Common Control Identifier (CCI)
The Control Correlation Identifier (CCI) provides a standard identifier and description for each of the singular, actionable statements that comprise an IA control or IA best practice. CCI bridges the gap between high-level policy expressions and low-level technical implementations. CCI allows a security requirement that is expressed in a high-level policy framework to be decomposed and explicitly associated with the low-level security setting(s) that must be assessed to determine compliance with the objectives of that specific security control. This ability to trace security requirements from their origin (e.g., regulations, IA frameworks) to their low-level implementation allows organizations to readily demonstrate compliance to multiple IA compliance frameworks. CCI also provides a means to objectively rollup and compare related compliance assessment results across disparate technologies.
| CCI | Status | Type | Published | Contributor | Definition | RMF | DIACAP |
|---|---|---|---|---|---|---|---|
| CCI-000001 | draft | policy | 2009-05-13 | DISA FSO | The organization develops an access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. | ||
| CCI-000002 | draft | policy | 2009-09-14 | DISA FSO | The organization disseminates the access control policy to organization-defined personnel or roles. | ||
| CCI-000003 | draft | policy | 2009-09-14 | DISA FSO | The organization reviews and updates the access control policy in accordance with organization-defined frequency. | ||
| CCI-000004 | draft | policy | 2009-05-13 | DISA FSO | The organization develops procedures to facilitate the implementation of the access control policy and associated access controls. | ||
| CCI-000005 | draft | policy | 2009-09-14 | DISA FSO | The organization disseminates the procedures to facilitate access control policy and associated access controls to the organization-defined personnel or roles. | ||
| CCI-000006 | draft | policy | 2009-09-14 | DISA FSO | The organization reviews and updates the access control procedures in accordance with organization-defined frequency. | ||
| CCI-000007 | draft | policy | 2009-05-13 | DISA FSO | The organization manages information system accounts by identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary). | ||
| CCI-000008 | draft | policy | 2009-09-14 | DISA FSO | The organization establishes conditions for group membership. | ||
| CCI-000009 | draft | policy | 2009-05-13 | DISA FSO | The organization manages information system accounts by identifying authorized users of the information system and specifying access privileges. | ||
| CCI-000010 | draft | policy | 2009-05-13 | DISA FSO | The organization requires approvals by organization-defined personnel or roles for requests to create information system accounts. | ||
| CCI-000011 | draft | policy | 2009-05-13 | DISA FSO | The organization creates, enables, modifies, disables, and removes information system accounts in accordance with organization-defined procedures or conditions. | ||
| CCI-000012 | draft | policy | 2009-09-14 | DISA FSO | The organization reviews information system accounts for compliance with account management requirements per organization-defined frequency. | ||
| CCI-000013 | draft | policy | 2009-09-14 | DISA FSO | The organization manages information system accounts by notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes. | ||
| CCI-000014 | draft | policy | 2009-09-14 | DISA FSO | The organization manages information system accounts by granting access to the system based on a valid access authorization; intended system usage; and other attributes as required by the organization or associated missions/business functions. | ||
| CCI-000015 | draft | technical | 2009-05-13 | DISA FSO | The organization employs automated mechanisms to support the information system account management functions. | ||
| CCI-000016 | draft | technical | 2009-05-13 | DISA FSO | The information system automatically removes or disables temporary accounts after an organization-defined time period for each type of account. | ||
| CCI-000017 | draft | technical | 2009-05-13 | DISA FSO | The information system automatically disables inactive accounts after an organization-defined time period. | ||
| CCI-000018 | draft | technical | 2009-05-13 | DISA FSO | The information system automatically audits account creation actions. | ||
| CCI-000019 | draft | policy | 2009-09-14 | DISA FSO | The organization requires that users log out in accordance with the organization-defined time period of inactivity or description of when to log out. | ||
| CCI-000020 | draft | technical | 2009-09-14 | DISA FSO | The information system dynamically manages user privileges and associated access authorizations. | ||
| CCI-000021 | draft | technical | 2009-05-13 | DISA FSO | The information system enforces dual authorization for organization-defined privileged commands and/or other organization-defined actions. |
|
|
| CCI-000022 | draft | technical | 2009-05-13 | DISA FSO | The information system enforces one or more organization-defined nondiscretionary access control policies over an organization-defined set of users and resources. |
|
|
| CCI-000023 | draft | policy | 2009-11-03 | DISA FSO | The organization develops an organization-wide information security program plan that provides sufficient information about the program management controls and common controls (including specification of parameters for any assignment and selection operations either explicitly or by reference) to enable an implementation that is unambiguously compliant with the intent of the plan, and a determination of the risk to be incurred if the plan is implemented as intended. | ||
| CCI-000024 | draft | technical | 2009-09-14 | DISA FSO | The information system prevents access to organization-defined security-relevant information except during secure, non-operable system states. |
|
|
| CCI-000025 | draft | technical | 2009-09-14 | DISA FSO | The information system enforces information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions. |
|
|
| CCI-000026 | draft | technical | 2009-05-13 | DISA FSO | The information system uses protected processing domains to enforce organization-defined information flow control policies as a basis for flow control decisions. |
|
|
| CCI-000027 | draft | technical | 2009-05-13 | DISA FSO | The information system enforces dynamic information flow control based on organization-defined policies. |
|
|
| CCI-000028 | draft | policy | 2009-05-13 | DISA FSO | The information system prevents encrypted information from bypassing content-checking mechanisms by employing organization-defined procedures or methods. |
|
|
| CCI-000029 | draft | technical | 2009-05-13 | DISA FSO | The information system enforces organization-defined limitations on the embedding of data types within other data types. |
|
|
| CCI-000030 | draft | technical | 2009-05-13 | DISA FSO | The information system enforces information flow control based on organization-defined metadata. |
|
|
| CCI-000031 | draft | technical | 2009-05-13 | DISA FSO | The information system enforces organization-defined one-way flows using hardware mechanisms. |
|
|
| CCI-000032 | draft | technical | 2009-09-14 | DISA FSO | The information system enforces information flow control using organization-defined security policy filters as a basis for flow control decisions for organization-defined information flows. |
|
|
| CCI-000033 | draft | policy | 2009-05-13 | DISA FSO | The information system enforces the use of human review for organization-defined security policy filters when the system is not capable of making an information flow control decision. |
|
|
| CCI-000034 | draft | technical | 2009-05-13 | DISA FSO | The information system provides the capability for a privileged administrator to enable/disable organization-defined security policy filters under organization-defined conditions. |
|
|
| CCI-000035 | draft | technical | 2009-09-14 | DISA FSO | The information system provides the capability for privileged administrators to configure the organization-defined security policy filters to support different security policies. |
|
|
| CCI-000036 | draft | policy | 2009-05-19 | DISA FSO | The organization separates organization-defined duties of individuals. | ||
| CCI-000037 | draft | technical | 2009-09-14 | DISA FSO | The organization implements separation of duties through assigned information system access authorizations. | ||
| CCI-000038 | draft | policy | 2009-05-19 | DISA FSO | The organization explicitly authorizes access to organization-defined security functions and security-relevant information. |
|
|
| CCI-000039 | draft | policy | 2009-09-14 | DISA FSO | The organization requires that users of information system accounts or roles, with access to organization-defined security functions or security-relevant information, use non-privileged accounts, or roles, when accessing nonsecurity functions. |
|
|
| CCI-000040 | draft | technical | 2009-09-14 | DISA FSO | The organization audits any use of privileged accounts, or roles, with access to organization-defined security functions or security-relevant information, when accessing other system functions. |
|
|
| CCI-000041 | draft | policy | 2009-05-19 | DISA FSO | The organization authorizes network access to organization-defined privileged commands only for organization-defined compelling operational needs. |
|
|
| CCI-000042 | draft | policy | 2009-05-19 | DISA FSO | The organization documents the rationale for authorized network access to organization-defined privileged commands in the security plan for the information system. |
|
|
| CCI-000043 | draft | policy | 2009-05-19 | DISA FSO | The organization defines the maximum number of consecutive invalid logon attempts to the information system by a user during an organization-defined time period. | ||
| CCI-000044 | draft | technical | 2009-09-14 | DISA FSO | The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period. | ||
| CCI-000045 | draft | policy | 2009-09-14 | DISA FSO | The organization defines in the security plan, explicitly or by reference, the time period for lock out mode or delay period. | ||
| CCI-000046 | draft | policy | 2009-09-14 | DISA FSO | The organization selects either a lock out mode for the organization-defined time period or delays the next login prompt for the organization-defined delay period for information system responses to consecutive invalid access attempts. | ||
| CCI-000047 | draft | technical | 2009-09-14 | DISA FSO | The information system delays next login prompt according to the organization-defined delay algorithm, when the maximum number of unsuccessful attempts is exceeded, automatically locks the account/node for an organization-defined time period or locks the account/node until released by an Administrator IAW organizational policy. | ||
| CCI-000048 | draft | technical | 2009-05-19 | DISA FSO | The information system displays an organization-defined system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. | ||
| CCI-000049 | draft | policy | 2009-05-19 | DISA FSO | The organization defines a system use notification message or banner displayed before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: (i) users are accessing a U.S. Government information system; (ii) system usage may be monitored, recorded, and subject to audit; (iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) use of the system indicates consent to monitoring and recording. | ||
| CCI-000050 | draft | technical | 2009-09-14 | DISA FSO | The information system retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system. | ||
| CCI-000051 | draft | policy | 2009-05-19 | DISA FSO | The organization approves the information system use notification message before its use. | ||
| CCI-000052 | draft | technical | 2009-09-14 | DISA FSO | The information system notifies the user, upon successful logon (access) to the system, of the date and time of the last logon (access). | ||
| CCI-000053 | draft | technical | 2009-09-14 | DISA FSO | The information system notifies the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access. | ||
| CCI-000054 | draft | technical | 2009-05-19 | DISA FSO | The information system limits the number of concurrent sessions for each organization-defined account and/or account type to an organization-defined number of sessions. | ||
| CCI-000055 | draft | policy | 2009-05-19 | DISA FSO | The organization defines the maximum number of concurrent sessions to be allowed for each organization-defined account and/or account type. | ||
| CCI-000056 | draft | technical | 2009-09-14 | DISA FSO | The information system retains the session lock until the user reestablishes access using established identification and authentication procedures. | ||
| CCI-000057 | draft | technical | 2009-05-19 | DISA FSO | The information system initiates a session lock after the organization-defined time period of inactivity. | ||
| CCI-000058 | draft | technical | 2009-05-19 | DISA FSO | The information system provides the capability for users to directly initiate session lock mechanisms. | ||
| CCI-000059 | draft | policy | 2009-09-14 | DISA FSO | The organization defines the time period of inactivity after which the information system initiates a session lock. | ||
| CCI-000060 | draft | technical | 2009-05-19 | DISA FSO | The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. | ||
| CCI-000061 | draft | policy | 2009-09-14 | DISA FSO | The organization identifies and defines organization-defined user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions. | ||
| CCI-000062 | draft | policy | 2009-05-19 | DISA FSO | The organization permits actions to be performed without identification and authentication only to the extent necessary to accomplish mission/business objectives. | ||
| CCI-000063 | draft | policy | 2009-09-14 | DISA FSO | The organization defines allowed methods of remote access to the information system. |
|
|
| CCI-000064 | draft | policy | 2009-05-19 | DISA FSO | The organization establishes usage restrictions and implementation guidance for each allowed remote access method. |
|
|
| CCI-000065 | draft | policy | 2009-09-14 | DISA FSO | The organization authorizes remote access to the information system prior to allowing such connections. |
|
|
| CCI-000066 | draft | technical | 2009-09-14 | DISA FSO | The organization enforces requirements for remote connections to the information system. |
|
|
| CCI-000067 | draft | technical | 2009-09-14 | DISA FSO | The information system monitors remote access methods. |
|
|
| CCI-000068 | draft | technical | 2009-09-14 | DISA FSO | The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions. |
|
|
| CCI-000069 | draft | policy | 2009-05-19 | DISA FSO | The information system routes all remote accesses through an organization-defined number of managed network access control points. |
|
|
| CCI-000070 | draft | policy | 2009-05-19 | DISA FSO | The organization authorizes the execution of privileged commands via remote access only for organization-defined needs. |
|
|
| CCI-000071 | draft | technical | 2009-05-19 | DISA FSO | The organization monitors for unauthorized remote connections to the information system on an organization-defined frequency. |
|
|
| CCI-000072 | draft | policy | 2009-09-25 | DISA FSO | The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure. |
|
|
| CCI-000073 | draft | policy | 2009-11-03 | DISA FSO | The organization develops an organization-wide information security program plan that provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements. | ||
| CCI-000074 | draft | policy | 2009-11-03 | DISA FSO | The organization develops an organization-wide information security program plan that is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation. | ||
| CCI-000075 | draft | policy | 2009-11-03 | DISA FSO | The organization reviews the organization-wide information security program plan on an organization-defined frequency. | ||
| CCI-000076 | draft | policy | 2009-11-03 | DISA FSO | The organization defines the frequency with which to review the organization-wide information security program plan. | ||
| CCI-000077 | draft | policy | 2009-11-03 | DISA FSO | The organization updates the plan to address organizational changes and problems identified during plan implementation or security control assessments. | ||
| CCI-000078 | draft | policy | 2009-11-03 | DISA FSO | The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program. | ||
| CCI-000079 | draft | policy | 2009-09-14 | DISA FSO | The organization ensures that remote sessions for accessing an organization-defined list of security functions and security-relevant information employ organization-defined additional security measures. |
|
|
| CCI-000080 | draft | policy | 2009-11-03 | DISA FSO | The organization ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement. | ||
| CCI-000081 | draft | policy | 2009-11-03 | DISA FSO | The organization employs a business case/Exhibit 300/Exhibit 53 to record the resources required. | ||
| CCI-000082 | draft | policy | 2009-05-19 | DISA FSO | The organization establishes usage restrictions for organization-controlled mobile devices. | ||
| CCI-000083 | draft | policy | 2009-05-19 | DISA FSO | The organization establishes implementation guidance for organization-controlled mobile devices. | ||
| CCI-000084 | draft | policy | 2009-09-14 | DISA FSO | The organization authorizes connection of mobile devices to organizational information systems. | ||
| CCI-000085 | draft | technical | 2009-05-19 | DISA FSO | The organization monitors for unauthorized connections of mobile devices to organizational information systems. | ||
| CCI-000086 | draft | technical | 2009-05-19 | DISA FSO | The organization enforces requirements for the connection of mobile devices to organizational information systems. | ||
| CCI-000087 | draft | technical | 2009-05-19 | DISA FSO | The organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction. | ||
| CCI-000088 | draft | policy | 2009-09-14 | DISA FSO | The organization issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures. | ||
| CCI-000089 | draft | policy | 2009-09-14 | DISA FSO | The organization applies organization-defined inspection and preventative measures to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures. | ||
| CCI-000090 | draft | policy | 2009-05-19 | DISA FSO | The organization restricts the use of writable, removable media in organizational information systems. | ||
| CCI-000091 | draft | policy | 2009-05-19 | DISA FSO | The organization prohibits the use of personally-owned, removable media in organizational information systems. | ||
| CCI-000092 | draft | policy | 2009-05-19 | DISA FSO | The organization prohibits the use of removable media in organizational information systems when the media has no identifiable owner. | ||
| CCI-000093 | draft | policy | 2009-09-14 | DISA FSO | The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to access the information system from the external information systems. | ||
| CCI-000094 | draft | policy | 2009-05-19 | DISA FSO | The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to process organization-controlled information using the external information systems. | ||
| CCI-000095 | draft | policy | 2009-05-19 | DISA FSO | The organization prohibits authorized individuals from using an external information system to access the information system except in situations where the organization can verify the implementation of required security controls on the external system as specified in the organization^s information security policy and security plan. | ||
| CCI-000096 | draft | policy | 2009-05-19 | DISA FSO | The organization prohibits authorized individuals from using an external information system to access the information system or to process, store, or transmit organization-controlled information except in situations where the organization has approved information system connection or processing agreements with the organizational entity hosting the external information system. | ||
| CCI-000097 | draft | policy | 2009-09-14 | DISA FSO | The organization restricts or prohibits the use of organization-controlled portable storage devices by authorized individuals on external information systems. | ||
| CCI-000098 | draft | policy | 2009-05-19 | DISA FSO | The organization facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for organization-defined information circumstances where user discretion is required. | ||
| CCI-000099 | draft | policy | 2009-05-19 | DISA FSO | The information system enforces information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared. | ||
| CCI-000100 | draft | policy | 2009-05-20 | DISA FSO | The organization develops and documents a security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. | ||
| CCI-000101 | draft | policy | 2009-05-20 | DISA FSO | The organization disseminates a security awareness and training policy to organization-defined personnel or roles. | ||
| CCI-000102 | draft | policy | 2009-05-20 | DISA FSO | The organization reviews and updates the current security awareness and training policy in accordance with organization-defined frequency. | ||
| CCI-000103 | draft | policy | 2009-05-20 | DISA FSO | The organization develops and documents procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls. | ||
| CCI-000104 | draft | policy | 2009-05-20 | DISA FSO | The organization disseminates security awareness and training procedures to organization-defined personnel or roles. | ||
| CCI-000105 | draft | policy | 2009-05-20 | DISA FSO | The organization reviews and updates the current security awareness and training procedures in accordance with an organization-defined frequency. | ||
| CCI-000106 | draft | policy | 2009-09-14 | DISA FSO | The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors) as part of initial training for new users. | ||
| CCI-000107 | draft | policy | 2009-05-20 | DISA FSO | The organization includes practical exercises in security awareness training that simulate actual cyber attacks. | ||
| CCI-000108 | draft | policy | 2009-05-20 | DISA FSO | The organization provides role-based security training to personnel with assigned security roles and responsibilities before authorizing access to the information system or performing assigned duties. | ||
| CCI-000109 | draft | policy | 2009-05-20 | DISA FSO | The organization provides role-based security training to personnel with assigned security roles and responsibilities when required by information system changes. | ||
| CCI-000110 | draft | policy | 2009-05-20 | DISA FSO | The organization provides refresher role-based security training to personnel with assigned security roles and responsibilities in accordance with organization-defined frequency. | ||
| CCI-000111 | draft | policy | 2009-05-20 | DISA FSO | The organization defines a frequency for providing refresher role-based security training. | ||
| CCI-000112 | draft | policy | 2009-05-20 | DISA FSO | The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors) when required by information system changes. | ||
| CCI-000113 | draft | policy | 2009-09-14 | DISA FSO | The organization documents individual information system security training activities, including basic security awareness training and specific information system security training. | ||
| CCI-000114 | draft | policy | 2009-09-14 | DISA FSO | The organization monitors individual information system security training activities, including basic security awareness training and specific information system security training. | ||
| CCI-000115 | draft | policy | 2009-09-14 | DISA FSO | The organization establishes contact with selected groups and associations within the security community to facilitate ongoing security education and training; to stay up to date with the latest recommended security practices, techniques, and technologies; and to share current security-related information including threats, vulnerabilities, and incidents. | ||
| CCI-000116 | draft | policy | 2009-09-14 | DISA FSO | The organization institutionalizes contact with selected groups and associations within the security community to facilitate ongoing security education and training; to stay up to date with the latest recommended security practices, techniques, and technologies; and to share current security-related information including threats, vulnerabilities, and incidents. | ||
| CCI-000117 | draft | policy | 2009-05-20 | DISA FSO | The organization develops and documents an audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. | ||
| CCI-000118 | draft | policy | 2009-05-20 | DISA FSO | The organization disseminates a formal, documented, audit and accountability policy to elements within the organization having associated audit and accountability roles and responsibilities. | ||
| CCI-000119 | draft | policy | 2009-05-20 | DISA FSO | The organization reviews and updates the audit and accountability policy on an organization-defined frequency. | ||
| CCI-000120 | draft | policy | 2009-05-20 | DISA FSO | The organization develops and documents procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls. | ||
| CCI-000121 | draft | policy | 2009-05-20 | DISA FSO | The organization disseminates formal, documented, procedures to elements within the organization having associated audit and accountability roles and responsibilities. | ||
| CCI-000122 | draft | policy | 2009-05-20 | DISA FSO | The organization reviews and updates the audit and accountability procedures on an organization-defined frequency. | ||
| CCI-000123 | draft | policy | 2009-09-15 | DISA FSO | The organization determines the information system must be capable of auditing an organization-defined list of auditable events. |
|
|
| CCI-000124 | draft | policy | 2009-09-15 | DISA FSO | The organization coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events. |
|
|
| CCI-000125 | draft | policy | 2009-09-15 | DISA FSO | The organization provides a rationale for why the list of auditable events is deemed to be adequate to support after-the-fact investigations of security incidents. |
|
|
| CCI-000126 | draft | policy | 2009-09-15 | DISA FSO | The organization determines that the organization-defined subset of the auditable events defined in AU-2 are to be audited within the information system. |
|
|
| CCI-000127 | draft | policy | 2009-05-20 | DISA FSO | The organization reviews and updates the list of organization-defined audited events on an organization-defined frequency. |
|
|
| CCI-000128 | draft | policy | 2009-05-20 | DISA FSO | The organization includes execution of privileged functions in the list of events to be audited by the information system. |
|
|
| CCI-000129 | draft | policy | 2009-09-15 | DISA FSO | The organization defines in the auditable events that the information system must be capable of auditing based on a risk assessment and mission/business needs. |
|
|
| CCI-000130 | draft | technical | 2009-05-20 | DISA FSO | The information system generates audit records containing information that establishes what type of event occurred. |
|
|
| CCI-000131 | draft | technical | 2009-05-20 | DISA FSO | The information system generates audit records containing information that establishes when an event occurred. |
|
|
| CCI-000132 | draft | technical | 2009-05-20 | DISA FSO | The information system generates audit records containing information that establishes where the event occurred. |
|
|
| CCI-000133 | draft | technical | 2009-05-20 | DISA FSO | The information system generates audit records containing information that establishes the source of the event. |
|
|
| CCI-000134 | draft | technical | 2009-05-20 | DISA FSO | The information system generates audit records containing information that establishes the outcome of the event. |
|
|
| CCI-000135 | draft | technical | 2009-05-20 | DISA FSO | The information system generates audit records containing the organization-defined additional, more detailed information that is to be included in the audit records. |
|
|
| CCI-000136 | draft | technical | 2009-05-20 | DISA FSO | The organization centrally manages the content of audit records generated by organization-defined information system components. |
|
|
| CCI-000137 | draft | policy | 2009-05-20 | DISA FSO | The organization allocates audit record storage capacity. | ||
| CCI-000138 | draft | technical | 2009-05-20 | DISA FSO | The organization configures auditing to reduce the likelihood of storage capacity being exceeded. | ||
| CCI-000139 | draft | technical | 2009-09-15 | DISA FSO | The information system alerts designated organization-defined personnel or roles in the event of an audit processing failure. | ||
| CCI-000140 | draft | technical | 2009-05-20 | DISA FSO | The information system takes organization-defined actions upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records). | ||
| CCI-000141 | draft | policy | 2009-11-03 | DISA FSO | The organization ensures that information security resources are available for expenditure as planned. | ||
| CCI-000142 | draft | policy | 2009-11-03 | DISA FSO | The organization implements a process for ensuring that plans of action and milestones for the security program and the associated organizational information systems are maintained. | ||
| CCI-000143 | draft | technical | 2009-05-20 | DISA FSO | The information system provides a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity. | ||
| CCI-000144 | draft | technical | 2009-05-20 | DISA FSO | The information system provides a real-time alert when organization-defined audit failure events occur. | ||
| CCI-000145 | draft | policy | 2009-05-20 | DISA FSO | The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity by delaying or rejecting network traffic which exceeds the organization-defined thresholds. | ||
| CCI-000146 | draft | policy | 2009-05-20 | DISA FSO | The organization defines the percentage of maximum audit record storage capacity that when exceeded, a warning is provided. | ||
| CCI-000147 | draft | policy | 2009-05-22 | DISA FSO | The organization defines the audit failure events requiring real-time alerts. | ||
| CCI-000148 | draft | policy | 2009-05-22 | DISA FSO | The organization reviews and analyzes information system audit records on an organization-defined frequency for indications of organization-defined inappropriate or unusual activity. | ||
| CCI-000149 | draft | policy | 2009-05-22 | DISA FSO | The organization reports any findings to organization-defined personnel or roles for indications of organization-defined inappropriate or unusual activity. | ||
| CCI-000150 | draft | policy | 2009-09-15 | DISA FSO | The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk to organizational operations, organizational assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information. | ||
| CCI-000151 | draft | policy | 2009-09-15 | DISA FSO | The organization defines the frequency for the review and analysis of information system audit records for organization-defined inappropriate or unusual activity. | ||
| CCI-000152 | draft | technical | 2009-05-22 | DISA FSO | The information system integrates audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. | ||
| CCI-000153 | draft | policy | 2009-05-22 | DISA FSO | The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. | ||
| CCI-000154 | draft | technical | 2009-05-22 | DISA FSO | The information system provides the capability to centrally review and analyze audit records from multiple components within the system. | ||
| CCI-000155 | draft | policy | 2009-09-15 | DISA FSO | The organization integrates analysis of audit records with analysis of vulnerability scanning information, performance data, and network monitoring information to further enhance the ability to identify inappropriate or unusual activity. | ||
| CCI-000156 | draft | technical | 2009-05-22 | DISA FSO | The information system provides an audit reduction capability. | ||
| CCI-000157 | draft | technical | 2009-05-22 | DISA FSO | The information system provides a report generation capability. | ||
| CCI-000158 | draft | technical | 2009-05-22 | DISA FSO | The information system provides the capability to process audit records for events of interest based on organization-defined audit fields within audit records. | ||
| CCI-000159 | draft | technical | 2009-05-22 | DISA FSO | The information system uses internal system clocks to generate time stamps for audit records. | ||
| CCI-000160 | draft | technical | 2009-05-22 | DISA FSO | The information system synchronizes internal information system clocks on an organization-defined frequency with an organization-defined authoritative time source. | ||
| CCI-000161 | draft | policy | 2009-05-22 | DISA FSO | The organization defines the frequency for the synchronization of internal information system clocks. | ||
| CCI-000162 | draft | technical | 2009-05-22 | DISA FSO | The information system protects audit information from unauthorized access. | ||
| CCI-000163 | draft | technical | 2009-05-22 | DISA FSO | The information system protects audit information from unauthorized modification. | ||
| CCI-000164 | draft | technical | 2009-05-22 | DISA FSO | The information system protects audit information from unauthorized deletion. | ||
| CCI-000165 | draft | policy | 2009-05-22 | DISA FSO | The information system writes audit records to hardware-enforced, write-once media. | ||
| CCI-000166 | draft | technical | 2009-05-22 | DISA FSO | The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. | ||
| CCI-000167 | draft | policy | 2009-05-22 | DISA FSO | The organization retains audit records for an organization-defined time period to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. | ||
| CCI-000168 | draft | policy | 2009-09-15 | DISA FSO | The organization defines the time period for retention of audit records, which is consistent with its records retention policy, to provide support for after-the-fact investigations of security incidents and meet regulatory and organizational information retention requirements. | ||
| CCI-000169 | draft | technical | 2009-05-22 | DISA FSO | The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components. | ||
| CCI-000170 | draft | policy | 2009-11-03 | DISA FSO | The organization implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation. | ||
| CCI-000171 | draft | technical | 2009-09-15 | DISA FSO | The information system allows organization-defined personnel or roles to select which auditable events are to be audited by specific components of the information system. | ||
| CCI-000172 | draft | technical | 2009-09-15 | DISA FSO | The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. | ||
| CCI-000173 | draft | policy | 2009-09-15 | DISA FSO | The organization defines the level of tolerance for relationship between time stamps of individual records in the audit trail that will be used for correlation. | ||
| CCI-000174 | draft | technical | 2009-05-22 | DISA FSO | The information system compiles audit records from organization-defined information system components into a system-wide (logical or physical) audit trail that is time-correlated to within an organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail. | ||
| CCI-000175 | draft | policy | 2009-05-22 | DISA FSO | The organization manages information system authenticators for users and devices by verifying, as part of the initial authenticator distribution, the identity of the individual and/or device receiving the authenticator. |
|
|
| CCI-000176 | draft | policy | 2009-05-22 | DISA FSO | The organization manages information system authenticators by establishing initial authenticator content for authenticators defined by the organization. |
|
|
| CCI-000177 | draft | policy | 2009-05-22 | DISA FSO | The organization manages information system authenticators for users and devices by establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised, or damaged authenticators, and for revoking authenticators. |
|
|
| CCI-000178 | draft | policy | 2009-05-22 | DISA FSO | The organization manages information system authenticators for users and devices by changing default content of authenticators upon information system installation. |
|
|
| CCI-000179 | draft | policy | 2009-05-22 | DISA FSO | The organization manages information system authenticators by establishing minimum lifetime restrictions for authenticators. |
|
|
| CCI-000180 | draft | policy | 2009-05-22 | DISA FSO | The organization manages information system authenticators by establishing maximum lifetime restrictions for authenticators. |
|
|
| CCI-000181 | draft | policy | 2009-05-22 | DISA FSO | The organization manages information system authenticators by establishing reuse conditions for authenticators. |
|
|
| CCI-000182 | draft | policy | 2009-05-22 | DISA FSO | The organization manages information system authenticators by changing/refreshing authenticators in accordance with the organization-defined time period by authenticator type. |
|
|
| CCI-000183 | draft | policy | 2009-05-22 | DISA FSO | The organization manages information system authenticators by protecting authenticator content from unauthorized disclosure. |
|
|
| CCI-000184 | draft | policy | 2009-05-22 | DISA FSO | The organization manages information system authenticators by requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators. |
|
|
| CCI-000185 | draft | technical | 2009-09-15 | DISA FSO | The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information. |
|
|
| CCI-000186 | draft | technical | 2009-09-15 | DISA FSO | The information system, for PKI-based authentication, enforces authorized access to the corresponding private key. |
|
|
| CCI-000187 | draft | technical | 2009-09-15 | DISA FSO | The information system, for PKI-based authentication, maps the authenticated identity to the account of the individual or group. |
|
|
| CCI-000188 | draft | policy | 2009-09-15 | DISA FSO | The organization requires that the registration process to receive an organizational-defined type of authenticator be carried out in person before a designated registration authority with authorization by a designated organizational official (e.g., a supervisor). |
|
|
| CCI-000189 | draft | policy | 2009-09-15 | DISA FSO | The organization employs automated tools to determine if authenticators are sufficiently strong to resist attacks intended to discover or otherwise compromise the authenticators. |
|
|
| CCI-000190 | draft | policy | 2009-09-15 | DISA FSO | The organization requires vendors/manufacturers of information system components to provide unique authenticators or change default authenticators prior to delivery. |
|
|
| CCI-000191 | deprecated | policy | 2009-09-15 | DISA FSO | The organization enforces password complexity by the number of special characters used. |
|
|
| CCI-000192 | draft | technical | 2009-09-15 | DISA FSO | The information system enforces password complexity by the minimum number of upper case characters used. |
|
|
| CCI-000193 | draft | technical | 2009-09-15 | DISA FSO | The information system enforces password complexity by the minimum number of lower case characters used. |
|
|
| CCI-000194 | draft | technical | 2009-09-15 | DISA FSO | The information system enforces password complexity by the minimum number of numeric characters used. |
|
|
| CCI-000195 | draft | technical | 2009-09-15 | DISA FSO | The information system, for password-based authentication, when new passwords are created, enforces that at least an organization-defined number of characters are changed. |
|
|
| CCI-000196 | draft | technical | 2009-09-15 | DISA FSO | The information system, for password-based authentication, stores only cryptographically-protected passwords. |
|
|
| CCI-000197 | draft | technical | 2009-09-15 | DISA FSO | The information system, for password-based authentication, transmits only cryptographically-protected passwords. |
|
|
| CCI-000198 | draft | technical | 2009-09-15 | DISA FSO | The information system enforces minimum password lifetime restrictions. |
|
|
| CCI-000199 | draft | technical | 2009-09-15 | DISA FSO | The information system enforces maximum password lifetime restrictions. |
|
|
| CCI-000200 | draft | technical | 2009-05-22 | DISA FSO | The information system prohibits password reuse for the organization-defined number of generations. |
|
|
| CCI-000201 | draft | policy | 2009-05-22 | DISA FSO | The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access. |
|
|
| CCI-000202 | draft | policy | 2009-05-22 | DISA FSO | The organization ensures unencrypted static authenticators are not embedded in access scripts. |
|
|
| CCI-000203 | draft | policy | 2009-05-22 | DISA FSO | The organization ensures unencrypted static authenticators are not stored on function keys. |
|
|
| CCI-000204 | draft | policy | 2009-05-22 | DISA FSO | The organization defines the security safeguards required to manage the risk of compromise due to individuals having accounts on multiple information systems. |
|
|
| CCI-000205 | draft | technical | 2009-05-22 | DISA FSO | The information system enforces minimum password length. |
|
|
| CCI-000206 | draft | technical | 2009-05-22 | DISA FSO | The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. | ||
| CCI-000207 | draft | policy | 2009-11-03 | DISA FSO | The organization develops and maintains an inventory of its information systems. | ||
| CCI-000208 | draft | policy | 2009-09-14 | DISA FSO | The organization determines normal time-of-day and duration usage for information system accounts. | ||
| CCI-000209 | draft | policy | 2009-11-03 | DISA FSO | The organization develops the results of information security measures of performance. | ||
| CCI-000210 | draft | policy | 2009-11-03 | DISA FSO | The organization monitors the results of information security measures of performance. | ||
| CCI-000211 | draft | policy | 2009-11-03 | DISA FSO | The organization reports on the results of information security measures of performance. | ||
| CCI-000212 | draft | policy | 2009-11-03 | DISA FSO | The organization develops an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation. | ||
| CCI-000213 | draft | technical | 2009-09-14 | DISA FSO | The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
|
|
| CCI-000214 | draft | policy | 2009-09-14 | DISA FSO | The organization establishes a Discretionary Access Control (DAC) policy that limits propagation of access rights. |
|
|
| CCI-000215 | draft | policy | 2009-09-14 | DISA FSO | The organization establishes a Discretionary Access Control (DAC) policy that includes or excludes access to the granularity of a single user. |
|
|
| CCI-000216 | draft | policy | 2009-11-03 | DISA FSO | The organization develops and documents a critical infrastructure and key resource protection plan that addresses information security issues. | ||
| CCI-000217 | draft | policy | 2009-09-24 | DISA FSO | The organization defines a time period after which inactive accounts are automatically disabled. | ||
| CCI-000218 | draft | technical | 2009-09-14 | DISA FSO | The information system, when transferring information between different security domains, identifies information flows by data type specification and usage. |
|
|
| CCI-000219 | draft | technical | 2009-09-14 | DISA FSO | The information system, when transferring information between different security domains, decomposes information into organization-defined policy-relevant subcomponents for submission to policy enforcement mechanisms. |
|
|
| CCI-000221 | draft | technical | 2009-09-14 | DISA FSO | The information system enforces security policies regarding information on interconnected systems. |
|
|
| CCI-000223 | draft | technical | 2009-09-14 | DISA FSO | The information system binds security attributes to information to facilitate information flow policy enforcement. |
|
|
| CCI-000224 | draft | technical | 2009-09-14 | DISA FSO | The information system tracks problems associated with the security attribute binding. |
|
|
| CCI-000225 | draft | policy | 2009-09-14 | DISA FSO | The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. |
|
|
| CCI-000226 | draft | technical | 2009-09-14 | DISA FSO | The information system provides the capability for a privileged administrator to configure organization-defined security policy filters to support different security policies. |
|
|
| CCI-000227 | draft | policy | 2009-11-03 | DISA FSO | The organization develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems. | ||
| CCI-000228 | draft | policy | 2009-11-03 | DISA FSO | The organization implements a comprehensive strategy to manage risk to organization operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems consistently across the organization. | ||
| CCI-000229 | draft | policy | 2009-11-03 | DISA FSO | The organization documents the security state of organizational information systems and the environments in which those systems operate through security authorization processes. | ||
| CCI-000230 | draft | policy | 2009-11-03 | DISA FSO | The organization tracks the security state of organizational information systems and the environments in which those systems operate through security authorization processes. | ||
| CCI-000231 | draft | policy | 2009-11-03 | DISA FSO | The organization reports the security state of organizational information systems and the environments in which those systems operate through security authorization processes. | ||
| CCI-000232 | draft | policy | 2009-09-14 | DISA FSO | The organization documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification and authentication. | ||
| CCI-000233 | draft | policy | 2009-11-03 | DISA FSO | The organization designates individuals to fulfill specific roles and responsibilities within the organizational risk management process. | ||
| CCI-000234 | draft | policy | 2009-11-03 | DISA FSO | The organization fully integrates the security authorization processes into an organization-wide risk management program. | ||
| CCI-000235 | draft | policy | 2009-11-04 | DISA FSO | The organization defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation. | ||
| CCI-000236 | draft | policy | 2009-11-04 | DISA FSO | The organization determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs are obtained. | ||
| CCI-000237 | draft | policy | 2009-06-23 | DISA FSO | The organization manages information system accounts by specifically authorizing and monitoring the use of guest/anonymous accounts and temporary accounts. | ||
| CCI-000238 | draft | policy | 2009-09-15 | DISA FSO | The organization defines the frequency to review and update the current security assessment and authorization policy. | ||
| CCI-000239 | draft | policy | 2009-09-15 | DISA FSO | The organization develops and documents a security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. | ||
| CCI-000240 | draft | policy | 2009-09-15 | DISA FSO | The organization disseminates to organization-defined personnel or roles a security assessment and authorization policy. | ||
| CCI-000241 | draft | policy | 2009-09-15 | DISA FSO | The organization reviews and updates the current security assessment and authorization policy in accordance with organization-defined frequency. | ||
| CCI-000242 | draft | policy | 2009-09-15 | DISA FSO | The organization develops and documents procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls. | ||
| CCI-000243 | draft | policy | 2009-09-15 | DISA FSO | The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls. | ||
| CCI-000244 | draft | policy | 2009-09-15 | DISA FSO | The organization reviews and updates the current security assessment and authorization procedures in accordance with organization-defined frequency. | ||
| CCI-000245 | draft | policy | 2009-09-15 | DISA FSO | The organization develops a security assessment plan for the information system and its environment of operation. | ||
| CCI-000246 | draft | policy | 2009-09-15 | DISA FSO | The organization's security assessment plan describes the security controls and control enhancements under assessment. | ||
| CCI-000247 | draft | policy | 2009-09-15 | DISA FSO | The organization's security assessment plan describes assessment procedures to be used to determine security control effectiveness. | ||
| CCI-000248 | draft | policy | 2009-09-15 | DISA FSO | The organization's security assessment plan describes assessment environment. | ||
| CCI-000249 | draft | policy | 2009-09-15 | DISA FSO | The organizations security assessment plan describes the assessment team. | ||
| CCI-000250 | draft | policy | 2009-09-15 | DISA FSO | The organization's security assessment plan describes assessment roles and responsibilities. | ||
| CCI-000251 | draft | policy | 2009-09-15 | DISA FSO | The organization assesses, on an organization-defined frequency, the security controls in the information system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements. | ||
| CCI-000252 | draft | policy | 2009-09-15 | DISA FSO | The organization defines the frequency on which the security controls in the information system and its environment of operation are assessed. | ||
| CCI-000253 | draft | policy | 2009-09-15 | DISA FSO | The organization produces a security assessment report that documents the results of the assessment against the information system and its environment of operation. | ||
| CCI-000254 | draft | policy | 2009-09-15 | DISA FSO | The organization provides the results of the security control assessment against the information system and its environment of operation to organization-defined individuals or roles. | ||
| CCI-000255 | draft | policy | 2009-09-15 | DISA FSO | The organization employs assessors or assessment teams with an organization-defined level of independence to conduct security control assessments of organizational information systems. | ||
| CCI-000256 | draft | policy | 2009-09-15 | DISA FSO | The organization includes, as part of security control assessments announced or unannounced, one or more of the following: in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; and organization-defined other forms of security assessment on an organization-defined frequency. | ||
| CCI-000257 | draft | policy | 2009-09-15 | DISA FSO | The organization authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements. | ||
| CCI-000258 | draft | policy | 2009-09-15 | DISA FSO | The organization documents, for each interconnection, the interface characteristics. | ||
| CCI-000259 | draft | policy | 2009-09-15 | DISA FSO | The organization documents, for each interconnection, the security requirements. | ||
| CCI-000260 | draft | policy | 2009-09-15 | DISA FSO | The organization documents, for each interconnection, the nature of the information communicated. | ||
| CCI-000261 | draft | policy | 2009-09-15 | DISA FSO | The organization monitors the information system connections on an ongoing basis to verify enforcement of security requirements. | ||
| CCI-000262 | draft | policy | 2009-09-15 | DISA FSO | The organization prohibits the direct connection of an organization-defined unclassified, national security system to an external network without the use of an organization-defined boundary protection device. | ||
| CCI-000263 | draft | policy | 2009-09-15 | DISA FSO | The organization prohibits the direct connection of a classified, national security system to an external network without the use of organization-defined boundary protection device. | ||
| CCI-000264 | draft | policy | 2009-09-15 | DISA FSO | The organization develops a plan of action and milestones for the information system to document the organization^s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system. | ||
| CCI-000265 | draft | policy | 2009-09-15 | DISA FSO | The organization defines the frequency with which to update the existing plan of action and milestones for the information system. | ||
| CCI-000266 | draft | policy | 2009-09-15 | DISA FSO | The organization updates, on an organization-defined frequency, the existing plan of action and milestones for the information system based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. | ||
| CCI-000267 | draft | policy | 2009-09-15 | DISA FSO | The organization employs automated mechanisms to help ensure the plan of action and milestones for the information system is accurate. | ||
| CCI-000268 | draft | policy | 2009-09-15 | DISA FSO | The organization employs automated mechanisms to help ensure the plan of action and milestones for the information system is up to date. | ||
| CCI-000269 | draft | policy | 2009-09-15 | DISA FSO | The organization employs automated mechanisms to help ensure the plan of action and milestones for the information system is readily available. | ||
| CCI-000270 | draft | policy | 2009-09-15 | DISA FSO | The organization assigns a senior-level executive or manager as the authorizing official for the information system. | ||
| CCI-000271 | draft | policy | 2009-09-15 | DISA FSO | The organization ensures the authorizing official authorizes the information system for processing before commencing operations. | ||
| CCI-000272 | draft | policy | 2009-09-15 | DISA FSO | The organization updates the security authorization on an organization-defined frequency. | ||
| CCI-000273 | draft | policy | 2009-09-15 | DISA FSO | The organization defines the frequency with which to update the security authorization. | ||
| CCI-000274 | draft | policy | 2009-09-15 | DISA FSO | The organization develops a continuous monitoring strategy. | ||
| CCI-000275 | draft | policy | 2009-09-15 | DISA FSO | The organization implements a continuous monitoring program that includes a configuration management process for the information system. | ||
| CCI-000276 | draft | policy | 2009-09-15 | DISA FSO | The organization implements a continuous monitoring program that includes a configuration management process for the information system constituent components. | ||
| CCI-000277 | draft | policy | 2009-09-15 | DISA FSO | The organization implements a continuous monitoring program that includes a determination of the security impact of changes to the information system. | ||
| CCI-000278 | draft | policy | 2009-09-15 | DISA FSO | The organization implements a continuous monitoring program that includes a determination of the security impact of changes to the environment of operation. | ||
| CCI-000279 | draft | policy | 2009-09-15 | DISA FSO | The organization implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy. | ||
| CCI-000280 | draft | policy | 2009-09-15 | DISA FSO | The organization implements a continuous monitoring program that includes reporting the security status of the organization and the information system to organization-defined personnel or roles on an organization-defined frequency. | ||
| CCI-000281 | draft | policy | 2009-09-15 | DISA FSO | The organization defines the frequency with which to report the security status of the organization and the information system to organization-defined personnel or roles. | ||
| CCI-000282 | draft | policy | 2009-09-15 | DISA FSO | The organization employs assessors or assessment teams with an organization-defined level of independence to monitor the security controls in the information system on an ongoing basis. | ||
| CCI-000283 | draft | policy | 2009-09-15 | DISA FSO | The organization plans announced or unannounced assessments (in-depth monitoring, malicious user testing, penetration testing, red team exercises, or other organization-defined forms of security assessment), on an organization-defined frequency, to ensure compliance with all vulnerability mitigation procedures. | ||
| CCI-000284 | draft | policy | 2009-09-15 | DISA FSO | The organization schedules announced or unannounced assessments (in-depth monitoring, malicious user testing, penetration testing, red team exercises, or other organization-defined forms of security assessment), on an organization-defined frequency, to ensure compliance with all vulnerability mitigation procedures. | ||
| CCI-000285 | draft | policy | 2009-09-15 | DISA FSO | The organization conducts announced or unannounced assessments (in-depth monitoring, malicious user testing, penetration testing, red team exercises, or other organization-defined forms of security assessment), on an organization-defined frequency, to ensure compliance with all vulnerability mitigation procedures. | ||
| CCI-000286 | draft | policy | 2009-09-17 | DISA FSO | The organization defines a frequency with which to review and update the configuration management policies. | ||
| CCI-000287 | draft | policy | 2009-09-17 | DISA FSO | The organization develops and documents a configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. | ||
| CCI-000288 | draft | policy | 2009-09-17 | DISA FSO | The organization disseminates formal, documented configuration management policy to elements within the organization having associated configuration management roles and responsibilities. | ||
| CCI-000289 | draft | policy | 2009-09-17 | DISA FSO | The organization reviews and updates, on an organization-defined frequency, the configuration management policy. | ||
| CCI-000290 | draft | policy | 2009-09-17 | DISA FSO | The organization develops and documents procedures to facilitate the implementation of the configuration management policy and associated configuration management controls. | ||
| CCI-000291 | draft | policy | 2009-09-17 | DISA FSO | The organization disseminates formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls. | ||
| CCI-000292 | draft | policy | 2009-09-17 | DISA FSO | The organization reviews and updates, on an organization-defined frequency, the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls. | ||
| CCI-000293 | draft | policy | 2009-09-17 | DISA FSO | The organization develops a current baseline configuration of the information system. | ||
| CCI-000294 | draft | policy | 2009-09-17 | DISA FSO | The organization documents a baseline configuration of the information system. | ||
| CCI-000295 | draft | policy | 2009-09-17 | DISA FSO | The organization maintains, under configuration control, a current baseline configuration of the information system. | ||
| CCI-000296 | draft | policy | 2009-09-17 | DISA FSO | The organization reviews and updates the baseline configuration of the information system at an organization-defined frequency. | ||
| CCI-000297 | draft | policy | 2009-09-17 | DISA FSO | The organization reviews and updates the baseline configuration of the information system when required due to organization-defined circumstances. | ||
| CCI-000298 | draft | policy | 2009-09-17 | DISA FSO | The organization reviews and updates the baseline configuration of the information system as an integral part of information system component installations. | ||
| CCI-000299 | draft | policy | 2009-09-17 | DISA FSO | The organization reviews and updates the baseline configuration of the information system as an integral part of information system component upgrades. | ||
| CCI-000300 | draft | policy | 2009-09-17 | DISA FSO | The organization employs automated mechanisms to maintain a complete baseline configuration of the information system. | ||
| CCI-000301 | draft | policy | 2009-09-17 | DISA FSO | The organization employs automated mechanisms to maintain an up-to-date baseline configuration of the information system. | ||
| CCI-000302 | draft | policy | 2009-09-17 | DISA FSO | The organization employs automated mechanisms to maintain an accurate baseline configuration of the information system. | ||
| CCI-000303 | draft | policy | 2009-09-17 | DISA FSO | The organization employs automated mechanisms to maintain a readily available baseline configuration of the information system. | ||
| CCI-000304 | draft | policy | 2009-09-17 | DISA FSO | The organization retains organization-defined previous versions of baseline configurations of the information system to support rollback. | ||
| CCI-000305 | draft | policy | 2009-09-17 | DISA FSO | The organization develops a list of software programs not authorized to execute on the information system. | ||
| CCI-000306 | draft | policy | 2009-09-17 | DISA FSO | The organization maintains the list of software programs not authorized to execute on the information system. | ||
| CCI-000307 | draft | policy | 2009-09-17 | DISA FSO | The organization employs an allow-all, deny-by-exception authorization policy to identify software allowed to execute on the information system. | ||
| CCI-000308 | draft | policy | 2009-09-17 | DISA FSO | The organization develops the list of software programs authorized to execute on the information system. | ||
| CCI-000309 | draft | policy | 2009-09-17 | DISA FSO | The organization maintains the list of software programs authorized to execute on the information system. | ||
| CCI-000310 | draft | policy | 2009-09-17 | DISA FSO | The organization employs a deny-all, permit-by-exception authorization policy to identify software allowed to execute on the information system. | ||
| CCI-000311 | draft | policy | 2009-09-17 | DISA FSO | The organization maintains a baseline configuration for information system development environments that is managed separately from the operational baseline configuration. | ||
| CCI-000312 | draft | policy | 2009-09-17 | DISA FSO | The organization maintains a baseline configuration for information system test environments that is managed separately from the operational baseline configuration. | ||
| CCI-000313 | draft | policy | 2009-09-17 | DISA FSO | The organization determines the types of changes to the information system that are configuration controlled. |
|
|
| CCI-000314 | draft | policy | 2009-09-17 | DISA FSO | The organization approves or disapproves configuration-controlled changes to the information system, with explicit consideration for security impact analysis. |
|
|
| CCI-000315 | draft | policy | 2009-09-17 | DISA FSO | The organization documents approved configuration-controlled changes to the system. |
|
|
| CCI-000316 | draft | policy | 2009-09-17 | DISA FSO | The organization retains records of configuration-controlled changes to the information system for an organization-defined time period. |
|
|
| CCI-000317 | draft | policy | 2009-09-17 | DISA FSO | The organization reviews records of configuration-controlled changes to the system. |
|
|
| CCI-000318 | draft | policy | 2009-09-17 | DISA FSO | The organization audits and reviews activities associated with configuration-controlled changes to the system. |
|
|
| CCI-000319 | draft | policy | 2009-09-17 | DISA FSO | The organization coordinates and provides oversight for configuration change control activities through an organization-defined configuration change control element (e.g., committee, board) that convenes at the organization-defined frequency and/or for any organization-defined configuration change conditions. |
|
|
| CCI-000320 | draft | policy | 2009-09-17 | DISA FSO | The organization defines the frequency with which to convene the configuration change control element. |
|
|
| CCI-000321 | draft | policy | 2009-09-17 | DISA FSO | The organization defines configuration change conditions that prompt the configuration change control element to convene. |
|
|
| CCI-000322 | draft | policy | 2009-09-17 | DISA FSO | The organization employs automated mechanisms to document proposed changes to the information system. |
|
|
| CCI-000323 | draft | policy | 2009-09-17 | DISA FSO | The organization employs automated mechanisms to notify organization-defined approval authorities of proposed changes to the information system and request change approval. |
|
|
| CCI-000324 | draft | policy | 2009-09-17 | DISA FSO | The organization employs automated mechanisms to highlight proposed changes to the information system that have not been approved or disapproved by an organization-defined time period. |
|
|
| CCI-000325 | draft | policy | 2009-09-17 | DISA FSO | The organization employs automated mechanisms to prohibit changes to the information system until designated approvals are received. |
|
|
| CCI-000326 | draft | policy | 2009-09-17 | DISA FSO | The organization employs automated mechanisms to document all changes to the information system. |
|
|
| CCI-000327 | draft | policy | 2009-09-17 | DISA FSO | The organization tests changes to the information system before implementing the changes on the operational system. |
|
|
| CCI-000328 | draft | policy | 2009-09-17 | DISA FSO | The organization validates changes to the information system before implementing the changes on the operational system. |
|
|
| CCI-000329 | draft | policy | 2009-09-17 | DISA FSO | The organization documents changes to the information system before implementing the changes on the operational system. |
|
|
| CCI-000330 | draft | policy | 2009-09-17 | DISA FSO | The organization employs automated mechanisms to implement changes to the current information system baseline. |
|
|
| CCI-000331 | draft | policy | 2009-09-17 | DISA FSO | The organization deploys the updated information system baseline across the installed base. |
|
|
| CCI-000332 | draft | policy | 2009-09-17 | DISA FSO | The organization requires an information security representative to be a member of the organization-defined configuration change control element. |
|
|
| CCI-000333 | draft | policy | 2009-09-18 | DISA FSO | The organization analyzes changes to the information system to determine potential security impacts prior to change implementation. | ||
| CCI-000334 | draft | policy | 2009-09-18 | DISA FSO | The organization analyzes new software in a separate test environment before installation in an operational environment. | ||
| CCI-000335 | draft | policy | 2009-09-18 | DISA FSO | The organization, after the information system is changed, checks the security functions to verify the functions are implemented correctly. | ||
| CCI-000336 | draft | policy | 2009-09-18 | DISA FSO | The organization, after the information system is changed, checks the security functions to verify the functions are operating as intended. | ||
| CCI-000337 | draft | policy | 2009-09-18 | DISA FSO | The organization, after the information system is changed, checks the security functions to verify the functions are producing the desired outcome with regard to meeting the security requirements for the system. | ||
| CCI-000338 | draft | policy | 2009-09-18 | DISA FSO | The organization defines physical access restrictions associated with changes to the information system. |
|
|
| CCI-000339 | draft | policy | 2009-09-18 | DISA FSO | The organization documents physical access restrictions associated with changes to the information system. |
|
|
| CCI-000340 | draft | policy | 2009-09-18 | DISA FSO | The organization approves physical access restrictions associated with changes to the information system. |
|
|
| CCI-000341 | draft | policy | 2009-09-18 | DISA FSO | The organization enforces physical access restrictions associated with changes to the information system. |
|
|
| CCI-000342 | draft | policy | 2009-09-18 | DISA FSO | The organization defines logical access restrictions associated with changes to the information system. |
|
|
| CCI-000343 | draft | policy | 2009-09-18 | DISA FSO | The organization documents logical access restrictions associated with changes to the information system. |
|
|
| CCI-000344 | draft | policy | 2009-09-18 | DISA FSO | The organization approves logical access restrictions associated with changes to the information system. |
|
|
| CCI-000345 | draft | policy | 2009-09-18 | DISA FSO | The organization enforces logical access restrictions associated with changes to the information system. |
|
|
| CCI-000346 | draft | technical | 2009-09-18 | DISA FSO | The organization employs automated mechanisms to enforce access restrictions. |
|
|
| CCI-000347 | draft | technical | 2009-09-18 | DISA FSO | The organization employs automated mechanisms to support auditing of the enforcement actions. |
|
|
| CCI-000348 | draft | policy | 2009-09-18 | DISA FSO | The organization defines a frequency with which to conduct reviews of information system changes. |
|
|
| CCI-000349 | draft | policy | 2009-09-18 | DISA FSO | The organization reviews information system changes per organization-defined frequency to determine whether unauthorized changes have occurred. |
|
|
| CCI-000350 | draft | policy | 2009-09-18 | DISA FSO | The organization reviews information system changes upon organization-defined circumstances to determine whether unauthorized changes have occurred. |
|
|
| CCI-000351 | draft | policy | 2009-09-18 | DISA FSO | The organization defines critical software programs that the information system will prevent from being installed if such software programs are not signed with a recognized and approved certificate. |
|
|
| CCI-000352 | draft | technical | 2009-09-18 | DISA FSO | The information system prevents the installation of organization-defined critical software programs that are not signed with a certificate that is recognized and approved by the organization. |
|
|
| CCI-000353 | draft | policy | 2009-09-18 | DISA FSO | The organization defines information system components requiring enforcement of a dual authorization for information system changes. |
|
|
| CCI-000354 | draft | policy | 2009-09-18 | DISA FSO | The organization enforces dual authorization for changes to organization-defined information system components. |
|
|
| CCI-000355 | draft | policy | 2009-09-18 | DISA FSO | The organization limits information system developer/integrator privileges to change hardware components directly within a production environment. |
|
|
| CCI-000356 | draft | policy | 2009-09-18 | DISA FSO | The organization limits information system developer/integrator privileges to change software components directly within a production environment. |
|
|
| CCI-000357 | draft | policy | 2009-09-18 | DISA FSO | The organization limits information system developer/integrator privileges to change firmware components directly within a production environment. |
|
|
| CCI-000358 | draft | policy | 2009-09-18 | DISA FSO | The organization limits information system developer/integrator privileges to change system information directly within a production environment. |
|
|
| CCI-000359 | draft | policy | 2009-09-18 | DISA FSO | The organization defines the frequency to review information system developer/integrator privileges. |
|
|
| CCI-000360 | draft | policy | 2009-09-18 | DISA FSO | The organization defines the frequency to reevaluate information system developer/integrator privileges. |
|
|
| CCI-000361 | draft | policy | 2009-09-18 | DISA FSO | The organization reviews information system developer/integrator privileges per organization-defined frequency. |
|
|
| CCI-000362 | draft | policy | 2009-09-18 | DISA FSO | The organization reevaluates information system developer/integrator privileges per organization-defined frequency. |
|
|
| CCI-000363 | draft | policy | 2009-09-18 | DISA FSO | The organization defines security configuration checklists to be used to establish and document configuration settings for the information system technology products employed. |
|
|
| CCI-000364 | draft | policy | 2009-09-18 | DISA FSO | The organization establishes configuration settings for information technology products employed within the information system using organization-defined security configuration checklists. |
|
|
| CCI-000365 | draft | policy | 2009-09-18 | DISA FSO | The organization documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists that reflect the most restrictive mode consistent with operational requirements. |
|
|
| CCI-000366 | draft | policy | 2009-09-18 | DISA FSO | The organization implements the security configuration settings. |
|
|
| CCI-000367 | draft | policy | 2009-09-18 | DISA FSO | The organization identifies any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements. |
|
|
| CCI-000368 | draft | policy | 2009-09-18 | DISA FSO | The organization documents any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements. |
|
|
| CCI-000369 | draft | policy | 2009-09-18 | DISA FSO | The organization approves any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements. |
|
|
| CCI-000370 | draft | policy | 2009-09-18 | DISA FSO | The organization employs automated mechanisms to centrally manage configuration settings for organization-defined information system components. |
|
|
| CCI-000371 | draft | policy | 2009-09-18 | DISA FSO | The organization employs automated mechanisms to centrally apply configuration settings for organization-defined information system components. |
|
|
| CCI-000372 | draft | policy | 2009-09-18 | DISA FSO | The organization employs automated mechanisms to centrally verify configuration settings for organization-defined information system components. |
|
|
| CCI-000373 | draft | policy | 2009-09-18 | DISA FSO | The organization defines configuration settings for which unauthorized changes are responded to by automated mechanisms. |
|
|
| CCI-000374 | draft | technical | 2009-09-18 | DISA FSO | The organization employs automated mechanisms to respond to unauthorized changes to organization-defined configuration settings. |
|
|
| CCI-000375 | draft | policy | 2009-09-18 | DISA FSO | The organization incorporates detection of unauthorized, security-relevant configuration changes into the organizations incident response capability. |
|
|
| CCI-000376 | draft | policy | 2009-09-18 | DISA FSO | The organization ensures unauthorized, security-relevant configuration changes detected are monitored. |
|
|
| CCI-000377 | draft | policy | 2009-09-18 | DISA FSO | The organization ensures unauthorized, security-relevant configuration changes detected are corrected. |
|
|
| CCI-000378 | draft | policy | 2009-09-18 | DISA FSO | The organization ensures unauthorized, security-relevant configuration changes detected are available for historical purposes. |
|
|
| CCI-000379 | draft | policy | 2009-09-18 | DISA FSO | The information system (including modifications to the baseline configuration) demonstrates conformance to security configuration guidance (i.e., security checklists) prior to being introduced into a production environment. |
|
|
| CCI-000380 | draft | policy | 2009-09-18 | DISA FSO | The organization defines prohibited or restricted functions, ports, protocols, and/or services for the information system. | ||
| CCI-000381 | draft | technical | 2009-09-18 | DISA FSO | The organization configures the information system to provide only essential capabilities. | ||
| CCI-000382 | draft | technical | 2009-09-18 | DISA FSO | The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services. | ||
| CCI-000383 | draft | policy | 2009-09-18 | DISA FSO | The organization defines the frequency of information system reviews to identify and eliminate unnecessary functions, ports, protocols and/or services. | ||
| CCI-000384 | draft | policy | 2009-09-18 | DISA FSO | The organization reviews the information system per organization-defined frequency to identify unnecessary and nonsecure functions, ports, protocols, and services. | ||
| CCI-000385 | draft | policy | 2009-09-18 | DISA FSO | The organization reviews the information system per organization-defined frequency to eliminate unnecessary functions, ports, protocols, and/or services. | ||
| CCI-000386 | draft | technical | 2009-09-18 | DISA FSO | The organization employs automated mechanisms to prevent program execution on the information system in accordance with the organization-defined specifications. | ||
| CCI-000387 | draft | policy | 2009-09-18 | DISA FSO | The organization defines registration requirements for functions, ports, protocols, and services. | ||
| CCI-000388 | draft | policy | 2009-09-18 | DISA FSO | The organization ensures compliance with organization-defined registration requirements for functions, ports, protocols, and services. | ||
| CCI-000389 | draft | policy | 2009-09-18 | DISA FSO | The organization develops an inventory of information system components that accurately reflects the current information system. | ||
| CCI-000390 | draft | policy | 2009-09-18 | DISA FSO | The organization documents an inventory of information system components that accurately reflects the current information system. | ||
| CCI-000391 | draft | policy | 2009-09-18 | DISA FSO | The organization maintains an inventory of information system components that accurately reflects the current information system. | ||
| CCI-000392 | draft | policy | 2009-09-18 | DISA FSO | The organization develops an inventory of information system components that includes all components within the authorization boundary of the information system. | ||
| CCI-000393 | draft | policy | 2009-09-18 | DISA FSO | The organization documents an inventory of information system components that includes all components within the authorization boundary of the information system. | ||
| CCI-000394 | draft | policy | 2009-09-18 | DISA FSO | The organization maintains an inventory of information system components that is consistent with the authorization boundary of the information system. | ||
| CCI-000395 | draft | policy | 2009-09-18 | DISA FSO | The organization develops an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting. | ||
| CCI-000396 | draft | policy | 2009-09-18 | DISA FSO | The organization documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting. | ||
| CCI-000397 | draft | policy | 2009-09-18 | DISA FSO | The organization maintains an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting. | ||
| CCI-000398 | draft | policy | 2009-09-18 | DISA FSO | The organization defines information deemed necessary to achieve effective information system component accountability. | ||
| CCI-000399 | draft | policy | 2009-09-18 | DISA FSO | The organization develops an inventory of information system components that includes organization-defined information deemed necessary to achieve effective information system component accountability. | ||
| CCI-000400 | draft | policy | 2009-09-18 | DISA FSO | The organization documents an inventory of information system components that includes organization-defined information deemed necessary to achieve effective information system component accountability. | ||
| CCI-000401 | draft | policy | 2009-09-18 | DISA FSO | The organization maintains an inventory of information system components that includes organization-defined information deemed necessary to achieve effective property accountability. | ||
| CCI-000402 | draft | policy | 2009-09-18 | DISA FSO | The organization develops an inventory of information system components that is available for review by designated organizational officials. | ||
| CCI-000403 | draft | policy | 2009-09-18 | DISA FSO | The organization documents an inventory of information system components that is available for review by designated organizational officials. | ||
| CCI-000404 | draft | policy | 2009-09-18 | DISA FSO | The organization maintains an inventory of information system components that is available for review by designated organizational officials. | ||
| CCI-000405 | draft | policy | 2009-09-18 | DISA FSO | The organization develops an inventory of information system components that is available for audit by designated organizational officials. | ||
| CCI-000406 | draft | policy | 2009-09-18 | DISA FSO | The organization documents an inventory of information system components that is available for audit by designated organizational officials. | ||
| CCI-000407 | draft | policy | 2009-09-18 | DISA FSO | The organization maintains an inventory of information system components that is available for audit by designated organizational officials. | ||
| CCI-000408 | draft | policy | 2009-09-18 | DISA FSO | The organization updates the inventory of information system components as an integral part of component installations. | ||
| CCI-000409 | draft | policy | 2009-09-18 | DISA FSO | The organization updates the inventory of information system components as an integral part of component removals. | ||
| CCI-000410 | draft | policy | 2009-09-18 | DISA FSO | The organization updates the inventory of information system components as an integral part of information system updates. | ||
| CCI-000411 | draft | policy | 2009-09-18 | DISA FSO | The organization employs automated mechanisms to help maintain an up-to-date inventory of information system components. | ||
| CCI-000412 | draft | policy | 2009-09-18 | DISA FSO | The organization employs automated mechanisms to help maintain a complete inventory of information system components. | ||
| CCI-000413 | draft | policy | 2009-09-18 | DISA FSO | The organization employs automated mechanisms to help maintain an accurate inventory of information system components. | ||
| CCI-000414 | draft | policy | 2009-09-18 | DISA FSO | The organization employs automated mechanisms to help maintain a readily available inventory of information system components. | ||
| CCI-000415 | draft | policy | 2009-09-18 | DISA FSO | The organization defines the frequency of employing automated mechanisms to detect the presence of unauthorized hardware, software, and firmware components within the information system. | ||
| CCI-000416 | draft | policy | 2009-09-18 | DISA FSO | The organization employs automated mechanisms, per organization-defined frequency, to detect the presence of unauthorized hardware, software, and firmware components within the information system. | ||
| CCI-000417 | draft | technical | 2009-09-18 | DISA FSO | The organization disables network access by unauthorized components/devices or notifies designated organizational officials. | ||
| CCI-000418 | draft | policy | 2009-09-18 | DISA FSO | The organization includes, in the information system component inventory information, a means for identifying by name, position, and/or role, individuals responsible/accountable for administering those components. | ||
| CCI-000419 | draft | policy | 2009-09-18 | DISA FSO | The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories. | ||
| CCI-000420 | draft | policy | 2009-09-18 | DISA FSO | The organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory. | ||
| CCI-000421 | draft | policy | 2009-09-18 | DISA FSO | The organization develops a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures. | ||
| CCI-000422 | draft | policy | 2009-09-18 | DISA FSO | The organization documents a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures. | ||
| CCI-000423 | draft | policy | 2009-09-18 | DISA FSO | The organization implements a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures. | ||
| CCI-000424 | draft | policy | 2009-09-18 | DISA FSO | The organization develops a configuration management plan for the information system that defines the configuration items for the information system. | ||
| CCI-000425 | draft | policy | 2009-09-18 | DISA FSO | The organization documents a configuration management plan for the information system that defines the configuration items for the information system. | ||
| CCI-000426 | draft | policy | 2009-09-18 | DISA FSO | The organization implements a configuration management plan for the information system that defines the configuration items for the information system. | ||
| CCI-000427 | draft | policy | 2009-09-18 | DISA FSO | The organization develops a configuration management plan for the information system when in the system development life cycle the configuration items are placed under configuration management. | ||
| CCI-000428 | draft | policy | 2009-09-18 | DISA FSO | The organization documents a configuration management plan for the information system when in the system development life cycle the configuration items are placed under configuration management. | ||
| CCI-000429 | draft | policy | 2009-09-18 | DISA FSO | The organization implements a configuration management plan for the information system when in the system development life cycle the configuration items are placed under configuration management. | ||
| CCI-000430 | draft | policy | 2009-09-18 | DISA FSO | The organization develops a configuration management plan for the information system that establishes the means for identifying configuration items throughout the system development life cycle. | ||
| CCI-000431 | draft | policy | 2009-09-18 | DISA FSO | The organization documents a configuration management plan for the information system that establishes the means for identifying configuration items throughout the system development life cycle. | ||
| CCI-000432 | draft | policy | 2009-09-18 | DISA FSO | The organization implements a configuration management plan for the information system that establishes the means for identifying configuration items throughout the system development life cycle. | ||
| CCI-000433 | draft | policy | 2009-09-18 | DISA FSO | The organization develops a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items. | ||
| CCI-000434 | draft | policy | 2009-09-18 | DISA FSO | The organization documents a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items. | ||
| CCI-000435 | draft | policy | 2009-09-18 | DISA FSO | The organization implements a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items. | ||
| CCI-000436 | draft | policy | 2009-09-18 | DISA FSO | The organization assigns responsibility for developing the configuration management process to organizational personnel that are not directly involved in information system development. | ||
| CCI-000437 | draft | policy | 2009-09-18 | DISA FSO | The organization defines the frequency with which to review and update the current contingency planning policy. | ||
| CCI-000438 | draft | policy | 2009-09-18 | DISA FSO | The organization develops and documents a contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. | ||
| CCI-000439 | draft | policy | 2009-09-18 | DISA FSO | The organization disseminates a contingency planning policy to organization-defined personnel or roles. | ||
| CCI-000440 | draft | policy | 2009-09-18 | DISA FSO | The organization reviews and updates the current contingency planning policy in accordance with an organization-defined frequency. | ||
| CCI-000441 | draft | policy | 2009-09-18 | DISA FSO | The organization develops and documents procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls. | ||
| CCI-000443 | draft | policy | 2009-09-18 | DISA FSO | The organization develops a contingency plan for the information system that identifies essential missions. |
|
|
| CCI-000444 | draft | policy | 2009-09-18 | DISA FSO | The organization develops a contingency plan for the information system that identifies essential business functions. |
|
|
| CCI-000445 | draft | policy | 2009-09-18 | DISA FSO | The organization develops a contingency plan for the information system that identifies associated contingency requirements. |
|
|
| CCI-000446 | draft | policy | 2009-09-18 | DISA FSO | The organization develops a contingency plan for the information system that provides recovery objectives. |
|
|
| CCI-000447 | draft | policy | 2009-09-18 | DISA FSO | The organization develops a contingency plan for the information system that provides restoration priorities. |
|
|
| CCI-000448 | draft | policy | 2009-09-18 | DISA FSO | The organization develops a contingency plan for the information system that provides metrics. |
|
|
| CCI-000449 | draft | policy | 2009-09-18 | DISA FSO | The organization develops a contingency plan for the information system that addresses contingency roles, responsibilities, assigned individuals with contact information. |
|
|
| CCI-000450 | draft | policy | 2009-09-18 | DISA FSO | The organization develops a contingency plan for the information system that addresses maintaining essential missions despite an information system disruption. |
|
|
| CCI-000451 | draft | policy | 2009-09-18 | DISA FSO | The organization develops a contingency plan for the information system that addresses maintaining essential business functions despite an information system disruption. |
|
|
| CCI-000452 | draft | policy | 2009-09-18 | DISA FSO | The organization develops a contingency plan for the information system that addresses maintaining essential missions despite an information system compromise. |
|
|
| CCI-000453 | draft | policy | 2009-09-18 | DISA FSO | The organization develops a contingency plan for the information system that addresses maintaining essential business functions despite an information system compromise. |
|
|
| CCI-000454 | draft | policy | 2009-09-18 | DISA FSO | The organization develops a contingency plan for the information system that addresses maintaining essential missions despite an information system failure. |
|
|
| CCI-000455 | draft | policy | 2009-09-18 | DISA FSO | The organization develops a contingency plan for the information system that addresses maintaining essential business functions despite an information system failure. |
|
|
| CCI-000456 | draft | policy | 2009-09-18 | DISA FSO | The organization develops a contingency plan for the information system that addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented. |
|
|
| CCI-000457 | draft | policy | 2009-09-18 | DISA FSO | The organization develops a contingency plan for the information system that is reviewed and approved by organization-defined personnel or roles. |
|
|
| CCI-000458 | draft | policy | 2009-09-18 | DISA FSO | The organization defines a list of key contingency personnel (identified by name and/or by role) and organizational elements designated to receive copies of the contingency plan. |
|
|
| CCI-000459 | draft | policy | 2009-09-18 | DISA FSO | The organization distributes copies of the contingency plan to an organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements. |
|
|
| CCI-000460 | draft | policy | 2009-09-18 | DISA FSO | The organization coordinates contingency planning activities with incident handling activities. |
|
|
| CCI-000461 | draft | policy | 2009-09-18 | DISA FSO | The organization defines the frequency with which to review the contingency plan for the information system. |
|
|
| CCI-000462 | draft | policy | 2009-09-18 | DISA FSO | The organization reviews the contingency plan for the information system in accordance with organization-defined frequency. |
|
|
| CCI-000463 | draft | policy | 2009-09-18 | DISA FSO | The organization updates the contingency plan to address changes to the organization. |
|
|
| CCI-000464 | draft | policy | 2009-09-18 | DISA FSO | The organization updates the contingency plan to address changes to the information system. |
|
|
| CCI-000465 | draft | policy | 2009-09-18 | DISA FSO | The organization updates the contingency plan to address changes to the environment of operation. |
|
|
| CCI-000466 | draft | policy | 2009-09-18 | DISA FSO | The organization updates the contingency plan to address problems encountered during contingency plan implementation, execution, or testing. |
|
|
| CCI-000468 | draft | policy | 2009-09-18 | DISA FSO | The organization communicates contingency plan changes to an organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements. |
|
|
| CCI-000469 | draft | policy | 2009-09-18 | DISA FSO | The organization coordinates contingency plan development with organizational elements responsible for related plans. |
|
|
| CCI-000470 | draft | policy | 2009-09-18 | DISA FSO | The organization conducts capacity planning so that necessary capacity for information processing exists during contingency operations. |
|
|
| CCI-000471 | draft | policy | 2009-09-18 | DISA FSO | The organization conducts capacity planning so that necessary capacity for telecommunications exists during contingency operations. |
|
|
| CCI-000472 | draft | policy | 2009-09-18 | DISA FSO | The organization conducts capacity planning so that necessary capacity for environmental support exists during contingency operations. |
|
|
| CCI-000473 | draft | policy | 2009-09-18 | DISA FSO | The organization defines the time period for planning the resumption of essential missions as a result of contingency plan activation. |
|
|
| CCI-000474 | draft | policy | 2009-09-18 | DISA FSO | The organization defines the time period for planning the resumption of essential business functions as a result of contingency plan activation. |
|
|
| CCI-000475 | draft | policy | 2009-09-18 | DISA FSO | The organization plans for the resumption of essential missions within the organization-defined time period of contingency plan activation. |
|
|
| CCI-000476 | draft | policy | 2009-09-18 | DISA FSO | The organization plans for the resumption of essential business functions within the organization-defined time period of contingency plan activation. |
|
|
| CCI-000477 | draft | policy | 2009-09-18 | DISA FSO | The organization defines the time period for planning the resumption of all missions as a result of contingency plan activation. |
|
|
| CCI-000478 | draft | policy | 2009-09-18 | DISA FSO | The organization defines the time period for planning the resumption of all business functions as a result of contingency plan activation. |
|
|
| CCI-000479 | draft | policy | 2009-09-18 | DISA FSO | The organization plans for the resumption of all missions within an organization-defined time period of contingency plan activation. |
|
|
| CCI-000480 | draft | policy | 2009-09-18 | DISA FSO | The organization plans for the resumption of all business functions within an organization-defined time period of contingency plan activation. |
|
|
| CCI-000481 | draft | policy | 2009-09-18 | DISA FSO | The organization plans for the continuance of essential missions with little or no loss of operational continuity. |
|
|
| CCI-000482 | draft | policy | 2009-09-18 | DISA FSO | The organization plans for the continuance of essential business functions with little or no loss of operational continuity. |
|
|
| CCI-000483 | draft | policy | 2009-09-18 | DISA FSO | The organization plans for the transfer of essential missions to alternate processing and/or storage sites with little or no loss of operational continuity. |
|
|
| CCI-000484 | draft | policy | 2009-09-18 | DISA FSO | The organization plans for the transfer of essential business functions to alternate processing and/or storage sites with little or no loss of operational continuity. |
|
|
| CCI-000485 | draft | policy | 2009-09-21 | DISA FSO | The organization defines the frequency of refresher contingency training to information system users. | ||
| CCI-000486 | draft | policy | 2009-09-21 | DISA FSO | The organization provides contingency training to information system users consistent with assigned roles and responsibilities within an organization-defined time period of assuming a contingency role or responsibility. | ||
| CCI-000487 | draft | policy | 2009-09-21 | DISA FSO | The organization provides refresher contingency training to information system users consistent with assigned roles and responsibilities in accordance with organization-defined frequency. | ||
| CCI-000488 | draft | policy | 2009-09-21 | DISA FSO | The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations. | ||
| CCI-000489 | draft | policy | 2009-09-21 | DISA FSO | The organization employs automated mechanisms to provide a more thorough and realistic contingency training environment. | ||
| CCI-000490 | draft | policy | 2009-09-21 | DISA FSO | The organization defines the frequency with which to test the contingency plan for the information system. | ||
| CCI-000491 | draft | policy | 2009-09-21 | DISA FSO | The organization defines the frequency to exercise the contingency plan for the information system. | ||
| CCI-000492 | draft | policy | 2009-09-21 | DISA FSO | The organization defines contingency plan tests to be conducted for the information system. | ||
| CCI-000493 | draft | policy | 2009-09-21 | DISA FSO | The organization defines contingency plan exercises to be conducted for the information system. | ||
| CCI-000494 | draft | policy | 2009-09-21 | DISA FSO | The organization tests the contingency plan for the information system in accordance with organization-defined frequency using organization-defined tests to determine the effectiveness of the plan and the organizational readiness to execute the plan. | ||
| CCI-000495 | draft | policy | 2009-09-21 | DISA FSO | The organization exercises the contingency plan using organization-defined exercises in accordance with organization-defined frequency. | ||
| CCI-000496 | draft | policy | 2009-09-21 | DISA FSO | The organization reviews the contingency plan test results. | ||
| CCI-000497 | draft | policy | 2009-09-21 | DISA FSO | The organization initiates corrective actions, if needed, after reviewing the contingency plan test results. | ||
| CCI-000498 | draft | policy | 2009-09-21 | DISA FSO | The organization coordinates contingency plan testing with organizational elements responsible for related plans. | ||
| CCI-000499 | draft | policy | 2009-09-21 | DISA FSO | The organization coordinates contingency plan exercises with organizational elements responsible for related plans. | ||
| CCI-000500 | draft | policy | 2009-09-21 | DISA FSO | The organization tests the contingency plan at the alternate processing site to familiarize contingency personnel with the facility and available resources. | ||
| CCI-000501 | draft | policy | 2009-09-21 | DISA FSO | The organization exercises the contingency plan at the alternate processing site to familiarize contingency personnel with the facility and available resources and to evaluate the site^s capabilities to support contingency operations. | ||
| CCI-000502 | draft | policy | 2009-09-21 | DISA FSO | The organization employs automated mechanisms to more thoroughly and effectively test the contingency plan. | ||
| CCI-000503 | draft | policy | 2009-09-21 | DISA FSO | The organization employs automated mechanisms to more thoroughly and effectively exercise the contingency plan by providing more complete coverage of contingency issues, selecting more realistic exercise scenarios and environments, and more effectively stressing the information and supported missions. | ||
| CCI-000504 | draft | policy | 2009-09-21 | DISA FSO | The organization includes a full recovery and reconstitution of the information system to a known state as part of contingency plan testing. | ||
| CCI-000505 | draft | policy | 2009-09-21 | DISA FSO | The organization establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information. | ||
| CCI-000506 | draft | policy | 2009-09-21 | DISA FSO | The organization initiates necessary alternate storage site agreements to permit the storage and recovery of information system backup information. | ||
| CCI-000507 | draft | policy | 2009-09-21 | DISA FSO | The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats. | ||
| CCI-000508 | draft | policy | 2009-09-21 | DISA FSO | The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives. | ||
| CCI-000509 | draft | policy | 2009-09-21 | DISA FSO | The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster. | ||
| CCI-000510 | draft | policy | 2009-09-21 | DISA FSO | The organization defines the time period consistent with recovery time and recovery point objectives for essential missions/business functions to permit the transfer and resumption of organization-defined information system operations at an alternate processing site when the primary processing capabilities are unavailable. |
|
|
| CCI-000511 | draft | policy | 2009-09-21 | DISA FSO | The organization defines the time period for achieving the recovery time objectives for business functions within which processing must be resumed at the alternate processing site. |
|
|
| CCI-000512 | draft | policy | 2009-09-21 | DISA FSO | The organization establishes an alternate processing site. |
|
|
| CCI-000513 | draft | policy | 2009-09-21 | DISA FSO | The organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential missions within an organization-defined time period consistent with recovery time and recovery point objectives when the primary processing capabilities are unavailable. |
|
|
| CCI-000514 | draft | policy | 2009-09-21 | DISA FSO | The organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential business functions within an organization-defined time period consistent with recovery time and recovery point objectives when the primary processing capabilities are unavailable. |
|
|
| CCI-000515 | draft | policy | 2009-09-21 | DISA FSO | The organization ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption. |
|
|
| CCI-000516 | draft | policy | 2009-09-21 | DISA FSO | The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats. |
|
|
| CCI-000517 | draft | policy | 2009-09-21 | DISA FSO | The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster. |
|
|
| CCI-000518 | draft | policy | 2009-09-21 | DISA FSO | The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with the organizational availability requirements (including recovery time objectives). |
|
|
| CCI-000519 | draft | policy | 2009-09-21 | DISA FSO | The organization prepares the alternate processing site so that it is ready to be used as the operational site supporting essential missions. |
|
|
| CCI-000520 | draft | policy | 2009-09-21 | DISA FSO | The organization prepares the alternate processing site so that it is ready to be used as the operational site supporting essential business functions. |
|
|
| CCI-000521 | draft | policy | 2009-09-21 | DISA FSO | The organization ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site. |
|
|
| CCI-000522 | draft | policy | 2009-09-21 | DISA FSO | The organization defines the time period within which to permit the resumption of organization-defined information system operations for essential missions when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. | ||
| CCI-000523 | draft | policy | 2009-09-21 | DISA FSO | The organization defines the time period within which to permit the resumption of organization-defined information system operations for essential business functions when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. | ||
| CCI-000524 | draft | policy | 2009-09-21 | DISA FSO | The organization establishes alternate telecommunication services including necessary agreements to permit the resumption of organization-defined information system operations for essential missions within an organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. | ||
| CCI-000525 | draft | policy | 2009-09-21 | DISA FSO | The organization establishes alternate telecommunication services including necessary agreements to permit the resumption of organization-defined information system operations for essential business functions within an organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. | ||
| CCI-000526 | draft | policy | 2009-09-21 | DISA FSO | The organization develops primary telecommunications service agreements that contain priority-of-service provisions in accordance with the organization^s availability requirements (including recovery time objectives). | ||
| CCI-000527 | draft | policy | 2009-09-21 | DISA FSO | The organization develops alternate telecommunications service agreements that contain priority-of-service provisions in accordance with the organization^s availability requirements (including recovery time objectives). | ||
| CCI-000528 | draft | policy | 2009-09-21 | DISA FSO | The organization requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary telecommunications services are provided by a common carrier. | ||
| CCI-000529 | draft | policy | 2009-09-21 | DISA FSO | The organization requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the alternate telecommunications services are provided by a common carrier. | ||
| CCI-000530 | draft | policy | 2009-09-21 | DISA FSO | The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services. | ||
| CCI-000531 | draft | policy | 2009-09-21 | DISA FSO | The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats. | ||
| CCI-000532 | draft | policy | 2009-09-21 | DISA FSO | The organization requires primary telecommunications service providers to have contingency plans. | ||
| CCI-000533 | draft | policy | 2009-09-21 | DISA FSO | The organization requires alternate telecommunications service providers to have contingency plans. | ||
| CCI-000534 | draft | policy | 2009-09-21 | DISA FSO | The organization defines the frequency of conducting user-level information backups to support recovery time objectives and recovery point objectives. |
|
|
| CCI-000535 | draft | policy | 2009-09-21 | DISA FSO | The organization conducts backups of user-level information contained in the information system per organization-defined frequency that is consistent with recovery time and recovery point objectives. |
|
|
| CCI-000536 | draft | policy | 2009-09-21 | DISA FSO | The organization defines the frequency of conducting system-level information backups to support recovery time objectives and recovery point objectives. |
|
|
| CCI-000537 | draft | policy | 2009-09-21 | DISA FSO | The organization conducts backups of system-level information contained in the information system per organization-defined frequency that is consistent with recovery time and recovery point objectives. |
|
|
| CCI-000538 | draft | policy | 2009-09-21 | DISA FSO | The organization defines the frequency of conducting information system documentation backups, including security-related documentation, to support recovery time objectives and recovery point objectives. |
|
|
| CCI-000539 | draft | policy | 2009-09-21 | DISA FSO | The organization conducts backups of information system documentation, including security-related documentation, per an organization-defined frequency that is consistent with recovery time and recovery point objectives. |
|
|
| CCI-000540 | draft | policy | 2009-09-21 | DISA FSO | The organization protects the confidentiality, integrity, and availability of backup information at storage locations. |
|
|
| CCI-000541 | draft | policy | 2009-09-21 | DISA FSO | The organization defines the frequency with which to test backup information to verify media reliability and information integrity. |
|
|
| CCI-000542 | draft | policy | 2009-09-21 | DISA FSO | The organization tests backup information per an organization-defined frequency to verify media reliability and information integrity. |
|
|
| CCI-000543 | draft | policy | 2009-09-21 | DISA FSO | The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing. |
|
|
| CCI-000544 | draft | policy | 2009-09-21 | DISA FSO | The organization stores backup copies of the operating system in a separate facility or in a fire-rated container that is not colocated with the operational system. |
|
|
| CCI-000545 | draft | policy | 2009-09-21 | DISA FSO | The organization stores backup copies of critical information system software in a separate facility or in a fire-rated container that is not colocated with the operational system. |
|
|
| CCI-000546 | draft | policy | 2009-09-21 | DISA FSO | The organization stores backup copies of the information system inventory (including hardware, software, and firmware components) in a separate facility or in a fire-rated container that is not colocated with the operational system. |
|
|
| CCI-000547 | draft | policy | 2009-09-21 | DISA FSO | The organization defines the time period and transfer rate of the information system backup information to the alternate storage site consistent with the recovery time and recovery point objectives. |
|
|
| CCI-000548 | draft | policy | 2009-09-21 | DISA FSO | The organization transfers information system backup information to the alternate storage site in accordance with the organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives. |
|
|
| CCI-000549 | draft | policy | 2009-09-21 | DISA FSO | The organization maintains a redundant secondary information system that is not collocated with the primary system. |
|
|
| CCI-000550 | draft | policy | 2009-09-21 | DISA FSO | The organization provides for the recovery and reconstitution of the information system to a known state after a disruption. |
|
|
| CCI-000551 | draft | policy | 2009-09-21 | DISA FSO | The organization provides for the recovery and reconstitution of the information system to a known state after a compromise. |
|
|
| CCI-000552 | draft | policy | 2009-09-21 | DISA FSO | The organization provides for the recovery and reconstitution of the information system to a known state after a failure. |
|
|
| CCI-000553 | draft | policy | 2009-09-21 | DISA FSO | The information system implements transaction recovery for systems that are transaction-based. |
|
|
| CCI-000554 | draft | policy | 2009-09-21 | DISA FSO | The organization defines in the security plan, explicitly or by reference, the circumstances that can inhibit recovery and reconstitution of the information system to a known state. |
|
|
| CCI-000555 | draft | policy | 2009-09-21 | DISA FSO | The organization provides compensating security controls for organization-defined circumstances that can inhibit recovery and reconstitution of the information system to a known state. |
|
|
| CCI-000556 | draft | policy | 2009-09-21 | DISA FSO | The organization defines restoration time periods within which to restore information system components from configuration-controlled and integrity-protected information representing a known, operational state for the components. |