to centrally verify configuration settings. The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. The organization being inspected/assessed identifies, documents in the configuration management policy, and implements automated mechanisms to centrally verify configuration settings. Configuration Settings | Automated Central Management / Application / Verification CM-6 (1) CM-6(1).3 Related controls: CA-7, CM-4. The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components].
CCI-000373 The organization defines configuration settings for which unauthorized changes are responded to by automated mechanisms.
CCI-000374 The organization employs automated mechanisms to respond to unauthorized changes to organization-defined configuration settings.
CCI-000375 The organization incorporates detection of unauthorized, security-relevant configuration changes into the organization's incident response capability.
CCI-000376 The organization ensures unauthorized, security-relevant configuration changes detected are monitored.
CCI-000377 The organization ensures unauthorized, security-relevant configuration changes detected are corrected.
CCI-000378 The organization ensures unauthorized, security-relevant configuration changes detected are available for historical purposes.
CCI-000379 The information system (including modifications to the baseline configuration) demonstrates conformance to security configuration guidance (i.e., security checklists) prior to being introduced into a production environment.
CCI-001502 The organization monitors changes to the configuration settings in accordance with organizational policies and procedures. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed monitors changes to the configuration settings in accordance with organizational policies and procedures. The organization being inspected/assessed develops and documents a process for monitoring changes to the configuration settings in accordance with organizational policies and procedures. Configuration Settings CM-6 CM-6.11 Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CCI-001503 The organization controls changes to the configuration settings in accordance with organizational policies and procedures. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed controls changes to the configuration settings in accordance with organizational policies and procedures. The organization being inspected/assessed develops and documents a process for controlling changes to the configuration settings in accordance with organizational policies and procedures. Configuration Settings CM-6 CM-6.12 Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CCI-001590 The organization develops a list of software programs authorized to execute on the information system.
CCI-001591 The organization develops a list of software programs not authorized to execute on the information system.
CCI-001592 The organization defines the rules authorizing the terms and conditions of software program usage on the information system. The organization conducting the inspection/assessment obtains and examines the rules as well as the software list to ensure that all network capable software programs are DoDI 8551 compliant and that the rules authorizing the use of all other programs are defined. DoD has determined that the rules authorizing the terms and conditions of software program usage on the information system are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents their rules for approval of software program usage. For network capable software programs, the organization being inspected/assessed complies with DoDI 8551. DoD has determined that the rules authorizing the terms and conditions of software program usage on the information system are not appropriate to define at the Enterprise level. Least Functionality | Prevent Program Execution CM-7 (2) CM-7(2).1 Related controls: CM-8, PM-5. The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].
CCI-001593 The organization maintains a list of software programs authorized to execute on the information system.
CCI-001594 The organization maintains a list of software programs not authorized to execute on the information system.
CCI-001595 The organization maintains rules authorizing the terms and conditions of software program usage on the information system.
CCI-000380 The organization defines prohibited or restricted functions, ports, protocols, and/or services for the information system. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the information system prohibited or restricted functions, ports, protocols, and/or services as IAW DoDI 8551.01. DoD has defined the information system prohibited or restricted functions, ports, protocols, and/or services as IAW DoDI 8551.01. Least Functionality CM-7 CM-7.2 Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. Related controls: AC-6, CM-2, RA-5, SA-5, SC-7. The organization: a. Configures the information system to provide only essential capabilities; and b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
CCI-000381 The organization configures the information system to provide only essential capabilities. The organization conducting the inspection/assessment obtains and examines the security plan to ensure the organization being inspected/assessed has identified essential capabilities. The organization conducting the inspection/assessment inspects the information system to ensure that it provides only those documented essential capabilities. The organization being inspected/assessed documents in the security plan, essential capabilities which the information system must provide. The organization being inspected/assessed configures the information system to provide only those documented essential capabilities. Least Functionality CM-7 CM-7.1 Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. Related controls: AC-6, CM-2, RA-5, SA-5, SC-7. The organization: a. Configures the information system to provide only essential capabilities; and b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
CCI-000382 The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services. The organization conducting the inspection/assessment inspects the information system to ensure the organization being inspected/assessed prohibits or restricts the use of functions, ports, protocols, and/or services IAW DoDI 8551.01. DoD has defined the information system prohibited or restricted functions, ports, protocols, and/or services as IAW DoDI 8551.01. The organization being inspected/assessed configures the information system to prohibit or restrict the use of functions, ports, protocols, and/or services IAW DoDI 8551.01. DoD has defined the information system prohibited or restricted functions, ports, protocols, and/or services as IAW DoDI 8551.01. Least Functionality CM-7 CM-7.3 Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. Related controls: AC-6, CM-2, RA-5, SA-5, SC-7. The organization: a. Configures the information system to provide only essential capabilities; and b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
CCI-000383 The organization defines the frequency of information system reviews to identify and eliminate unnecessary functions, ports, protocols and/or services.
CCI-000384 The organization reviews the information system per organization-defined frequency to identify unnecessary and nonsecure functions, ports, protocols, and services. The organization conducting the inspection/assessment obtains and examines the documented process and audit trail of reviews to ensure the organization being inspected/assessed reviews the information system every 30 days to identify unnecessary and nonsecure functions, ports, protocols, and services. DoD has defined the frequency as every 30 days. The organization being inspected/assessed documents and implements a process to review the information system every 30 days to identify unnecessary and nonsecure functions, ports, protocols, and services. The organization must maintain an audit trail of the reviews. DoD has defined the frequency as every 30 days. Least Functionality | Periodic Review CM-7 (1) CM-7(1).1 The organization can either make a determination of the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are examples of less than secure protocols. Related controls: AC-18, CM-7, IA-2. The organization: (a) Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and (b) Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure].
CCI-000385 The organization reviews the information system per organization-defined frequency to eliminate unnecessary functions, ports, protocols, and/or services.
CCI-000386 The organization employs automated mechanisms to prevent program execution on the information system in accordance with the organization-defined specifications.
CCI-000387 The organization defines registration requirements for functions, ports, protocols, and services. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the registration requirements as IAW DoDI 8551.01. DoD has defined the registration requirements as IAW DoDI 8551.01. Least Functionality | Registration Compliance CM-7 (3) CM-7(3).1 Organizations use the registration process to manage, track, and provide oversight for information systems and implemented functions, ports, protocols, and services. The organization ensures compliance with [Assignment: organization-defined registration requirements for functions, ports, protocols, and services].
CCI-000388 The organization ensures compliance with organization-defined registration requirements for functions, ports, protocols, and services. The organization conducting the inspection/assessment obtains and examines a documented listing of ports, protocols, and services in use, and reviews a sampling of those ports, protocols, and services to ensure the organization being inspected/assessed is compliant with DoDI 8551.01. DoD has defined the registration requirements as IAW DoDI 8551.01. The organization being inspected/assessed implements DoDI 8551.01. DoD has defined the registration requirements as IAW DoDI 8551.01. Least Functionality | Registration Compliance CM-7 (3) CM-7(3).2 Organizations use the registration process to manage, track, and provide oversight for information systems and implemented functions, ports, protocols, and services. The organization ensures compliance with [Assignment: organization-defined registration requirements for functions, ports, protocols, and services].
CCI-001596 The organization defines the frequency with which to review and update the current contingency planning procedures. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually. DoD has defined the frequency as annually. Contingency Planning Policy And Procedures CP-1 CP-1.9 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and b. Reviews and updates the current: 1. Contingency planning policy [Assignment: organization-defined frequency]; and 2. Contingency planning procedures [Assignment: organization-defined frequency].
CCI-001597 The organization disseminates contingency planning procedures to organization-defined personnel or roles. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8500.01 and NIST SP 800-34. DoD disseminates DoDI 8500.01 organization-wide via the DoD Issuances website. http://www.dtic.mil/whs/directives/corres/dir.html NIST disseminates NIST SP 800-34 via http://csrc.nist.gov/publications/PubsSPs.html Contingency Planning Policy And Procedures CP-1 CP-1.5 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and b. Reviews and updates the current: 1. Contingency planning policy [Assignment: organization-defined frequency]; and 2. Contingency planning procedures [Assignment: organization-defined frequency].
CCI-001598 The organization reviews and updates the current contingency planning procedures in accordance with the organization-defined frequency. DoDI 8500.01 and NIST SP 800-34 meet the DoD requirements for contingency planning policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8500.01 and NIST SP 800-34. DoDI 8500.01 and NIST SP 800-34 meet the DoD requirements for contingency planning policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8500.01 and NIST SP 800-34. Contingency Planning Policy And Procedures CP-1 CP-1.10 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and b. Reviews and updates the current: 1. Contingency planning policy [Assignment: organization-defined frequency]; and 2. Contingency planning procedures [Assignment: organization-defined frequency].
CCI-000437 The organization defines the frequency with which to review and update the current contingency planning policy. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as every 5 years. DoD has defined the frequency as every 5 years. Contingency Planning Policy And Procedures CP-1 CP-1.7 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and b. Reviews and updates the current: 1. Contingency planning policy [Assignment: organization-defined frequency]; and 2. Contingency planning procedures [Assignment: organization-defined frequency].
CCI-000438 The organization develops and documents a contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. DoDI 8500.01 and NIST SP 800-34 meet the DoD requirements for contingency planning policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8500.01 and NIST SP 800-34. DoDI 8500.01 and NIST SP 800-34 meet the DoD requirements for contingency planning policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8500.01 and NIST SP 800-34. Contingency Planning Policy And Procedures CP-1 CP-1.1 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and b. Reviews and updates the current: 1. Contingency planning policy [Assignment: organization-defined frequency]; and 2. Contingency planning procedures [Assignment: organization-defined frequency].
CCI-000439 The organization disseminates a contingency planning policy to organization-defined personnel or roles. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8500.01 and NIST SP 800-34. DoD disseminates DoDI 8500.01 organization-wide via the DoD Issuances website. http://www.dtic.mil/whs/directives/corres/dir.html NIST disseminates NIST SP 800-34 via http://csrc.nist.gov/publications/PubsSPs.html Contingency Planning Policy And Procedures CP-1 CP-1.2 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and b. Reviews and updates the current: 1. Contingency planning policy [Assignment: organization-defined frequency]; and 2. Contingency planning procedures [Assignment: organization-defined frequency].
CCI-000440 The organization reviews and updates the current contingency planning policy in accordance with an organization-defined frequency. DoDI 8500.01 and NIST SP 800-34 meet the DoD requirements for contingency planning policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8500.01 and NIST SP 800-34. DoDI 8500.01 and NIST SP 800-34 meet the DoD requirements for contingency planning policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8500.01 and NIST SP 800-34. Contingency Planning Policy And Procedures CP-1 CP-1.8 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and b. Reviews and updates the current: 1. Contingency planning policy [Assignment: organization-defined frequency]; and 2. Contingency planning procedures [Assignment: organization-defined frequency].
CCI-000441 The organization develops and documents procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls. DoDI 8500.01 and NIST SP 800-34 meet the DoD requirements for contingency planning policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8500.01 and NIST SP 800-34. DoDI 8500.01 and NIST SP 800-34 meet the DoD requirements for contingency planning policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8500.01 and NIST SP 800-34. Contingency Planning Policy And Procedures CP-1 CP-1.4 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and b. Reviews and updates the current: 1. Contingency planning policy [Assignment: organization-defined frequency]; and 2. Contingency planning procedures [Assignment: organization-defined frequency].
CCI-001599 The organization sustains operational continuity of essential missions until full information system restoration at primary processing and/or storage sites. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it documents procedures to sustain operational continuity of essential missions until full information system restoration at primary processing and/or storage sites. The organization being inspected/assessed develops and documents procedures within the contingency plan to sustain operational continuity of essential missions until full information system restoration at primary processing and/or storage sites. Contingency Plan | Continue Essential Missions / Business Functions CP-2 (5) CP-2(5).3 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites). Related control: PE-12. The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites.
CCI-001600 The organization sustains operational continuity of essential business functions until full information system restoration at primary processing and/or storage sites. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it documents procedures to sustain operational continuity of essential business functions until full information system restoration at primary processing and/or storage sites. The organization being inspected/assessed develops and documents procedures within the contingency plan to sustain operational continuity of essential business functions until full information system restoration at primary processing and/or storage sites. Contingency Plan | Continue Essential Missions / Business Functions CP-2 (5) CP-2(5).4 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites). Related control: PE-12. The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites.
CCI-001601 The organization sustains operational continuity of essential missions at alternate processing and/or storage sites until information system restoration at primary processing and/or storage sites. The organization conducting the inspection/assessment obtains and examines the continuity plan to ensure the organization being inspected/assessed documents a process for continuation of essential missions at alternate processing and/or storage sites until information system restoration at primary processing and/or storage sites. The organization being inspected/assessed documents within their continuity plan a process for continuation of essential missions at alternate processing and/or storage sites until information system restoration at primary processing and/or storage sites. Contingency Plan | Alternate Processing / Storage Site CP-2 (6) CP-2(6).3 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites). Related control: PE-12. The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites.
CCI-001602 The organization sustains operational continuity of essential business functions at alternate processing and/or storage sites until information system restoration at primary processing and/or storage sites. The organization conducting the inspection/assessment obtains and examines the continuity plan to ensure the organization being inspected/assessed documents a process for continuation of essential business functions at alternate processing and/or storage sites until information system restoration at primary processing and/or storage sites. The organization being inspected/assessed documents within their continuity plan a process for continuation of essential business functions at alternate processing and/or storage sites until information system restoration at primary processing and/or storage sites. Contingency Plan | Alternate Processing / Storage Site CP-2 (6) CP-2(6).4 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites). Related control: PE-12. The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites.
CCI-000443 The organization develops a contingency plan for the information system that identifies essential missions. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents essential missions for its information system(s). The organization being inspected/assessed must clearly and accurately document essential missions for its information system(s). Impact of loss of essential mission functions must be defined using CNSSI 1253. Contingency Plan CP-2 CP-2.1 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000444 The organization develops a contingency plan for the information system that identifies essential business functions. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents essential business functions for its information system(s). The organization being inspected/assessed must clearly and accurately document essential business functions for its information system(s). Impact of loss of essential business functions must be defined using CNSSI 1253. Contingency Plan CP-2 CP-2.2 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000445 The organization develops a contingency plan for the information system that identifies associated contingency requirements. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents associated contingency requirements for its information system(s). The organization being inspected/assessed must clearly and accurately document associated contingency requirements for its information system(s). Contingency Plan CP-2 CP-2.3 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000446 The organization develops a contingency plan for the information system that provides recovery objectives. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents recovery objectives for its information system(s). The organization being inspected/assessed must clearly and accurately document recovery objectives for its information system(s). Contingency Plan CP-2 CP-2.4 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000447 The organization develops a contingency plan for the information system that provides restoration priorities. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents restoration priorities for its information system(s). The organization being inspected/assessed must clearly and accurately document restoration priorities for its information system(s). Contingency Plan CP-2 CP-2.5 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000448 The organization develops a contingency plan for the information system that provides metrics. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents metrics for its information system(s). The organization being inspected/assessed must clearly and accurately document metrics for its information system(s). Contingency Plan CP-2 CP-2.6 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000449 The organization develops a contingency plan for the information system that addresses contingency roles, responsibilities, assigned individuals with contact information. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents contingency roles, responsibilities, assigned individuals with contact information for its information system(s). The organization being inspected/assessed must clearly and accurately document contingency roles, responsibilities, assigned individuals with contact information for its information system(s). Contingency Plan CP-2 CP-2.7 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000450 The organization develops a contingency plan for the information system that addresses maintaining essential missions despite an information system disruption. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents maintaining essential missions despite an information system disruption for its information system(s). The organization being inspected/assessed must clearly and accurately document maintaining essential missions despite an information system disruption for its information system(s). Contingency Plan CP-2 CP-2.8 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000451 The organization develops a contingency plan for the information system that addresses maintaining essential business functions despite an information system disruption. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents maintaining business functions despite an information system disruption for its information system(s). The organization being inspected/assessed must clearly and accurately document maintaining business functions despite an information system disruption for its information system(s). Contingency Plan CP-2 CP-2.9 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000452 The organization develops a contingency plan for the information system that addresses maintaining essential missions despite an information system compromise. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents maintaining essential missions despite an information system compromise for its information system(s). The organization being inspected/assessed must clearly and accurately document maintaining essential missions despite an information system compromise for its information system(s). Contingency Plan CP-2 CP-2.10 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000453 The organization develops a contingency plan for the information system that addresses maintaining essential business functions despite an information system compromise. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents maintaining business functions despite an information system compromise for its information system(s). The organization being inspected/assessed must clearly and accurately document maintaining business functions despite an information system compromise for its information system(s). Contingency Plan CP-2 CP-2.11 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000454 The organization develops a contingency plan for the information system that addresses maintaining essential missions despite an information system failure. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents maintaining essential missions despite an information system failure for its information system(s). The organization being inspected/assessed must clearly and accurately document maintaining essential missions despite an information system failure for its information system(s). Contingency Plan CP-2 CP-2.12 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000455 The organization develops a contingency plan for the information system that addresses maintaining essential business functions despite an information system failure. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents maintaining business functions despite an information system failure for its information system(s). The organization being inspected/assessed must clearly and accurately document maintaining business functions despite an information system failure for its information system(s). Contingency Plan CP-2 CP-2.13 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000456 The organization develops a contingency plan for the information system that addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented for its information system(s). The organization being inspected/assessed must clearly and accurately document eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented for its information system(s). Contingency Plan CP-2 CP-2.14 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000457 The organization develops a contingency plan for the information system that is reviewed and approved by organization-defined personnel or roles. The organization conducting the inspection/assessment obtains and examines the audit trail to ensure the contingency plan has been reviewed and approved by, at a minimum, the ISSM and ISSO. DoD has defined the personnel or roles as, at a minimum, the ISSM and ISSO. The organization being inspected/assessed has the contingency plan reviewed and approved by, at a minimum, the ISSM and ISSO. The organization must maintain an audit trail of the review and approval activity. DoD has defined the personnel or roles as, at a minimum, the ISSM and ISSO. Contingency Plan CP-2 CP-2.15 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000458 The organization defines a list of key contingency personnel (identified by name and/or by role) and organizational elements designated to receive copies of the contingency plan. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the list as all stakeholders identified in the contingency plan. DoD has defined the list as all stakeholders identified in the contingency plan. Contingency Plan CP-2 CP-2.17 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000459 The organization distributes copies of the contingency plan to an organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements. The organization conducting the inspection/assessment obtains and examines the contingency plan via the inspected organization's information sharing capability (e.g. portal, intranet, email, etc.) to ensure it has been disseminated. The organization being inspected/assessed ensures the contingency plan is disseminated to all stakeholders identified in the contingency plan via an information sharing capability. DoD has defined the list as all stakeholders identified in the contingency plan. Contingency Plan CP-2 CP-2.18 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000460 The organization coordinates contingency planning activities with incident handling activities. The organization conducting the inspection/assessment obtains and examines the contingency plan and the incident response plan (IR-8) to ensure they do not contradict each other's objectives or result in duplicate efforts/activities. The organization being inspected/assessed will coordinate the contingency plan and incident response plan (IR-8) to ensure they do not contradict each other's objectives or result in duplicate efforts/activities. Contingency Plan CP-2 CP-2.19 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000461 The organization defines the frequency with which to review the contingency plan for the information system. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually. DoD has defined the frequency as annually. Contingency Plan CP-2 CP-2.20 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000462 The organization reviews the contingency plan for the information system in accordance with organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the audit trail to ensure the contingency plan is reviewed annually. The organization being inspected/assessed annually reviews the contingency plan. The organization must maintain an audit trail of annual reviews. Contingency Plan CP-2 CP-2.21 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000463 The organization updates the contingency plan to address changes to the organization. The organization conducting the inspection/assessment obtains and examines the contingency plan and audit trail to ensure the organization clearly and accurately updates the contingency plan to address organizational changes. The organization being inspected/assessed must clearly and accurately update the contingency plan to address organizational changes. The organization must document the update activities as an audit trail. Contingency Plan CP-2 CP-2.22 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000464 The organization updates the contingency plan to address changes to the information system. The organization conducting the inspection/assessment obtains and examines the contingency plan and audit trail to ensure the organization clearly and accurately updates the contingency plan to address information system changes. The organization being inspected/assessed must clearly and accurately update the contingency plan to address changes to the information system. The organization must document the update activities as an audit trail. Contingency Plan CP-2 CP-2.23 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000465 The organization updates the contingency plan to address changes to the environment of operation. The organization conducting the inspection/assessment obtains and examines the contingency plan and audit trail to ensure the organization clearly and accurately revises the contingency plan to address changes to the environment of operation. The organization being inspected/assessed must clearly and accurately revise the contingency plan to address changes to the environment of operation. The organization must document the update activities as an audit trail. Contingency Plan CP-2 CP-2.24 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000466 The organization updates the contingency plan to address problems encountered during contingency plan implementation, execution, or testing. The organization conducting the inspection/assessment obtains and examines the contingency plan and audit trail to ensure the organization clearly and accurately revises the contingency plan to address problems encountered during contingency plan implementation, execution, or testing. The organization being inspected/assessed must clearly and accurately revise the contingency plan to address problems encountered during contingency plan implementation, execution, or testing. The organization must document the update activities as an audit trail. Contingency Plan CP-2 CP-2.25 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000468 The organization communicates contingency plan changes to an organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements. The organization conducting the inspection/assessment examines the contingency plan via the inspected organization's information sharing capability (e.g. portal, intranet, email, etc.) to ensure the most current version has been communicated. The organization being inspected/assessed communicates contingency plan changes to all stakeholders identified in the contingency plan. DoD has defined the list as all stakeholders identified in the contingency plan. Contingency Plan CP-2 CP-2.26 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000469 The organization coordinates contingency plan development with organizational elements responsible for related plans. The organization conducting the inspection/assessment obtains and examines documentation of agreements with entities responsible for the contingency or related plans to ensure there is evidence of coordination of those plans. The organization being inspected/assessed coordinates the development of its contingency plan with other organizational elements responsible for related plans. The organization documents any applicable agreements with responsible internal or external entities. For external entities the agreements could entail MOUs, MOAs, SLAs or contracts. Contingency Plan | Coordinate With Related Plans CP-2 (1) CP-2(1).1 Plans related to contingency plans for organizational information systems include, for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, Insider Threat Implementation Plan, and Occupant Emergency Plans. The organization coordinates contingency plan development with organizational elements responsible for related plans.
CCI-000470 The organization conducts capacity planning so that necessary capacity for information processing exists during contingency operations. The organization conducting the inspection/assessment obtains and examines the documented capacity planning to ensure that the organization has performed capacity planning. The organization being inspected/assessed must conduct and document capacity planning to ensure that necessary capacity for information processing exists during contingency operations. Contingency Plan | Capacity Planning CP-2 (2) CP-2(2).1 Capacity planning is needed because different types of threats (e.g., natural disasters, targeted cyber attacks) can result in a reduction of the available processing, telecommunications, and support services originally intended to support the organizational missions/business functions. Organizations may need to anticipate degraded operations during contingency operations and factor such degradation into capacity planning. The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.
CCI-000471 The organization conducts capacity planning so that necessary capacity for telecommunications exists during contingency operations. The organization conducting the inspection/assessment obtains and examines the documented capacity planning to ensure that the organization has performed capacity planning. The organization being inspected/assessed must conduct and document capacity planning to ensure that necessary capacity for telecommunications exists during contingency operations. Contingency Plan | Capacity Planning CP-2 (2) CP-2(2).2 Capacity planning is needed because different types of threats (e.g., natural disasters, targeted cyber attacks) can result in a reduction of the available processing, telecommunications, and support services originally intended to support the organizational missions/business functions. Organizations may need to anticipate degraded operations during contingency operations and factor such degradation into capacity planning. The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.
CCI-000472 The organization conducts capacity planning so that necessary capacity for environmental support exists during contingency operations. The organization conducting the inspection/assessment obtains and examines the documented capacity planning to ensure that the organization has performed capacity planning. The organization being inspected/assessed must conduct and document capacity planning to ensure that necessary capacity for environmental support exists during contingency operations. Contingency Plan | Capacity Planning CP-2 (2) CP-2(2).3 Capacity planning is needed because different types of threats (e.g., natural disasters, targeted cyber attacks) can result in a reduction of the available processing, telecommunications, and support services originally intended to support the organizational missions/business functions. Organizations may need to anticipate degraded operations during contingency operations and factor such degradation into capacity planning. The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.
CCI-000473 The organization defines the time period for planning the resumption of essential missions as a result of contingency plan activation. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as 1 hour (Availability High ) 12 hours (Availability Moderate) as defined in the contingency plan. DoD has defined the time period as 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. Contingency Plan | Resume Essential Missions / Business Functions CP-2 (3) CP-2(3).1 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of essential missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure. Related control: PE-12. The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.
CCI-000474 The organization defines the time period for planning the resumption of essential business functions as a result of contingency plan activation. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. DoD has defined the time period as 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. Contingency Plan | Resume Essential Missions / Business Functions CP-2 (3) CP-2(3).2 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of essential missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure. Related control: PE-12. The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.
CCI-000475 The organization plans for the resumption of essential missions within the organization-defined time period of contingency plan activation. The organization conducting the inspection/assessment obtains the contingency plan to ensure it contains procedures for resumption of essential missions within 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. The organization being inspected/assessed shall document within their contingency plan, procedures for resumption of essential missions within 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. Contingency Plan | Resume Essential Missions / Business Functions CP-2 (3) CP-2(3).3 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of essential missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure. Related control: PE-12. The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.
CCI-000476 The organization plans for the resumption of essential business functions within the organization-defined time period of contingency plan activation. The organization conducting the inspection/assessment obtains the contingency plan to ensure it contains procedures for resumption of essential business functions within 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. The organization being inspected/assessed shall document within their contingency plan, procedures for resumption of essential business functions within 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. Contingency Plan | Resume Essential Missions / Business Functions CP-2 (3) CP-2(3).4 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of essential missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure. Related control: PE-12. The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.
CCI-000477 The organization defines the time period for planning the resumption of all missions as a result of contingency plan activation. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as 1 hour (Availability High) 1-5 days (Availability Moderate) 5-30 days (Availability Low) as defined in the contingency plan. DoD has defined the time period as 1 hour (Availability High) 1-5 days (Availability Moderate) 5-30 days (Availability Low) as defined in the contingency plan. Contingency Plan | Resume All Missions / Business Functions CP-2 (4) CP-2(4).1 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of all missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure. Related control: PE-12. The organization plans for the resumption of all missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.
CCI-000478 The organization defines the time period for planning the resumption of all business functions as a result of contingency plan activation. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as 1 hour (Availability High) 1-5 days (Availability Moderate) 5-30 days (Availability Low) as defined in the contingency plan. DoD has defined the time period as 1 hour (Availability High) 1-5 days (Availability Moderate) 5-30 days (Availability Low) as defined in the contingency plan. Contingency Plan | Resume All Missions / Business Functions CP-2 (4) CP-2(4).2 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of all missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure. Related control: PE-12. The organization plans for the resumption of all missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.
CCI-000479 The organization plans for the resumption of all missions within an organization-defined time period of contingency plan activation. The organization conducting the inspection/assessment obtains the contingency plan to ensure it contains procedures for full resumption of affected missions within 1 hour (Availability High) 1-5 days (Availability Moderate) 5-30 days (Availability Low) as defined in the contingency plan. The organization being inspected/assessed shall document within their contingency plan, procedures for full resumption of affected missions within 1 hour (Availability High) 1-5 days (Availability Moderate) 5-30 days (Availability Low) as defined in the contingency plan. Contingency Plan | Resume All Missions / Business Functions CP-2 (4) CP-2(4).3 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of all missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure. Related control: PE-12. The organization plans for the resumption of all missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.
CCI-000480 The organization plans for the resumption of all business functions within an organization-defined time period of contingency plan activation. The organization conducting the inspection/assessment obtains the contingency plan to ensure it contains procedures for full resumption of affected business functions within 1 hour (Availability High) 1-5 days (Availability Moderate) 5-30 days (Availability Low) as defined in the contingency plan. The organization being inspected/assessed shall document within their contingency plan, procedures for full resumption of affected business functions within 1 hour (Availability High) 1-5 days (Availability Moderate) 5-30 days (Availability Low) as defined in the contingency plan. Contingency Plan | Resume All Missions / Business Functions CP-2 (4) CP-2(4).4 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of all missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure. Related control: PE-12. The organization plans for the resumption of all missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.
CCI-000481 The organization plans for the continuance of essential missions with little or no loss of operational continuity. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents maintaining essential missions despite an information system disruption for its information system(s). The organization being inspected/assessed plans for the continuance of essential missions with little or no loss of operational continuity IAW CP-2a. Contingency Plan | Continue Essential Missions / Business Functions CP-2 (5) CP-2(5).1 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites). Related control: PE-12. The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites.
CCI-000482 The organization plans for the continuance of essential business functions with little or no loss of operational continuity. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents maintaining essential business functions despite an information system disruption for its information system(s). The organization being inspected/assessed plans for the continuance of essential business functions with little or no loss of operational continuity IAW CP-2a. Contingency Plan | Continue Essential Missions / Business Functions CP-2 (5) CP-2(5).2 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites). Related control: PE-12. The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites.
CCI-000483 The organization plans for the transfer of essential missions to alternate processing and/or storage sites with little or no loss of operational continuity. The organization conducting the inspection/assessment obtains and examines the continuity plan to ensure the organization being inspected/assessed documents a process to transfer essential missions to alternate processing and/or storage sites with little or no loss of operational continuity. The organization being inspected/assessed documents within their continuity plan, a process to transfer essential missions to alternate processing and/or storage sites with little or no loss of operational continuity. Contingency Plan | Alternate Processing / Storage Site CP-2 (6) CP-2(6).1 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites). Related control: PE-12. The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites.
CCI-000484 The organization plans for the transfer of essential business functions to alternate processing and/or storage sites with little or no loss of operational continuity. The organization conducting the inspection/assessment obtains and examines the continuity plan to ensure the organization being inspected/assessed documents a process to transfer essential business functions to alternate processing and/or storage sites with little or no loss of operational continuity. The organization being inspected/assessed documents within their continuity plan, a process to transfer essential business functions to alternate processing and/or storage sites with little or no loss of operational continuity. Contingency Plan | Alternate Processing / Storage Site CP-2 (6) CP-2(6).2 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites). Related control: PE-12. The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites.
CCI-001603 The contingency plan identifies the primary storage site hazards.
CCI-001604 The organization outlines explicit mitigation actions for organization identified accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure the organization has documented explicit mitigation actions for accessibility problems identified in CP-6 (3), CCI 509 to the alternate storage site in the event of an area-wide disruption or disaster. The organization being inspected/assessed must identify and document in the contingency plan explicit mitigation actions for accessibility problems identified in CP-6 (3), CCI 509 to the alternate storage site in the event of an area-wide disruption or disaster. Alternate Storage Site | Accessibility CP-6 (3) CP-6(3).2 Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include, for example: (i) duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites; or (ii) planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted. Related control: RA-3. The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
CCI-000505 The organization establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information. The organization conducting the inspection/assessment obtains and examines the contingency plan to confirm the organization has established an alternate storage site. The organization being inspected/assessed establishes an alternate storage site and documents relevant information within the contingency plan. Alternate Storage Site CP-6 CP-6.1 Alternate storage sites are sites that are geographically distinct from primary storage sites. An alternate storage site maintains duplicate copies of information and data in the event that the primary storage site is not available. Items covered by alternate storage site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination of delivery/retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-7, CP-9, CP-10, MP-4. The organization: a. Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and b. Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.
CCI-000506 The organization initiates necessary alternate storage site agreements to permit the storage and recovery of information system backup information.
CCI-000507 The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats. The organization conducting the inspection/assessment obtains and examines the risk management strategy and the contingency plan to ensure the organization identifies an alternate storage site that is separated from the primary storage site so as not to be susceptible to the same threats identified at the primary site. The organization being inspected/assessed identifies and documents within the contingency plan an alternate storage site not susceptible to the same threats that exist at the primary storage site. The organization must document threats in the risk management strategy IAW PM-9, CCI 000227. Alternate Storage Site | Separation From Primary Site CP-6 (1) CP-6(1).1 Threats that affect alternate storage sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant. Related control: RA-3. The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.
CCI-000508 The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives. The organization conducting the inspection/assessment obtains and examines the contingency plan and conducts a walk-through of the alternate storage site to ensure the organization's documented recovery time and recovery point objectives have been met. The organization being inspected/assessed configures the alternate storage site to facilitate recovery operations IAW CP-2, CCIs 446 and 447. Alternate Storage Site | Recovery Time / Point Objectives CP-6 (2) CP-6(2).1 The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.
CCI-000509 The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure the organization has documented potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster. The organization being inspected/assessed must identify and document in the contingency plan potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster. Alternate Storage Site | Accessibility CP-6 (3) CP-6(3).1 Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include, for example: (i) duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites; or (ii) planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted. Related control: RA-3. The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
CCI-001605 The contingency plan identifies the primary processing site hazards.
CCI-001606 The organization outlines explicit mitigation actions for organization-identified potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure the organization has documented explicit mitigation actions for accessibility problems identified in CP-7 (2), CCI 517 to the alternate processing site in the event of an area-wide disruption or disaster. The organization being inspected/assessed must identify and document in the contingency plan explicit mitigation actions for accessibility problems identified in CP-7 (2), CCI 517 to the alternate processing site in the event of an area-wide disruption or disaster. Alternate Processing Site | Accessibility CP-7 (2) CP-7(2).2 Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk. Related control: RA-3. The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
CCI-000510 The organization defines the time period consistent with recovery time and recovery point objectives for essential missions/business functions to permit the transfer and resumption of organization-defined information system operations at an alternate processing site when the primary processing capabilities are unavailable. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. DoD has defined the time period as 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. Alternate Processing Site CP-7 CP-7.1 Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-6, CP-8, CP-9, CP-10, MA-6. The organization: a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site.
CCI-000511 The organization defines the time period for achieving the recovery time objectives for business functions within which processing must be resumed at the alternate processing site.
CCI-000512 The organization establishes an alternate processing site.
CCI-000513 The organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential missions within an organization-defined time period consistent with recovery time and recovery point objectives when the primary processing capabilities are unavailable. The organization conducting the inspection/assessment obtains and examines the approved alternate processing site agreements to ensure the organization has alternate processing site support that will permit the transfer and resumption of information system operations for essential missions within 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. The organization being inspected/assessed documents and gains approval for alternate processing site agreements that permit the transfer and resumption of information system operations for essential missions within 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. Alternate Processing Site CP-7 CP-7.2 Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-6, CP-8, CP-9, CP-10, MA-6. The organization: a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site.
CCI-000514 The organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential business functions within an organization-defined time period consistent with recovery time and recovery point objectives when the primary processing capabilities are unavailable. The organization conducting the inspection/assessment obtains and examines the approved alternate processing site agreements to ensure the organization has alternate processing site support that will permit the transfer and resumption of information system operations for business functions within 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. The organization being inspected/assessed documents and gains approval for alternate processing site agreements that permit the transfer and resumption of information system operations for business functions within 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. Alternate Processing Site CP-7 CP-7.3 Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-6, CP-8, CP-9, CP-10, MA-6. The organization: a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site.
CCI-000515 The organization ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption. The organization conducting the inspection/assessment obtains and examines: 1. Inventory of equipment and supplies or, 2. Contract documentation to ensure the organization has the equipment and supply resources necessary, or provisions to obtain the resources to transfer and resume operations at the alternate processing site within 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. The organization being inspected/assessed maintains an inventory of equipment and supplies required to transfer and resume operations, or engages contract support that meets required timelines to support 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. Alternate Processing Site CP-7 CP-7.5 Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-6, CP-8, CP-9, CP-10, MA-6. The organization: a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site.
CCI-000516 The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats. The organization conducting the inspection/assessment obtains and examines the risk management strategy and the contingency plan to ensure the organization identifies an alternate processing site that is separated from the primary processing site so as not to be susceptible to the same threats identified at the primary site. The organization being inspected/assessed identifies and documents within the contingency plan an alternate processing site not susceptible to the same threats that exist at the primary processing site. The organization must document threats in the risk management strategy IAW PM-9, CCI 000227. Alternate Processing Site | Separation From Primary Site CP-7 (1) CP-7(1).1 Threats that affect alternate processing sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant. Related control: RA-3. The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats.
CCI-000517 The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure the organization has documented potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster. The organization being inspected/assessed must identify and document in the contingency plan potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster. Alternate Processing Site | Accessibility CP-7 (2) CP-7(2).1 Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk. Related control: RA-3. The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
CCI-000518 The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with the organizational availability requirements (including recovery time objectives). The organization conducting the inspection/assessment obtains and examines the approved alternate processing site agreements to ensure they contain priority-of-service provisions in accordance with CP-2, CCI 447 for alternate processing site support (including recovery time objectives). The organization being inspected/assessed documents and gains approval for alternate processing site agreements that contain priority-of-service provisions in accordance with CP-2, CCI 447 (including recovery time objectives). Alternate Processing Site | Priority Of Service CP-7 (3) CP-7(3).1 Priority-of-service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources at the alternate processing site. The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with the organization's availability requirements (including recovery time objectives).
CCI-000519 The organization prepares the alternate processing site so that it is ready to be used as the operational site supporting essential missions. The organization conducting the inspection/assessment obtains and examines the contingency plan and conducts a walk-through of the alternate processing site to ensure it is ready to be used as the operational site supporting essential missions. The organization being inspected/assessed prepares the alternate processing site so that it is ready to be used as the operational site supporting essential missions IAW CP-2, CCI 443. Alternate Processing Site | Preparation For Use CP-7 (4) CP-7(4).1 Site preparation includes, for example, establishing configuration settings for information system components at the alternate processing site consistent with the requirements for such settings at the primary site and ensuring that essential supplies and other logistical considerations are in place. Related controls: CM-2, CM-6. The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions.
CCI-000520 The organization prepares the alternate processing site so that it is ready to be used as the operational site supporting essential business functions. The organization conducting the inspection/assessment obtains and examines the contingency plan and conducts a walk-through of the alternate processing site to ensure it is ready to be used as the operational site supporting business functions. The organization being inspected/assessed prepares the alternate processing site so that it is ready to be used as the operational site supporting business functions IAW CP-2, CCI 444. Alternate Processing Site | Preparation For Use CP-7 (4) CP-7(4).2 Site preparation includes, for example, establishing configuration settings for information system components at the alternate processing site consistent with the requirements for such settings at the primary site and ensuring that essential supplies and other logistical considerations are in place. Related controls: CM-2, CM-6. The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions.
CCI-000521 The organization ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site. The organization conducting the inspection/assessment obtains and examines the documentation of the primary/alternate site information security safeguards that are in place as well as evidence that the alternate site was approved based on an assessment that security is equivalent at the alternate site. The organization being inspected/assessed documents the information security safeguards that are in place at both the primary and alternate sites and evidence that the alternate site was approved based on an assessment that security is equivalent at the alternate site. Alternate Processing Site CP-7 CP-7.6 Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-6, CP-8, CP-9, CP-10, MA-6. The organization: a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site.
CCI-001607 The organization establishes alternate telecommunications services to support the information system.
CCI-001608 The organization identifies the primary provider's telecommunications service hazards.
CCI-000522 The organization defines the time period within which to permit the resumption of organization-defined information system operations for essential missions when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as 1 hour (Availability High) or 12 hours (Availability Moderate) as defined in the contingency plan. DoD has defined the time period as 1 hour (Availability High) or 12 hours (Availability Moderate) as defined in the contingency plan. Telecommunications Services CP-8 CP-8.1 This control applies to telecommunications services (data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions/business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary/alternate sites. Alternate telecommunications services include, for example, additional organizational or commercial ground-based circuits/lines or satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements. Related controls: CP-2, CP-6, CP-7. The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
CCI-000523 The organization defines the time period within which to permit the resumption of organization-defined information system operations for essential business functions when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as 1 hour (Availability High) or 12 hours (Availability Moderate) as defined in the contingency plan. DoD has defined the time period as 1 hour (Availability High) or 12 hours (Availability Moderate) as defined in the contingency plan. Telecommunications Services CP-8 CP-8.2 This control applies to telecommunications services (data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions/business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary/alternate sites. Alternate telecommunications services include, for example, additional organizational or commercial ground-based circuits/lines or satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements. Related controls: CP-2, CP-6, CP-7. The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
CCI-000524 The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of organization-defined information system operations for essential missions within an organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. The organization conducting the inspection/assessment obtains and examines the approved alternate telecommunications service agreements to ensure they permit the resumption of telecommunications services for essential missions IAW DoDI 8100.04. DoD has defined the time period as 1 hour (Availability High) or 12 hours (Availability Moderate) as defined in the contingency plan. The organization being inspected/assessed documents and gains approval for alternate telecommunications service agreements that permit the resumption of telecommunications services for essential missions IAW DoDI 8100.04. DoD has defined the time period as 1 hour (Availability High) or 12 hours (Availability Moderate) as defined in the contingency plan. Telecommunications Services CP-8 CP-8.3 This control applies to telecommunications services (data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions/business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary/alternate sites. Alternate telecommunications services include, for example, additional organizational or commercial ground-based circuits/lines or satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements. Related controls: CP-2, CP-6, CP-7. The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
CCI-000525 The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of organization-defined information system operations for essential business functions within an organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. The organization conducting the inspection/assessment obtains and examines the approved alternate telecommunications service agreements to ensure they permit the resumption of telecommunications services for essential business functions IAW DoDI 8100.04. DoD has defined the time period as 1 hour (Availability High) or 12 hours (Availability Moderate) as defined in the contingency plan. The organization being inspected/assessed documents and gains approval for alternate telecommunications service agreements that permit the resumption of telecommunications services for essential business functions IAW DoDI 8100.04. DoD has defined the time period as 1 hour (Availability High) or 12 hours (Availability Moderate) as defined in the contingency plan. Telecommunications Services CP-8 CP-8.4 This control applies to telecommunications services (data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions/business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary/alternate sites. Alternate telecommunications services include, for example, additional organizational or commercial ground-based circuits/lines or satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements. Related controls: CP-2, CP-6, CP-7. The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
CCI-000526 The organization develops primary telecommunications service agreements that contain priority-of-service provisions in accordance with the organization's availability requirements (including recovery time objectives). The organization conducting the inspection/assessment obtains and examines the approved primary telecommunications service agreements to ensure they contain priority-of-service provisions IAW DoDI 8100.04 (including recovery time objectives). The organization being inspected/assessed documents and gains approval for primary telecommunications service agreements that contain priority-of-service provisions IAW DoDI 8100.04 (including recovery time objectives). Telecommunications Services | Priority Of Service Provisions CP-8 (1) CP-8(1).1 Organizations consider the potential mission/business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions. The organization: (a) Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and (b) Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.
CCI-000527 The organization develops alternate telecommunications service agreements that contain priority-of-service provisions in accordance with the organization's availability requirements (including recovery time objectives). The organization conducting the inspection/assessment obtains and examines the approved alternate telecommunications service agreements to ensure they contain priority-of-service provisions IAW DoDI 8100.04 (including recovery time objectives). The organization being inspected/assessed documents and gains approval for alternate telecommunications service agreements that contain priority-of-service provisions IAW DoDI 8100.04 (including recovery time objectives). Telecommunications Services | Priority Of Service Provisions CP-8 (1) CP-8(1).2 Organizations consider the potential mission/business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions. The organization: (a) Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and (b) Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.
CCI-000528 The organization requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary telecommunications services are provided by a common carrier. The organization conducting the inspection/assessment obtains and examines the contingency plan, the telecommunications service agreement, and any existing formal requests for Telecommunications Service Priority. The purpose of the review is to ensure the organization or the mid-tier provider has requested Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness where the primary telecommunications services are provided by a common carrier. The organization being inspected/assessed identifies and documents within the contingency plan any telecommunications services used for national security emergency preparedness. If the primary telecommunications services are provided by a common carrier, the organization formally requests Telecommunications Service Priority IAW the DHS Telecommunications Service Priority Process http://www.dhs.gov/telecommunications-service-priority-tsp. If the primary telecommunications services are provided by a mid-tier provider instead of a common carrier (for example, DISA), the organization must ensure that its provider formally requests Telecommunications Service Priority on its behalf. Telecommunications Services | Priority Of Service Provisions CP-8 (1) CP-8(1).3 Organizations consider the potential mission/business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions. The organization: (a) Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and (b) Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.
CCI-000529 The organization requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the alternate telecommunications services are provided by a common carrier. The organization conducting the inspection/assessment obtains and examines the contingency plan, the telecommunications service agreement, and any existing formal requests for Telecommunications Service Priority. The purpose of the review is to ensure the organization has requested Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event the alternate telecommunications services are provided by a common carrier. The organization being inspected/assessed identifies and documents within the contingency plan telecommunications services used for national security emergency preparedness in the event the alternate telecommunications services are provided by a common carrier. For each service, the organization formally requests Telecommunications Service Priority IAW the DHS Telecommunications Service Priority Process http://tsp.ncs.gov/request.html. Telecommunications Services | Priority Of Service Provisions CP-8 (1) CP-8(1).4 Organizations consider the potential mission/business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions. The organization: (a) Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and (b) Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.
CCI-000530 The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services. The organization conducting the inspection/assessment obtains and examines agreements with their service providers to ensure that a single point of failure is not shared. The organization being inspected/assessed obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services IAW DoDI 8100.04. Telecommunications Services | Single Points Of Failure CP-8 (2) CP-8(2).1 The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.
CCI-000531 The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats. The organization conducting the inspection/assessment obtains and examines agreements with alternate service providers to ensure they are not susceptible to the same hazards as the primary service provider. The organization being inspected/assessed obtains alternate telecommunications services from providers that are separated from primary service providers so as not to be susceptible to the same hazards IAW DoDI 8100.04. Telecommunications Services | Separation Of Primary / Alternate Providers CP-8 (3) CP-8(3).1 Threats that affect telecommunications services are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber/physical attacks, and errors of omission/commission. Organizations seek to reduce common susceptibilities by, for example, minimizing shared infrastructure among telecommunications service providers and achieving sufficient geographic separation between services. Organizations may consider using a single service provider in situations where the service provider can provide alternate telecommunications services meeting the separation needs addressed in the risk assessment. The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
CCI-000532 The organization requires primary telecommunications service providers to have contingency plans. The organization conducting the inspection/assessment obtains and examines the primary telecommunications service provider agreements to ensure the organization requires the primary service provider to have contingency plans. The organization being inspected/assessed includes in their primary telecommunications service provider agreements requirements for the primary service provider to have contingency plans. Telecommunications Services | Provider Contingency Plan CP-8 (4) CP-8(4).1 Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security, state, and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training. The organization: (a) Requires primary and alternate telecommunications service providers to have contingency plans; (b) Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and (c) Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency].
CCI-000533 The organization requires alternate telecommunications service providers to have contingency plans. The organization conducting the inspection/assessment obtains and examines the alternate telecommunications service provider agreements to ensure the organization requires the alternate service provider to have contingency plans. The organization being inspected/assessed includes in their alternate telecommunications service provider agreements requirements for the alternate service provider to have contingency plans. Telecommunications Services | Provider Contingency Plan CP-8 (4) CP-8(4).2 Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security, state, and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training. The organization: (a) Requires primary and alternate telecommunications service providers to have contingency plans; (b) Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and (c) Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency].
CCI-001609 The organization can activate the redundant secondary information system that is not collocated with the primary system without loss of information or disruption to operations. The organization conducting the inspection/assessment determines if the organization has established a service level agreement for a redundant secondary system support that is not co-located with the primary system, and has configured the system so it can be activated to accomplish system backups without a loss of information or operational disruption. The organization being inspected/assessed establishes a service level agreement which will provide for redundant secondary system support that is not co-located with the primary system, and has configured the system so that it can be activated to accomplish system backups without a loss of information or operational disruption. Information System Backup | Redundant Secondary System CP-9 (6) CP-9(6).2 Related controls: CP-7, CP-10. The organization accomplishes information system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations.
CCI-000534 The organization defines the frequency of conducting user-level information backups to support recovery time objectives and recovery point objectives. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as at least weekly as defined in the contingency plan. DoD has defined the frequency as at least weekly as defined in the contingency plan. Information System Backup CP-9 CP-9.1 System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13. The organization: a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protects the confidentiality, integrity, and availability of backup information at storage locations.
CCI-000535 The organization conducts backups of user-level information contained in the information system per organization-defined frequency that is consistent with recovery time and recovery point objectives. The organization conducting the inspection/assessment obtains and reviews the backup strategy, and examines a sample of systems to ensure they are configured to perform backups at least weekly as defined in the contingency plan. The organization being inspected/assessed must identify user-level information within the backup strategy and configure the system to perform backups at least weekly as defined in the contingency plan. Information System Backup CP-9 CP-9.2 System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13. The organization: a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protects the confidentiality, integrity, and availability of backup information at storage locations.
CCI-000536 The organization defines the frequency of conducting system-level information backups to support recovery time objectives and recovery point objectives. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as at least weekly and as required by system baseline configuration changes in accordance with the contingency plan. DoD has defined the frequency as at least weekly and as required by system baseline configuration changes in accordance with the contingency plan. Information System Backup CP-9 CP-9.3 System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13. The organization: a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protects the confidentiality, integrity, and availability of backup information at storage locations.
CCI-000537 The organization conducts backups of system-level information contained in the information system per organization-defined frequency that is consistent with recovery time and recovery point objectives. The organization conducting the inspection/assessment obtains and reviews the backup strategy, and examines a sample of systems to ensure they are configured to perform backups at least weekly and as required by system baseline configuration changes in accordance with the contingency plan. The organization being inspected/assessed must identify system-level information within the backup strategy and configure the system to perform backups at least weekly and as required by system baseline configuration changes in accordance with the contingency plan. Information System Backup CP-9 CP-9.4 System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13. The organization: a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protects the confidentiality, integrity, and availability of backup information at storage locations.
CCI-000538 The organization defines the frequency of conducting information system documentation backups, including security-related documentation, to support recovery time objectives and recovery point objectives. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as when created or received, when updated, and as required by system baseline configuration changes in accordance with the contingency plan. DoD has defined the frequency as when created or received, when updated, and as required by system baseline configuration changes in accordance with the contingency plan. Information System Backup CP-9 CP-9.5 System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13. The organization: a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protects the confidentiality, integrity, and availability of backup information at storage locations.
CCI-000539 The organization conducts backups of information system documentation, including security-related documentation, per an organization-defined frequency that is consistent with recovery time and recovery point objectives. The organization conducting the inspection/assessment obtains and examines the latest version of the information system documentation including security-related documentation to verify it is the same version as contained in backups. The organization being inspected/assessed conducts backups of information system documentation including security-related documentation when created or received, when updated, and as required by system baseline configuration changes in accordance with the contingency plan. Information System Backup CP-9 CP-9.6 System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13. The organization: a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protects the confidentiality, integrity, and availability of backup information at storage locations.
CCI-000540 The organization protects the confidentiality, integrity, and availability of backup information at storage locations. The organization conducting the inspection/assessment obtains and examines the system security plan and ensures backup information at the storage location is protected IAW the system security plan. The organization being inspected/assessed will protect the confidentiality, integrity, and availability of backup information at the storage location IAW the system security plan. Information System Backup CP-9 CP-9.7 System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13. The organization: a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protects the confidentiality, integrity, and availability of backup information at storage locations.
CCI-000541 The organization defines the frequency with which to test backup information to verify media reliability and information integrity. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as at least monthly in accordance with the contingency plan. DoD has defined the frequency as at least monthly in accordance with the contingency plan. Information System Backup | Testing For Reliability / Integrity CP-9 (1) CP-9(1).1 Related control: CP-4. The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.
CCI-000542 The organization tests backup information per an organization-defined frequency to verify media reliability and information integrity. The organization conducting the inspection/assessment obtains and examines the backup plan and verifies that the organization has tested and logged backup information. The organization being inspected/assessed tests and logs backup information at least monthly in accordance with the contingency plan to verify media reliability and information integrity. Information System Backup | Testing For Reliability / Integrity CP-9 (1) CP-9(1).2 Related control: CP-4. The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.
CCI-000543 The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing. The organization conducting the inspection/assessment obtains and examines the contingency plan test results to verify that the sample of backup information was restored as part of the restoration of selected information system functions. The organization being inspected/assessed restores a sample of backup information as part of the restoration of selected information system functions during contingency plan testing. Organizations must identify a sample of backup information in the contingency plan test results. Information System Backup | Test Restoration Using Sampling CP-9 (2) CP-9(2).1 Related control: CP-4. The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.
CCI-000544 The organization stores backup copies of the operating system in a separate facility or in a fire-rated container that is not colocated with the operational system.
CCI-000545 The organization stores backup copies of critical information system software in a separate facility or in a fire-rated container that is not colocated with the operational system.
CCI-000546 The organization stores backup copies of the information system inventory (including hardware, software, and firmware components) in a separate facility or in a fire-rated container that is not colocated with the operational system.
CCI-000547 The organization defines the time period and transfer rate of the information system backup information to the alternate storage site consistent with the recovery time and recovery point objectives. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as Continuously (Availability High), 24 hours (Availability Moderate), 7 days (Availability Low) as defined in the contingency plan. DoD has defined the time period as Continuously (Availability High), 24 hours (Availability Moderate), 7 days (Availability Low) as defined in the contingency plan. Information System Backup | Transfer To Alternate Storage Site CP-9 (5) CP-9(5).1 Information system backup information can be transferred to alternate storage sites either electronically or by physical shipment of storage media. The organization transfers information system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives].
CCI-000548 The organization transfers information system backup information to the alternate storage site in accordance with the organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives. The organization conducting the inspection/assessment obtains and examines the contingency plan and related logs to ensure the organization transfers information system backup information to the alternate site Continuously (Availability High), 24 hours (Availability Moderate), 7 days (Availability Low) as defined in the contingency plan. The organization being inspected/assessed performs the transfer of information system backup information to the alternate site Continuously (Availability High), 24 hours (Availability Moderate), 7 days (Availability Low) as defined in the contingency plan. Information System Backup | Transfer To Alternate Storage Site CP-9 (5) CP-9(5).2 Information system backup information can be transferred to alternate storage sites either electronically or by physical shipment of storage media. The organization transfers information system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives].
CCI-000549 The organization maintains a redundant secondary information system that is not collocated with the primary system. The organization conducting the inspection/assessment determines if the organization is maintaining a redundant, secondary backup system that is not co-located with the primary system. The organization being inspected/assessed establishes and maintains a redundant, secondary backup system that is not co-located with the primary system. Information System Backup | Redundant Secondary System CP-9 (6) CP-9(6).1 Related controls: CP-7, CP-10. The organization accomplishes information system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations.
CCI-001610 The organization defines the time period (by authenticator type) for changing/refreshing authenticators. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as CAC - every 3 years, or 1 year from term of contract Password: 60 days Biometrics: every 3 years. DoD has defined the time period as CAC - every 3 years, or 1 year from term of contract Password: 60 days Biometrics: