8500-2 DIACAP - Security Controls -
Information security controls protect the confidentiality, integrity and/or availability of information (the so-called CIA Triad). Again, some would add further categories such as non-repudiation and accountability, depending on how narrowly or broadly the CIA Triad is defined.
Individual controls are often designed to act together to increase effective protection. Systems of controls can be referred to as frameworks or standards. Frameworks can enable an organization to manage security controls across different types of assets with consistency. For example, a framework can help an organization manage controls over access regardless of the type of computer operating system. This also enables an organization to assess overall risk. Risk-aware organizations may choose proactively to specify, design, implement, operate and maintain their security controls, usually by assessing the risks and implementing a comprehensive security management framework such as ISO27001:2013, the Information Security Forum's Standard of Good Practice for Information Security, or NIST SP 800-53.
| Control | Impact Code | MAC Level / Confidentiality | Subject Area | Title | Description |
|---|---|---|---|---|---|
| MEDIUM | MACIII | Continuity | Alternate Site Designation | An alternate site is identified that permits the partial restoration of mission or business essential functions. | |
| HIGH | MACI,MACII | Continuity | Alternate Site Designation | An alternate site is identified that permits the restoration of all mission or business essential functions. | |
| HIGH | MACI,MACII,MACIII | Continuity | Protection of Backup and Restoration Assets | Procedures are in place assure the appropriate physical and technical protection of the backup and restoration hardware, firmware, and software, such as router tables, compilers, and other security-related system software. | |
| LOW | MACIII | Continuity | Data Backup Procedures | Data backup is performed at least weekly. | |
| MEDIUM | MACII | Continuity | Data Backup Procedures | Data backup is performed daily, and recovery media are stored off-site at a location that affords protection of the data in accordance with its mission assurance category and confidentiality level. | |
| MEDIUM | MACI | Continuity | Data Backup Procedures | Data backup is accomplished by maintaining a redundant secondary system, not co-located, that can be activated without loss of data or disruption to the operation. | |
| LOW | MACIII | Continuity | Disaster and Recovery Planning | A disaster plan exists that provides for the partial resumption of mission or business essential functions within 5 days of activation. (Disaster recovery procedures include business recovery plans, system contingency plans, facility disaster recovery plans, and plan acceptance.) | |
| MEDIUM | MACII | Continuity | Disaster and Recovery Planning | A disaster plan exists that provides for the resumption of mission or business essential functions within 24 hours of activation. (Disaster recovery procedures include business recovery plans, system contingency plans, facility disaster recovery plans, and plan acceptance.) | |
| MEDIUM | MACI | Continuity | Disaster and Recovery Planning | A disaster plan exists that provides for the smooth transfer of all mission or business essential functions to an alternate site for the duration of an event with little or no loss of operational continuity. (Disaster recovery procedures include business recovery plans, system contingency plans, facility disaster recovery plans, and plan acceptance.) | |
| MEDIUM | MACII,MACIII | Continuity | Enclave Boundary Defense | Enclave boundary defense at the alternate site provides security measures equivalent to the primary site. | |
| HIGH | MACI | Continuity | Enclave Boundary Defense | Enclave boundary defense at the alternate site must be configured identically to that of the primary site. | |
| LOW | MACII,MACIII | Continuity | Scheduled Exercises and Drills | The continuity of operations or disaster recovery plans are exercised annually. | |
| MEDIUM | MACI | Continuity | Scheduled Exercises and Drills | The continuity of operations or disaster recovery plans or significant portions are exercised semi-annually. | |
| LOW | MACIII | Continuity | Identification of Essential Functions | Mission and business essential functions are identified for priority restoration planning. | |
| MEDIUM | MACI,MACII | Continuity | Identification of Essential Functions | Mission and business-essential functions are identified for priority restoration planning along with all assets supporting mission or business-essential functions (e.g., computer-based services, data and applications, communications, physical infrastructure). | |
| LOW | MACIII | Continuity | Maintenance Support | Maintenance support for key IT assets is available to respond within 24 hours of failure. | |
| MEDIUM | MACI,MACII | Continuity | Maintenance Support | Maintenance support for key IT assets is available to respond 24 X 7 immediately upon failure. | |
| LOW | MACIII | Continuity | Power Supply | Electrical power is restored to key IT assets by manually activated power generators upon loss of electrical power from the primary source. | |
| MEDIUM | MACII | Continuity | Power Supply | Electrical systems are configured to allow continuous or uninterrupted power to key IT assets. This may include an uninterrupted power supply coupled with emergency generators. | |
| MEDIUM | MACI | Continuity | Power Supply | Electrical systems are configured to allow continuous or uninterrupted power to key IT assets and all users accessing the key IT assets to perform mission or business-essential functions. This may include an uninterrupted power supply coupled with emergency generators or other alternate power source. | |
| LOW | MACII,MACIII | Continuity | Spares and Parts | Maintenance spares and spare parts for key IT assets can be obtained within 24 hours of failure. | |
| MEDIUM | MACI | Continuity | Spares and Parts | Maintenance spares and spare parts for key IT assets are available 24 X 7 immediately upon failure. | |
| HIGH | MACI,MACII,MACIII | Continuity | Backup Copies of Critical SW | Back-up copies of the operating system and other critical software are stored in a fire rated container or otherwise not collocated with the operational software. | |
| HIGH | MACI,MACII,MACIII | Continuity | Trusted Recovery | Recovery procedures and technical system features exist to ensure that recovery is done in a secure and verifiable manner. Circumstances that can inhibit a trusted recovery are documented and appropriate mitigating procedures have been put in place. | |
| MEDIUM | MACI,MACII,MACIII | Security Design and Configuration | Procedural Review | An annual IA review is conducted that comprehensively evaluates existing policies and processes to ensure procedural consistency and to ensure that they fully support the goal of uninterrupted operations. | |
| HIGH | CLASSIFIED,SENSITIVE,PUBLIC | Security Design and Configuration | Acquisition Standards | The acquisition of all IA- and IA-enabled GOTS IT products is limited to products that have been evaluated by the NSA or in accordance with NSA-approved processes. The acquisition of all IA- and IA-enabled COTS IT products is limited to products that have been evaluated or validated through one of the following sources - the International Common Criteria (CC) for Information Security Technology Evaluation Mutual Recognition Arrangement, the NIAP Evaluation and Validation Program, or the FIPS validation program. Robustness requirements, the mission, and customer needs will enable an experienced information systems security engineer to recommend a Protection Profile, a particular evaluated product or a security target with the appropriate assurance requirements for a product to be submitted for evaluation (See also DCSR-1). | |
| MEDIUM | MACI,MACII,MACIII | Security Design and Configuration | Best Security Practices | The DoD information system security design incorporates best security practices such as single sign-on, PKE, smart card, and biometrics. | |
| LOW | Security Design and Configuration | Control Board | All DoD information systems are under the control of a chartered configuration control board that meets regularly according to DCPR-1. | ||
| MEDIUM | MACI,MACII,MACIII | Security Design and Configuration | Control Board | All information systems are under the control of a chartered Configuration Control Board that meets regularly according to DCPR-1. The IAM is a voting member of the CCB. | |
| HIGH | MACIII | Security Design and Configuration | Configuration Specifications | A DoD reference document, such as a security technical implementation guide or security recommendation guide constitutes the primary source for security configuration or implementation guidance for the deployment of newly acquired IA- and IA-enabled IT products that require use of the product's IA capabilities. If a DoD reference document is not available, the following are acceptable in descending order as available: (1) Commercially accepted practices (e.g., SANS); (2) Independent testing results (e.g., ICSA); or (3) Vendor literature. | |
| HIGH | MACI,MACII | Security Design and Configuration | Configuration Specifications | A DoD reference document such as a security technical implementation guide or security recommendation guide constitutes the primary source for security configuration or implementation guidance for the deployment of newly acquired IA- and IA-enabled IT products that require use of the product's IA capabilities. If a DoD reference document is not available, the system owner works with DISA or NSA to draft configuration guidance for inclusion in a Departmental reference guide. | |
| MEDIUM | MACI,MACII,MACIII | Security Design and Configuration | Compliance Testing | A comprehensive set of procedures is implemented that tests all patches, upgrades, and new AIS applications prior to deployment. | |
| MEDIUM | MACI,MACII,MACIII | Security Design and Configuration | Dedicated IA Services | Acquisition or outsourcing of dedicated IA services such as incident monitoring, analysis and response; operation of IA devices such as firewalls; or key management services are supported by a formal risk analysis and approved by the DoD Component CIO. | |
| MEDIUM | MACI,MACII,MACIII | Security Design and Configuration | Functional Architecture for AIS Applications | For AIS applications, a functional architecture that identifies the following has been developed and is maintained: - all external interfaces, the information being exchanged, and the protection mechanisms associated with each interface - user roles required for access control and the access privileges assigned to each role (See ECAN) - unique security requirements (e.g., encryption of key data elements at rest) - categories of sensitive information processed or stored by the AIS application, and their specific protection plans (e.g., Privacy Act, HIPAA) - restoration priority of subsystems, processes, or information (See COEF). | |
| HIGH | MACI,MACII,MACIII | Security Design and Configuration | HW Baseline | A current and comprehensive baseline inventory of all hardware (HW) (to include manufacturer, type, model, physical location and network topology or architecture) required to support enclave operations is maintained by the Configuration Control Board (CCB) and as part of the SSAA. A backup copy of the inventory is stored in a fire-rated container or otherwise not collocated with the original. | |
| HIGH | MACI,MACII,MACIII | Security Design and Configuration | Interconnection Documentation | For AIS applications, a list of all (potential) hosting enclaves is developed and maintained along with evidence of deployment planning and coordination and the exchange of connection rules and requirements. For enclaves, a list of all hosted AIS applications, interconnected outsourced IT-based processes, and interconnected IT platforms is developed and maintained along with evidence of deployment planning and coordination and the exchange of connection rules and requirements. | |
| MEDIUM | MACI,MACII,MACIII | Security Design and Configuration | IA Impact Assessment | Changes to the DoD information system are assessed for IA and accreditation impact prior to implementation. | |
| HIGH | MACI,MACII,MACIII | Security Design and Configuration | IA for IT Services | Acquisition or outsourcing of IT services explicitly addresses Government, service provider, and end user IA roles and responsibilities. | |
| MEDIUM | MACI,MACII,MACIII | Security Design and Configuration | Mobile Code | The acquisition, development, and/or use of mobile code to be deployed in DoD systems meets the following requirements: 1. Emerging mobile code technologies that have not undergone a risk assessment by NSA and been assigned to a Risk Category by the DoD CIO is not used. 2. Category 1 mobile code is signed with a DoD-approved PKI code signing certificate; use of unsigned Category 1 mobile code is prohibited; use of Category 1 mobile code technologies that cannot block or disable unsigned mobile code (e.g., Windows Scripting Host) is prohibited. 3. Category 2 mobile code, which executes in a constrained environment without access to system resources (e.g., Windows registry, file system, system parameters, network connections to other than the originating host) may be used. 4. Category 2 mobile code that does not execute in a constrained environment may be used when obtained from a trusted source over an assured channel (e.g., SIPRNET, SSL connection, S/MIME, code is signed with a DoD-approved code signing certificate). 5. Category 3 mobile code may be used. 6. All DoD workstation and host software are configured, to the extent possible, to prevent the download and execution of mobile code that is prohibited. 7. The automatic execution of all mobile code in email is prohibited; email software is configured to prompt the user prior to executing mobile code in attachments. | |
| MEDIUM | MACI,MACII,MACIII | Security Design and Configuration | Non-repudiation | NIST FIPS 140-2 validated cryptography (e.g., DoD PKI class 3 or 4 token) is used to implement encryption (e.g., AES, 3DES, DES, Skipjack), key exchange (e.g., FIPS 171), digital signature (e.g., DSA, RSA, ECDSA), and hash (e.g., SHA-1, SHA-256, SHA-384, SHA-512). Newer standards should be applied as they become available. | |
| LOW | MACI,MACII | Security Design and Configuration | Partitioning the Application | User interface services (e.g., web services) are physically or logically separated from data storage and management services (e.g., database management systems). Separation may be accomplished through the use of different computers, different CPUs, different instances of the operating system, different network addresses, combinations of these methods, or other methods, as appropriate. | |
| HIGH | MACI,MACII | Security Design and Configuration | IA Program and Budget | A discrete line item for Information Assurance is established in programming and budget documentation. | |
| MEDIUM | MACI,MACII,MACIII | Security Design and Configuration | Public Domain Software Controls | Binary or machine executable public domain software products and other software products with limited or no warranty such as those commonly known as freeware or shareware are not used in DoD information systems unless they are necessary for mission accomplishment and there are no alternative IT solutions available. Such products are assessed for information assurance impacts, and approved for use by the DAA. The assessment addresses the fact that such software products are difficult or impossible to review, repair, or extend, given that the Government does not have access to the original source code and there is no owner who could make such repairs on behalf of the Government. | |
| MEDIUM | MACI,MACII,MACIII | Security Design and Configuration | Ports, Protocols, and Services | DoD information systems comply with DoD ports, protocols, and services guidance. AIS applications, outsourced IT-based processes and platform IT identify the network ports, protocols, and services they plan to use as early in the life cycle as possible and notify hosting enclaves. Enclaves register all active ports, protocols, and services in accordance with DoD and DoD Component guidance. | |
| HIGH | MACI,MACII,MACIII | Security Design and Configuration | CM Process | A configuration management (CM) process is implemented that includes requirements for: 1. Formally documented CM roles, responsibilities, and procedures to include the management of IA information and documentation; 2. A configuration control board that implements procedures to ensure a security review and approval of all proposed DoD information system changes, to include interconnections to other DoD information systems; 3. A testing process to verify proposed configuration changes prior to implementation in the operational environment; and 4. A verification process to provide additional assurance that the CM process is working effectively and that changes outside the CM process are technically or procedurally not permitted. | |
| HIGH | MACI,MACII,MACIII | Security Design and Configuration | IA Documentation | All appointments to required IA roles (e.g., DAA and IAM/IAO) are established in writing, to include assigned duties and appointment criteria such as training, security clearance, and IT-designation. A System Security Plan is established that describes the technical, administrative, and procedural IA program and policies that govern the DoD information system, and identifies all IA personnel and specific IA requirements and objectives (e.g., requirements for data handling or dissemination, system redundancy and backup, or emergency response). | |
| MEDIUM | MACI,MACII,MACIII | Security Design and Configuration | System Library Management Controls | System libraries are managed and maintained to protect privileged programs and to prevent or minimize the introduction of unauthorized code. | |
| MEDIUM | MACI,MACII | Security Design and Configuration | Security Support Structure Partitioning | The security support structure is isolated by means of partitions, domains, etc., including control of access to, and integrity of, hardware, software, and firmware that perform security functions. The security support structure maintains separate execution domains (e.g., address spaces) for each executing process. | |
| MEDIUM | MACI,MACII,MACIII | Security Design and Configuration | Software Quality | Software quality requirements and validation methods that are focused on the minimization of flawed or malformed software that can negatively impact integrity or availability (e.g., buffer overruns) are specified for all software development initiatives. | |
| HIGH | PUBLIC | Security Design and Configuration | Specified Robustness - Basic | At a minimum, basic-robustness COTS IA and IA-enabled products are used to protect publicly released information from malicious tampering or destruction and ensure its availability. The basic-robustness requirements for products are defined in the Protection Profile Consistency Guidance for Basic Robustness published under the IATF. | |
| HIGH | SENSITIVE | Security Design and Configuration | Specified Robustness - Medium | At a minimum, medium-robustness COTS IA and IA-enabled products are used to protect sensitive information when the information transits public networks or the system handling the information is accessible by individuals who are not authorized to access the information on the system. The medium-robustness requirements for products are defined in the Protection Profile Consistency Guidance for Medium Robustness published under the IATF. COTS IA and IA-enabled IT products used for access control, data separation, or privacy on sensitive systems already protected by approved medium-robustness products, at a minimum, satisfy the requirements for basic robustness. If these COTS IA and IA-enabled IT products are used to protect National Security Information by cryptographic means, NSA-approved key management may be required. | |
| HIGH | CLASSIFIED | Security Design and Configuration | Specified Robustness – High | Only high-robustness GOTS or COTS IA and IA-enabled IT products are used to protect classified information when the information transits networks that are at a lower classification level than the information being transported. High-robustness products have been evaluated by NSA or in accordance with NSA-approved processes. COTS IA and IA-enabled IT products used for access control, data separation or privacy on classified systems already protected by approved high-robustness products at a minimum, satisfy the requirements for basic robustness. If these COTS IA and IA-enabled IT products are used to protect National Security Information by cryptographic means, NSA-approved key management may be required. | |
| HIGH | MACIII | Security Design and Configuration | System State Changes | System initialization, shutdown, and aborts are configured to ensure that the system remains in a secure state. | |
| HIGH | MACI,MACIICLASSIFIED | Security Design and Configuration | System State Changes | System initialization, shutdown, and aborts are configured to ensure that the system remains in a secure state. Tests are provided and periodically run to ensure the integrity of the system state. | |
| HIGH | MACI,MACII,MACIII | Security Design and Configuration | SW Baseline | A current and comprehensive baseline inventory of all software (SW) (to include manufacturer, type, and version and installation manuals and procedures) required to support DoD information system operations is maintained by the CCB and as part of the C&A documentation. A backup copy of the inventory is stored in a fire-rated container or otherwise not collocated with the original. | |
| LOW | PUBLIC | Enclave Boundary Defense | Boundary Defense | Boundary defense mechanisms to include firewalls and network intrusion detection systems (IDS) are deployed at the enclave boundary to the wide area network, and Internet access is permitted from a demilitarized zone (DMZ) that meets the DoD requirement that such contacts are isolated from other DoD systems by physical or technical means. All Internet access points are under the management and control of the enclave. Internet access is permitted from a demilitarized zone (DMZ) that meets the DoD requirement that such contacts are isolated from other DoD systems by physical or technical means. All Internet access points are under the management and control of the enclave. | |
| MEDIUM | SENSITIVE | Enclave Boundary Defense | Boundary Defense | Boundary defense mechanisms, to include firewalls and network intrusion detection systems (IDS) are deployed at the enclave boundary to the wide area network, at layered or internal enclave boundaries, or at key points in the network, as required. All Internet access is proxied through Internet access points that are under the management and control of the enclave and are isolated from other DoD information systems by physical or technical means. | |
| HIGH | CLASSIFIED | Enclave Boundary Defense | Boundary Defense | Boundary defense mechanisms to include firewalls and network intrusion detection systems (IDS) are deployed at the enclave boundary to the wide area network, and at layered or internal enclave boundaries and key points in the network as required. All Internet access is prohibited. | |
| MEDIUM | MACI,MACII,MACIII | Enclave Boundary Defense | Connection Rules | The DoD information system is compliant with established DoD connection rules and approval processes. | |
| HIGH | SENSITIVE,PUBLIC | Enclave Boundary Defense | Public WAN Connection | Connections between DoD enclaves and the Internet or other public or commercial wide area networks require a demilitarized zone (DMZ). | |
| HIGH | CLASSIFIED,SENSITIVE | Enclave Boundary Defense | Remote Access for Privileged Functions | Remote access for privileged functions is discouraged, is permitted only for compelling operational needs, and is strictly controlled. In addition to EBRU-1, sessions employ security measures such as a VPN with blocking mode enabled. A complete audit trail of each remote session is recorded, and the IAM/IAO reviews the log for every remote session. | |
| HIGH | CLASSIFIED,SENSITIVE | Enclave Boundary Defense | Remote Access for User Functions | All remote access to DoD information systems, to include telework access, is mediated through a managed access control point, such as a remote access server in a DMZ. Remote access always uses encryption to protect the confidentiality of the session. The session-level encryption equals or exceeds the robustness established in ECCT. Authenticators are restricted to those that offer strong protection against spoofing. Information regarding remote access mechanisms (e.g., Internet address, dial-up connection telephone number) is protected. | |
| MEDIUM | MACI,MACII,MACIII | Enclave Boundary Defense | VPN Controls | All VPN traffic is visible to network intrusion detection systems (IDS). | |
| MEDIUM | CLASSIFIED,SENSITIVE | Enclave Computing Environment | Affiliation Display | To help prevent inadvertent disclosure of controlled information, all contractors are identified by the inclusion of the abbreviation "ctr" and all foreign nationals are identified by the inclusion of their two character country code in: - DoD user e-mail addresses (e.g., [email protected] [email protected]); - DoD user e-mail display names (e.g., John Smith, Contractor <[email protected]> or John Smith, United Kingdom <[email protected]>); and - automated signature blocks (e.g., John Smith, Contractor, J-6K, Joint Staff or John Doe, Australia, LNO, Combatant Command). Contractors who are also foreign nationals are identified as both (e.g.,[email protected]). Country codes and guidance regarding their use are in FIPS 10-4. | |
| HIGH | CLASSIFIED,SENSITIVE | Enclave Computing Environment | Access for Need-to-Know | Access to all DoD information (classified, sensitive, and public) is determined by both its classification and user need-to-know. Need-to-know is established by the Information Owner and enforced by discretionary or role-based access controls. Access controls are established and enforced for all shared or networked file systems and internal websites, whether classified, sensitive, or unclassified. All internal classified, sensitive, and unclassified websites are organized to provide at least three distinct levels of access: 1. Open access to general information that is made available to all DoD authorized users with network access. Access does not require an audit transaction. 2. Controlled access to information that is made available to all DoD authorized users upon the presentation of an individual authenticator. Access is recorded in an audit transaction. | |
| LOW | PUBLIC | Enclave Computing Environment | Audit Record Content – Public Systems | Audit records include: · User ID. · Successful and unsuccessful attempts to access security files. · Date and time of the event. · Type of event. | |
| MEDIUM | SENSITIVE | Enclave Computing Environment | Audit Record Content – Sensitive Systems | Audit records include: · User ID. · Successful and unsuccessful attempts to access security files. · Date and time of the event. · Type of event. · Success or failure of event. · Successful and unsuccessful logons. · Denial of access resulting from excessive number of logon attempts. · Blocking or blacklisting a user ID, terminal or access port and the reason for the action. · Activities that might modify, bypass, or negate safeguards controlled by the system. | |
| HIGH | CLASSIFIED | Enclave Computing Environment | Audit Record Content – Classified Systems | Audit records include: · User ID. · Successful and unsuccessful attempts to access security files. · Date and time of the event. · Type of event. · Success or failure of event. · Successful and unsuccessful logons. · Denial of access resulting from excessive number of logon attempts. · Blocking or blacklisting a user ID, terminal or access port, and the reason for the action. · Activities that might modify, bypass, or negate safeguards controlled by the system. · Data required auditing the possible use of covert channel mechanisms. · Privileged activities and other system-level access. · Starting and ending time for access to the system. · Security relevant actions associated with periods processing or the changing of security labels or categories of information. | |
| LOW | MACIIISENSITIVE,PUBLIC | Enclave Computing Environment | Audit Trail, Monitoring, Analysis and Reporting | Audit trail records from all available sources are regularly reviewed for indications of inappropriate or unusual activity. Suspected violations of IA policies are analyzed and reported in accordance with DoD information system IA procedures. | |
| MEDIUM | MACI,MACIICLASSIFIED | Enclave Computing Environment | Audit Trail, Monitoring, Analysis and Reporting | An automated, continuous on-line monitoring and audit trail creation capability is deployed with the capability to immediately alert personnel of any unusual or inappropriate activity with potential IA implications, and with a user configurable capability to automatically disable the system if serious IA violations are detected. | |
| MEDIUM | MACIII | Enclave Computing Environment | Changes to Data | Access control mechanisms exist to ensure that data is accessed and changed only by authorized personnel. | |
| HIGH | MACI,MACIICLASSIFIED | Enclave Computing Environment | Changes to Data | Access control mechanisms exist to ensure that data is accessed and changed only by authorized personnel. Access and changes to the data are recorded in transaction logs that are reviewed periodically or immediately upon system security events. Users are notified of time and date of the last change in data content. | |
| HIGH | CLASSIFIED | Enclave Computing Environment | COMSEC | COMSEC activities comply with DoD Directive C-5200.5. | |
| LOW | SENSITIVE | Enclave Computing Environment | Encryption for Confidentiality (Data at Rest) | If required by the information owner, NIST-certified cryptography is used to encrypt stored sensitive information. | |
| MEDIUM | CLASSIFIED | Enclave Computing Environment | Encryption for Confidentiality (Data at Rest) | If required by the information owner, NIST-certified cryptography is used to encrypt stored classified non-SAMI information. | |
| HIGH | CLASSIFIED | Enclave Computing Environment | Encryption for Confidentiality (Data at Rest) | If a classified enclave contains SAMI and is accessed by individuals lacking an appropriate clearance for SAMI, then NSA-approved cryptography is used to encrypt all SAMI stored within the enclave. | |
| MEDIUM | SENSITIVE | Enclave Computing Environment | Encryption for Confidentiality (Data at Transmit) | Unclassified, sensitive data transmitted through a commercial or wireless network are encrypted using NIST-certified cryptography (See also DCSR-2). | |
| HIGH | CLASSIFIED | Enclave Computing Environment | Encryption for Confidentiality (Data at Transmit) | Classified data transmitted through a network that is cleared to a lower level than the data being transmitted are separately encrypted using NSA-approved cryptography (See also DCSR-3). | |
| MEDIUM | MACI,MACII | Enclave Computing Environment | Data Change Controls | Transaction-based systems (e.g., database management systems, transaction processing systems) implement transaction roll-back and transaction journaling, or technical equivalents. | |
| MEDIUM | CLASSIFIED,SENSITIVE | Enclave Computing Environment | Interconnections among DoD Systems and Enclaves | Discretionary access controls are a sufficient IA mechanism for connecting DoD information systems operating at the same classification, but with different need-to-know access rules. A controlled interface is required for interconnections among DoD information systems operating at different classifications levels or between DoD and non-DoD systems or networks. Controlled interfaces are addressed in separate guidance. | |
| MEDIUM | MACI,MACII | Enclave Computing Environment | Host Based IDS | Host-based intrusion detection systems are deployed for major applications and for network management assets, such as routers, switches, and domain name servers (DNS). | |
| MEDIUM | MACI,MACII,MACIII | Enclave Computing Environment | Instant Messaging | Instant messaging traffic to and from instant messaging clients that are independently configured by end users and that interact with a public service provider is prohibited within DoD information systems. Both inbound and outbound public service instant messaging traffic is blocked at the enclave boundary. Note: This does not include IM services that are configured by a DoD AIS application or enclave to perform an authorized and official function. | |
| LOW | CLASSIFIED | Enclave Computing Environment | Audit of Security Label Changes | The system automatically records the creation, deletion, or modification of confidentiality or integrity labels, if required by the information owner. | |
| MEDIUM | SENSITIVE | Enclave Computing Environment | Logon | Successive logon attempts are controlled using one or more of the following: · Access is denied after multiple unsuccessful logon attempts. · The number of access attempts in a given period is limited. · A time-delay control system is employed. If the system allows for multiple logon sessions for each user ID, the system provides a capability to control the number of logon sessions. | |
| MEDIUM | CLASSIFIED | Enclave Computing Environment | Logon | Successive logon attempts are controlled using one or more of the following: · Access is denied after multiple unsuccessful logon attempts. · The number of access attempts in a given period is limited. · A time-delay control system is employed. If the system allows for multiple logon sessions for each user ID, the system provides a capability to control the number of logon sessions. Upon successful logon, the user is notified of the date and time of the user's last logon, the location of the user at last logon, and the number of unsuccessful logon attempts using this user ID since the last successful logon. | |
| HIGH | CLASSIFIED,SENSITIVE,PUBLIC | Enclave Computing Environment | Least Privilege | Access procedures enforce the principles of separation of duties and "least privilege." Access to privileged accounts is limited to privileged users. Use of privileged accounts is limited to privileged functions; that is, privileged users use non-privileged accounts for all non-privileged functions. This control is in addition to an appropriate security clearance and need-to-know authorization. | |
| HIGH | CLASSIFIED,SENSITIVE | Enclave Computing Environment | Marking and Labeling | Information and DoD information systems that store, process, transit, or display data in any form or format that is not approved for public release comply with all requirements for marking and labeling contained in policy and guidance documents such as DoD 5200.1R. Markings and labels clearly reflect the classification or sensitivity level, if applicable, and any special dissemination, handling, or distribution instructions. | |
| LOW | SENSITIVE,PUBLIC | Enclave Computing Environment | Conformance Monitoring and Testing | Conformance testing that includes periodic, unannounced in-depth monitoring and provides for specific penetration testing to ensure compliance with all vulnerability mitigation procedures such as the DoD IAVA or other DoD IA practices is planned, scheduled, and conducted. Testing is intended to ensure that the system's IA capabilities continue to provide adequate assurance against constantly evolving threats and vulnerabilities. | |
| MEDIUM | CLASSIFIED | Enclave Computing Environment | Conformance Monitoring and Testing | Conformance testing that includes periodic, unannounced in-depth monitoring and provides for specific penetration testing to ensure compliance with all vulnerability mitigation procedures such as the DoD IAVA or other DoD IA practices is planned, scheduled, conducted, and independently validated. Testing is intended to ensure that the system's IA capabilities continue to provide adequate assurance against constantly evolving threats and vulnerabilities. | |
| LOW | MACIII | Enclave Computing Environment | Network Device Controls | An effective network device control program (e.g., routers, switches, firewalls) is implemented and includes: instructions for restart and recovery procedures; restrictions on source code access, system utility access, and system documentation; protection from deletion of system and application files, and a structured process for implementation of directed solutions (e.g., IAVA). | |
| MEDIUM | MACI,MACII | Enclave Computing Environment | Network Device Controls | An effective network device control program (e.g., routers, switches, firewalls) is implemented and includes: instructions for restart and recovery procedures; restrictions on source code access, system utility access, and system documentation; protection from deletion of system and application files, and a structured process for implementation of directed solutions (e.g., IAVA). Audit or other technical measures are in place to ensure that the network device controls are not compromised. Change controls are periodically tested. | |
| MEDIUM | CLASSIFIED,SENSITIVE | Enclave Computing Environment | Encryption for Need-To-Know | Information in transit through a network at the same classification level, but which must be separated for need-to-know reasons, is encrypted, at a minimum, with NIST-certified cryptography. This is in addition to ECCT (encryption for confidentiality – data in transit). | |
| MEDIUM | CLASSIFIED | Enclave Computing Environment | Encryption for Need-To-Know | SAMI information in transit through a network at the same classification level is encrypted using NSA-approved cryptography. This is to separate it for need-to-know reasons. This is in addition to ECCT (encryption for confidentiality – data in transit). | |
| HIGH | MACI,MACII,MACIII | Enclave Computing Environment | Privileged Account Control | All privileged user accounts are established and administered in accordance with a role-based access scheme that organizes all system and network privileges into roles (e.g., key management, network, system administration, database administration, web-administration). The IAM tracks privileged role assignments. | |
| MEDIUM | MACIII | Enclave Computing Environment | Production Code Change Controls | Application programmer privileges to change production code and data are limited and are periodically reviewed. | |
| MEDIUM | MACI,MACII | Enclave Computing Environment | Production Code Change Controls | Application programmer privileges to change production code and data are limited and reviewed every 3 months. | |
| MEDIUM | CLASSIFIED,SENSITIVE | Enclave Computing Environment | Resource Control | All authorizations to the information contained within an object are revoked prior to initial assignment, allocation, or reallocation to a subject from the system's pool of unused objects. No information, including encrypted representations of information, produced by a prior subject's actions is available to any subject that obtains access to an object that has been released back to the system. There is absolutely no residual data from the former object. | |
| LOW | MACI,MACII,MACIII | Enclave Computing Environment | Audit Reduction and Report Generation | Tools are available for the review of audit records and for report generation from audit records. | |
| MEDIUM | CLASSIFIED,SENSITIVE,PUBLIC | Enclave Computing Environment | Audit Record Retention | If the DoD information system contains sources and methods intelligence (SAMI), then audit records are retained for 5 years. Otherwise, audit records are retained for at least 1 year. | |
| HIGH | MACI,MACII,MACIII | Enclave Computing Environment | Security Configuration Compliance | For Enclaves and AIS applications, all DoD security configuration or implementation guides have been applied. | |
| MEDIUM | MACIII | Enclave Computing Environment | Software Development Change Controls | Change controls for software development are in place to prevent unauthorized programs or modifications to programs from being implemented. | |
| HIGH | MACI,MACII | Enclave Computing Environment | Software Development Change Controls | Change controls for software development are in place to prevent unauthorized programs or modifications to programs from being implemented. Change controls include review and approval of application change requests and technical system features to assure that changes are executed by authorized personnel and are properly implemented. | |
| MEDIUM | MACI,MACIICLASSIFIED | Enclave Computing Environment | Audit Trail Backup | The audit records are backed up not less than weekly onto a different system or media than the system being audited. | |
| HIGH | CLASSIFIED,SENSITIVE | Enclave Computing Environment | Tempest Controls | Measures to protect against compromising emanations have been implemented according to DoD Directive S-5200.19. | |
| MEDIUM | MACIII | Enclave Computing Environment | Transmission Integrity Controls | Good engineering practices with regards to the integrity mechanisms of COTS, GOTS and custom developed solutions are implemented for incoming and outgoing files, such as parity checks and cyclic redundancy checks (CRCs). | |
| MEDIUM | MACI,MACII | Enclave Computing Environment | Transmission Integrity Controls | Good engineering practices with regards to the integrity mechanisms of COTS, GOTS, and custom developed solutions are implemented for incoming and outgoing files, such as parity checks and cyclic redundancy checks (CRCs). Mechanisms are in place to assure the integrity of all transmitted information (including labels and security parameters) and to detect or prevent the hijacking of a communication session (e.g., encrypted or covert communication channels). | |
| MEDIUM | MACI,MACII,MACIII | Enclave Computing Environment | Audit Trail Protection | The contents of audit trails are protected against unauthorized access, modification or deletion. | |
| MEDIUM | MACI,MACII,MACIII | Enclave Computing Environment | Voice-over-IP (VoIP) Protection | Voice over Internet Protocol (VoIP) traffic to and from workstation IP telephony clients that are independently configured by end users for personal use is prohibited within DoD information systems. Both inbound and outbound individually configured voice over IP traffic is blocked at the enclave boundary. Note: This does not include VoIP services that are configured by a DoD AIS application or enclave to perform an authorized and official function. | |
| HIGH | MACI,MACII,MACIII | Enclave Computing Environment | Virus Protection | All Servers, workstations and mobile computing devices (i.e. laptop, PDAs) implement virus protection that includes a capability for automatic updates. | |
| LOW | CLASSIFIED,SENSITIVE,PUBLIC | Enclave Computing Environment | Warning Message | All users are warned that they are entering a Government information system, and are provided with appropriate privacy and security notices to include statements informing them that they are subject to monitoring, recording and auditing. | |
| HIGH | MACI,MACII,MACIII | Enclave Computing Environment | Wireless Computing and Network | Wireless computing and networking capabilities from workstations, laptops, personal digital assistants (PDAs), handheld computers, cellular phones, or other portable electronic devices are implemented in accordance with DoD wireless policy, as issued. (See also ECCT). Unused wireless computing capabilities internally embedded in interconnected DoD IT assets are normally disabled by changing factory defaults, settings or configurations prior to issue to end users. Wireless computing and networking capabilities are not independently configured by end users. | |
| HIGH | CLASSIFIED,SENSITIVE | Identification and Authentication | Account Control | A comprehensive account management process is implemented to ensure that only authorized users can gain access to workstations, applications, and networks and that individual accounts designated as inactive, suspended, or terminated are promptly deactivated. | |
| MEDIUM | CLASSIFIED,SENSITIVE | Identification and Authentication | Group Authentication | Group authenticators for application or network access may be used only in conjunction with an individual authenticator. Any use of group authenticators not based on the DoD PKI has been explicitly approved by the Designated Approving Authority (DAA). | |
| HIGH | SENSITIVE | Identification and Authentication | Individual Identification and Authentication | DoD information system access is gained through the presentation of an individual identifier (e.g., a unique token or user login ID) and password. For systems utilizing a logon ID as the individual identifier, passwords are, at a minimum, a case sensitive 8-character mix of upper case letters, lower case letters, numbers, and special characters, including at least one of each (e.g., emPagd2!). At least four characters must be changed when a new password is created. Deployed/tactical systems with limited data input capabilities implement the password to the extent possible. Registration to receive a user ID and password includes authorization by a supervisor, and is done in person before a designated registration authority. Additionally, to the extent system capabilities permit, system mechanisms are implemented to enforce automatic expiration of passwords and to prevent password reuse. All factory set, default or standard-user IDs and passwords are removed or changed. Authenticators are protected commensurate with the classification or sensitivity of the information accessed; they are not shared; and they are not embedded in access scripts or stored on function keys. Passwords are encrypted both for storage and for transmission. | |
| HIGH | CLASSIFIED | Identification and Authentication | Individual Identification and Authentication | DoD information system access is gained through the presentation of an individual identifier (e.g., a unique token or user logon ID) and password. For systems utilizing a logon ID as the individual identifier, passwords are, at a minimum, a case sensitive, 8-character mix of upper case letters, lower case letters, numbers, and special characters, including at least one of each (e.g., emPagd2!). At least four characters must be changed when a new password is created. Deployed/tactical systems with limited data input capabilities implement these measures to the extent possible. Registration to receive a user ID and password includes authorization by a supervisor, and is done in person before a designated registration authority. Multiple forms of certification of individual identification such as a documentary evidence or a combination of documents and biometrics are presented to the registration authority. Additionally, to the extent capabilities permit, system mechanisms are implemented to enforce automatic expiration of passwords and to prevent password reuse, and processes are in place to validate that passwords are sufficiently strong to resist cracking and other attacks intended to discover a user's password). All factory set, default or standard-user IDs and passwords are removed or changed. Authenticators are protected commensurate with the classification or sensitivity of the information accessed; they are not shared; and they are not embedded in access scripts or stored on function keys. Passwords are encrypted both for storage and for transmission. | |
| MEDIUM | MACIII | Identification and Authentication | Key Management | Symmetric Keys are produced, controlled, and distributed using NIST-approved key management technology and processes. Asymmetric Keys are produced, controlled, and distributed using DoD PKI Class 3 certificates or pre-placed keying material. | |
| MEDIUM | MACI,MACII | Identification and Authentication | Key Management | Symmetric Keys are produced, controlled and distributed using NSA-approved key management technology and processes. Asymmetric Keys are produced, controlled, and distributed using DoD PKI Medium Assurance or High Assurance certificates and hardware security tokens that protect the user's private key. | |
| MEDIUM | CLASSIFIED | Identification and Authentication | Key Management | Symmetric and asymmetric keys are produced, controlled and distributed using NSA-approved key management technology and processes. | |
| MEDIUM | MACIII | Identification and Authentication | Token and Certificate Standards | Identification and authentication is accomplished using the DoD PKI Class 3 certificate and hardware security token (when available). | |
| MEDIUM | MACI,MACII | Identification and Authentication | Token and Certificate Standards | Identification and authentication is accomplished using the DoD PKI Class 3 or 4 certificate and hardware security token (when available) or an NSA-certified product. | |
| HIGH | SENSITIVE | Physical and Environmental | Access to Computing Facilities | Only authorized personnel with a need-to-know are granted physical access to computing facilities that process sensitive information or unclassified information that has not been cleared for release. | |
| HIGH | CLASSIFIED | Physical and Environmental | Access to Computing Facilities | Only authorized personnel with appropriate clearances are granted physical access to computing facilities that process classified information. | |
| HIGH | SENSITIVE | Physical and Environmental | Clearing and Sanitizing | All documents, equipment, and machine-readable media containing sensitive data are cleared and sanitized before being released outside of the Department of Defense according to DoD 5200.1-R and ASD(C3I) Memorandum, dated June 4, 2001, subject: "Disposition of Unclassified DoD Computer Hard Drives." | |
| HIGH | CLASSIFIED | Physical and Environmental | Clearing and Sanitizing | All documents, equipment, and machine-readable media containing classified data are cleared and sanitized before being released outside its security domain according to DoD 5200.1-R. | |
| HIGH | CLASSIFIED | Physical and Environmental | Destruction | All documents, machine-readable media, and equipment are destroyed using procedures that comply with DoD policy (e.g., DoD 5200.1-R). | |
| HIGH | CLASSIFIED,SENSITIVE | Physical and Environmental | Data Interception | Devices that display or output classified or sensitive information in human-readable form are positioned to deter unauthorized individuals from reading the information. | |
| LOW | MACIII | Physical and Environmental | Emergency Lighting | An automatic emergency lighting system is installed that covers emergency exits and evacuation routes. | |
| MEDIUM | MACI,MACII | Physical and Environmental | Emergency Lighting | An automatic emergency lighting system is installed that covers all areas necessary to maintain mission or business essential functions, to include emergency exits and evacuation routes. | |
| HIGH | MACIII | Physical and Environmental | Fire Detection | Battery-operated or electric stand-alone smoke detectors are installed in the facility. | |
| HIGH | MACI,MACII | Physical and Environmental | Fire Detection | A servicing fire department receives an automatic notification of any activation of the smoke detection or fire suppression system. | |
| MEDIUM | MACI,MACII,MACIII | Physical and Environmental | Fire Inspection | Computing facilities undergo a periodic fire marshal inspection. Deficiencies are promptly resolved. | |
| MEDIUM | MACIII | Physical and Environmental | Fire Suppression | Handheld fire extinguishers or fixed fire hoses are available should an alarm be sounded or a fire be detected. | |
| HIGH | MACI,MACII | Physical and Environmental | Fire Suppression | A fully automatic fire suppression system is installed that automatically activates when it detects heat, smoke, or particles. | |
| MEDIUM | MACIII | Physical and Environmental | Humidity Controls | Humidity controls are installed that provide an alarm of fluctuations potentially harmful to personnel or equipment operation; adjustments to humidifier/de-humidifier systems may be made manually. | |
| MEDIUM | MACI,MACII | Physical and Environmental | Humidity Controls | Automatic humidity controls are installed to prevent humidity fluctuations potentially harmful to personnel or equipment operation. | |
| HIGH | MACI,MACII,MACIII | Physical and Environmental | Master Power Switch | A master power switch or emergency cut-off switch to IT equipment is present. It is located near the main entrance of the IT area and it is labeled and protected by a cover to prevent accidental shut-off. | |
| HIGH | SENSITIVE | Physical and Environmental | Physical Protection of Facilities | Every physical access point to facilities housing workstations that process or display sensitive information or unclassified information that has not been cleared for release is controlled during working hours and guarded or locked during non-work hours. | |
| HIGH | CLASSIFIED | Physical and Environmental | Physical Protection of Facilities | Every physical access point to facilities housing workstations that process or display classified information is guarded or alarmed 24 X 7. Intrusion alarms are monitored. Two (2) forms of identification are required to gain access to the facility (e.g., ID badge, key card, cipher PIN, biometrics). A visitor log is maintained. | |
| LOW | CLASSIFIED,SENSITIVE | Physical and Environmental | Physical Security Testing | A facility penetration testing process is in place that includes periodic, unannounced attempts to penetrate key computing facilities. | |
| MEDIUM | MACI,MACII,MACIII | Physical and Environmental | Screen Lock | Unless there is an overriding technical or operational problem, workstation screen-lock functionality is associated with each workstation. When activated, the screen-lock function places an unclassified pattern onto the entire screen of the workstation, totally hiding what was previously visible on the screen. Such a capability is enabled either by explicit user action or a specified period of workstation inactivity (e.g., 15 minutes). Once the workstation screen-lock software is activated, access to the workstation requires knowledge of a unique authenticator. A screen lock function is not considered a substitute for logging out (unless a mechanism actually logs out the user when the user idle time is exceeded). | |
| MEDIUM | CLASSIFIED,SENSITIVE | Physical and Environmental | Workplace Security Procedures | Procedures are implemented to ensure the proper handling and storage of information, such as end-of-day security checks, unannounced security checks, and, where appropriate, the imposition of a two-person rule within the computing facility. | |
| HIGH | CLASSIFIED,SENSITIVE | Physical and Environmental | Storage | Documents and equipment are stored in approved containers or facilities with maintenance and accountability procedures that comply with DoD 5200.1-R. | |
| LOW | MACIII | Physical and Environmental | Temperature Controls | Temperature controls are installed that provide an alarm when temperature fluctuations potentially harmful to personnel or equipment operation are detected; adjustments to heating or cooling systems may be made manually. | |
| MEDIUM | MACI,MACII | Physical and Environmental | Temperature Controls | Automatic temperature controls are installed to prevent temperature fluctuations potentially harmful to personnel or equipment operation. | |
| LOW | MACI,MACII,MACIII | Physical and Environmental | Environmental Control Training | Employees receive initial and periodic training in the operation of environmental controls. | |
| HIGH | CLASSIFIED,SENSITIVE | Physical and Environmental | Visitor Control to Computing Facilities | Current signed procedures exist for controlling visitor access and maintaining a detailed log of all visitors to the computing facility. | |
| HIGH | MACI,MACII,MACIII | Physical and Environmental | Voltage Regulators | Automatic voltage control is implemented for key IT assets. | |
| HIGH | SENSITIVE | Personnel | Access to Information | Individuals requiring access to sensitive information are processed for access authorization in accordance with DoD personnel security policies. | |
| HIGH | CLASSIFIED | Personnel | Access to Information | Individuals requiring access to classified information are processed for access authorization in accordance with DoD personnel security policies. | |
| HIGH | SENSITIVE,PUBLIC | Personnel | Maintenance Personnel | Maintenance is performed only by authorized personnel. The processes for determining authorization and the list of authorized maintenance personnel is documented. | |
| HIGH | CLASSIFIED | Personnel | Maintenance Personnel | Maintenance is performed only by authorized personnel. The processes for determining authorization and the list of authorized maintenance personnel is documented. Except as authorized by the DAA, personnel who perform maintenance on classified DoD information systems are cleared to the highest level of information on the system. Cleared personnel who perform maintenance on a classified DoD information systems require an escort unless they have authorized access to the computing facility and the DoD information system. If uncleared or lower-cleared personnel are employed, a fully cleared and technically qualified escort monitors and records all activities in a maintenance log. The level of detail required in the maintenance log is determined by the IAM. All maintenance personnel comply with DAA requirements for U.S. citizenship, which are explicit for all classified systems. | |
| HIGH | CLASSIFIED,SENSITIVE,PUBLIC | Personnel | Access to Need-to-Know Information | Only individuals who have a valid need-to-know that is demonstrated by assigned official Government duties and who satisfy all personnel security criteria (e.g., IT position sensitivity background investigation requirements outlined in DoD 5200.2-R) are granted access to information with special protection measures or restricted distribution as established by the information owner. | |
| HIGH | MACI,MACII,MACIII | Personnel | Security Rules of Behavior or Acceptable Use Policy | A set of rules that describe the IA operations of the DoD information system and clearly delineate IA responsibilities and expected behavior of all personnel is in place. The rules include the consequences of inconsistent behavior or non-compliance. Signed acknowledgement of the rules is a condition of access. | |
| HIGH | CLASSIFIED,SENSITIVE | Personnel | Information Assurance Training | A program is implemented to ensure that upon arrival and periodically thereafter, all personnel receive training and familiarization to perform their assigned IA responsibilities, to include familiarization with their prescribed roles in all IA- related plans such as incident response, configuration management and COOP or disaster recovery. | |
| MEDIUM | MACIII | Vulnerability and Incident Management | Incident Response Planning | An incident response plan exists that identifies the responsible CND Service Provider in accordance with DoD Instruction O-8530.2 and CJCS Instruction 6510.01D, defines reportable incidents, outlines a standard operating procedure for incident response to include INFOCON, provides for user training, and establishes an incident response team. The plan is exercised at least annually. | |
| HIGH | MACI,MACII | Vulnerability and Incident Management | Incident Response Planning | An incident response plan exists that identifies the responsible CND Service Provider in accordance with DoD Instruction O-8530.2 and CJCS Instruction 6510.01D, defines reportable incidents, outlines a standard operating procedure for incident response to include INFOCON, provides for user training, and establishes an incident response team. The plan is exercised at least every 6 months. | |
| MEDIUM | MACI,MACII,MACIII | Vulnerability and Incident Management | Vulnerability Management | A comprehensive vulnerability management process that includes the systematic identification and mitigation of software and hardware vulnerabilities is in place. Wherever system capabilities permit, mitigation is independently validated through inspection and automated vulnerability assessment or state management tools. Vulnerability assessment tools have been acquired, personnel have been appropriately trained, procedures have been developed, and regular internal and external assessments are conducted. For improved interoperability, preference is given to tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and use the Open Vulnerability Assessment Language (OVAL) to test for the presence of vulnerabilities. |