8500-2 DIACAP - Security Controls
Information security controls protect the confidentiality, integrity and/or availability of information (the so-called CIA Triad). Some would add further categories such as non-repudiation and accountability, depending on how narrowly or broadly the CIA Triad is defined.
Individual controls are often designed to act together to increase effective protection. Systems of controls can be referred to as frameworks or standards. Frameworks can enable an organization to manage security controls across different types of assets with consistency. For example, a framework can help an organization manage controls over access regardless of the type of computer operating system. This also enables an organization to assess overall risk. Risk-aware organizations may choose proactively to specify, design, implement, operate and maintain their security controls, usually by assessing the risks and implementing a comprehensive security management framework such as ISO27001:2013, the Information Security Forum's Standard of Good Practice for Information Security, or NIST SP 800-53.
Impact Code | MAC Level / Confidentiality | Subject Area | Title | Description | Control |
---|---|---|---|---|---|
Medium | MACIII | Continuity | Alternate Site Designation | An alternate site is identified that permits the partial restoration of mission or business essential functions. | |
High | MACI,MACII | Continuity | Alternate Site Designation | An alternate site is identified that permits the restoration of all mission or business essential functions. | |
High | MACI,MACII,MACIII | Continuity | Protection Of Backup And Restoration Assets | Procedures are in place to assure the appropriate physical and technical protection of the backup and restoration hardware, firmware, and software, such as router tables, compilers, and other security-related system software. | |
Low | MACIII | Continuity | Data Backup Procedures | Data backup is performed at least weekly. | |
Medium | MACII | Continuity | Data Backup Procedures | Data backup is performed daily, and recovery media are stored off-site at a location that affords protection of the data in accordance with its mission assurance category and confidentiality level. | |
Medium | MACI | Continuity | Data Backup Procedures | Data backup is accomplished by maintaining a redundant secondary system, not co-located, that can be activated without loss of data or disruption to the operation. | |
Low | MACIII | Continuity | Disaster And Recovery Planning | A disaster plan exists that provides for the partial resumption of mission or business essential functions within 5 days of activation. (Disaster recovery procedures include business recovery plans, system contingency plans, facility disaster recovery pla | |
Medium | MACII | Continuity | Disaster And Recovery Planning | A disaster plan exists that provides for the resumption of mission or business essential functions within 24 hours of activation. (Disaster recovery procedures include business recovery plans, system contingency plans, facility disaster recovery plans, an | |
Medium | MACI | Continuity | Disaster And Recovery Planning | A disaster plan exists that provides for the smooth transfer of all mission or business essential functions to an alternate site for the duration of an event with little or no loss of operational continuity. (Disaster recovery procedures include business | |
Medium | MACII,MACIII | Continuity | Enclave Boundary Defense | Enclave boundary defense at the alternate site provides security measures equivalent to the primary site. | |
High | MACI | Continuity | Enclave Boundary Defense | Enclave boundary defense at the alternate site must be configured identically to that of the primary site. | |
Low | MACII,MACIII | Continuity | Scheduled Exercises And Drills | The continuity of operations or disaster recovery plans are exercised annually. | |
Medium | MACI | Continuity | Scheduled Exercises And Drills | The continuity of operations or disaster recovery plans or significant portions are exercised semi-annually. | |
Low | MACIII | Continuity | Identification Of Essential Functions | Mission and business essential functions are identified for priority restoration planning. | |
Medium | MACI,MACII | Continuity | Identification Of Essential Functions | Mission and business-essential functions are identified for priority restoration planning along with all assets supporting mission or business-essential functions (e.g., computer-based services, data and applications, communications, physical infrastructu | |
Low | MACIII | Continuity | Maintenance Support | Maintenance support for key IT assets is available to respond within 24 hours of failure. | |
Medium | MACI,MACII | Continuity | Maintenance Support | Maintenance support for key IT assets is available to respond 24 X 7 immediately upon failure. | |
Low | MACIII | Continuity | Power Supply | Electrical power is restored to key IT assets by manually activated power generators upon loss of electrical power from the primary source. | |
Medium | MACII | Continuity | Power Supply | Electrical systems are configured to allow continuous or uninterrupted power to key IT assets. This may include an uninterrupted power supply coupled with emergency generators. | |
Medium | MACI | Continuity | Power Supply | Electrical systems are configured to allow continuous or uninterrupted power to key IT assets and all users accessing the key IT assets to perform mission or business-essential functions. This may include an uninterrupted power supply coupled with emergen | |
Low | MACII,MACIII | Continuity | Spares And Parts | Maintenance spares and spare parts for key IT assets can be obtained within 24 hours of failure. | |
Medium | MACI | Continuity | Spares And Parts | Maintenance spares and spare parts for key IT assets are available 24 X 7 immediately upon failure. | |
High | MACI,MACII,MACIII | Continuity | Backup Copies Of Critical SW | Back-up copies of the operating system and other critical software are stored in a fire rated container or otherwise not collocated with the operational software. | |
High | MACI,MACII,MACIII | Continuity | Trusted Recovery | Recovery procedures and technical system features exist to ensure that recovery is done in a secure and verifiable manner. Circumstances that can inhibit a trusted recovery are documented and appropriate mitigating procedures have been put in place. | |
Medium | MACI,MACII,MACIII | Security Design And Configuration | Procedural Review | An annual IA review is conducted that comprehensively evaluates existing policies and processes to ensure procedural consistency and to ensure that they fully support the goal of uninterrupted operations. | |
High | CLASSIFIED,SENSITIVE,PUBLIC | Security Design And Configuration | Acquisition Standards | The acquisition of all IA- and IA-enabled GOTS IT products is limited to products that have been evaluated by the NSA or in accordance with NSA-approved processes. The acquisition of all IA- and IA-enabled COTS IT products is limited to products that have | |
Medium | MACI,MACII,MACIII | Security Design And Configuration | Best Security Practices | The DoD information system security design incorporates best security practices such as single sign-on, PKE, smart card, and biometrics. | |
Low | | Security Design And Configuration | Control Board | All DoD information systems are under the control of a chartered configuration control board that meets regularly according to DCPR-1. | |
Medium | MACI,MACII,MACIII | Security Design And Configuration | Control Board | All information systems are under the control of a chartered Configuration Control Board that meets regularly according to DCPR-1. The IAM is a voting member of the CCB. | |
High | MACIII | Security Design And Configuration | Configuration Specifications | A DoD reference document, such as a security technical implementation guide or security recommendation guide constitutes the primary source for security configuration or implementation guidance for the deployment of newly acquired IA- and IA-enabled IT pr | |
High | MACI,MACII | Security Design And Configuration | Configuration Specifications | A DoD reference document such as a security technical implementation guide or security recommendation guide constitutes the primary source for security configuration or implementation guidance for the deployment of newly acquired IA- and IA-enabled IT pro | |
Medium | MACI,MACII,MACIII | Security Design And Configuration | Compliance Testing | A comprehensive set of procedures is implemented that tests all patches, upgrades, and new AIS applications prior to deployment. | |
Medium | MACI,MACII,MACIII | Security Design And Configuration | Dedicated IA Services | Acquisition or outsourcing of dedicated IA services such as incident monitoring, analysis and response; operation of IA devices such as firewalls; or key management services are supported by a formal risk analysis and approved by the DoD Component CIO. | |
Medium | MACI,MACII,MACIII | Security Design And Configuration | Functional Architecture For AIS Applications | For AIS applications, a functional architecture that identifies the following has been developed and is maintained: - all external interfaces, the information being exchanged, and the protection mechanisms associated with each interface - user roles requi | |
High | MACI,MACII,MACIII | Security Design And Configuration | HW Baseline | A current and comprehensive baseline inventory of all hardware (HW) (to include manufacturer, type, model, physical location and network topology or architecture) required to support enclave operations is maintained by the Configuration Control Board (CCB | |
High | MACI,MACII,MACIII | Security Design And Configuration | Interconnection Documentation | For AIS applications, a list of all (potential) hosting enclaves is developed and maintained along with evidence of deployment planning and coordination and the exchange of connection rules and requirements. For enclaves, a list of all hosted AIS applicat | |
Medium | MACI,MACII,MACIII | Security Design And Configuration | IA Impact Assessment | Changes to the DoD information system are assessed for IA and accreditation impact prior to implementation. | |
High | MACI,MACII,MACIII | Security Design And Configuration | IA For IT Services | Acquisition or outsourcing of IT services explicitly addresses Government, service provider, and end user IA roles and responsibilities. | |
Medium | MACI,MACII,MACIII | Security Design And Configuration | Mobile Code | The acquisition, development, and/or use of mobile code to be deployed in DoD systems meets the following requirements: 1. Emerging mobile code technologies that have not undergone a risk assessment by NSA and been assigned to a Risk Category by the DoD C | |
Medium | MACI,MACII,MACIII | Security Design And Configuration | Non-repudiation | NIST FIPS 140-2 validated cryptography (e.g., DoD PKI class 3 or 4 token) is used to implement encryption (e.g., AES, 3DES, DES, Skipjack), key exchange (e.g., FIPS 171), digital signature (e.g., DSA, RSA, ECDSA), and hash (e.g., SHA-1, SHA-256, SHA-384, | |
Low | MACI,MACII | Security Design And Configuration | Partitioning The Application | User interface services (e.g., web services) are physically or logically separated from data storage and management services (e.g., database management systems). Separation may be accomplished through the use of different computers, different CPUs, differ | |
High | MACI,MACII | Security Design And Configuration | IA Program And Budget | A discrete line item for Information Assurance is established in programming and budget documentation. | |
Medium | MACI,MACII,MACIII | Security Design And Configuration | Public Domain Software Controls | Binary or machine executable public domain software products and other software products with limited or no warranty such as those commonly known as freeware or shareware are not used in DoD information systems unless they are necessary for mission accomp | |
Medium | MACI,MACII,MACIII | Security Design And Configuration | Ports, Protocols, And Services | DoD information systems comply with DoD ports, protocols, and services guidance. AIS applications, outsourced IT-based processes and platform IT identify the network ports, protocols, and services they plan to use as early in the life cycle as possible an | |
High | MACI,MACII,MACIII | Security Design And Configuration | CM Process | A configuration management (CM) process is implemented that includes requirements for: 1. Formally documented CM roles, responsibilities, and procedures to include the management of IA information and documentation; 2. A configuration control board that i | |
High | MACI,MACII,MACIII | Security Design And Configuration | IA Documentation | All appointments to required IA roles (e.g., DAA and IAM/IAO) are established in writing, to include assigned duties and appointment criteria such as training, security clearance, and IT-designation. A System Security Plan is established that describes th | |
Medium | MACI,MACII,MACIII | Security Design And Configuration | System Library Management Controls | System libraries are managed and maintained to protect privileged programs and to prevent or minimize the introduction of unauthorized code. | |
Medium | MACI,MACII | Security Design And Configuration | Security Support Structure Partitioning | The security support structure is isolated by means of partitions, domains, etc., including control of access to, and integrity of, hardware, software, and firmware that perform security functions. The security support structure maintains separate executi | |
Medium | MACI,MACII,MACIII | Security Design And Configuration | Software Quality | Software quality requirements and validation methods that are focused on the minimization of flawed or malformed software that can negatively impact integrity or availability (e.g., buffer overruns) are specified for all software development initiatives. | |
High | PUBLIC | Security Design And Configuration | Specified Robustness - Basic | At a minimum, basic-robustness COTS IA and IA-enabled products are used to protect publicly released information from malicious tampering or destruction and ensure its availability. The basic-robustness requirements for products are defined in the Protect | |
High | SENSITIVE | Security Design And Configuration | Specified Robustness - Medium | At a minimum, medium-robustness COTS IA and IA-enabled products are used to protect sensitive information when the information transits public networks or the system handling the information is accessible by individuals who are not authorized to access th | |
High | CLASSIFIED | Security Design And Configuration | Specified Robustness – High | Only high-robustness GOTS or COTS IA and IA-enabled IT products are used to protect classified information when the information transits networks that are at a lower classification level than the information being transported. High-robustness products hav | |
High | MACIII | Security Design And Configuration | System State Changes | System initialization, shutdown, and aborts are configured to ensure that the system remains in a secure state. | |
High | MACI,MACII,CLASSIFIED | Security Design And Configuration | System State Changes | System initialization, shutdown, and aborts are configured to ensure that the system remains in a secure state. Tests are provided and periodically run to ensure the integrity of the system state. | |
High | MACI,MACII,MACIII | Security Design And Configuration | SW Baseline | A current and comprehensive baseline inventory of all software (SW) (to include manufacturer, type, and version and installation manuals and procedures) required to support DoD information system operations is maintained by the CCB and as part of the C&A | |
Low | PUBLIC | Enclave Boundary Defense | Boundary Defense | Boundary defense mechanisms to include firewalls and network intrusion detection systems (IDS) are deployed at the enclave boundary to the wide area network, and Internet access is permitted from a demilitarized zone (DMZ) that meets the DoD requirement t | |
Medium | SENSITIVE | Enclave Boundary Defense | Boundary Defense | Boundary defense mechanisms, to include firewalls and network intrusion detection systems (IDS) are deployed at the enclave boundary to the wide area network, at layered or internal enclave boundaries, or at key points in the network, as required. All I | |
High | CLASSIFIED | Enclave Boundary Defense | Boundary Defense | Boundary defense mechanisms to include firewalls and network intrusion detection systems (IDS) are deployed at the enclave boundary to the wide area network, and at layered or internal enclave boundaries and key points in the network as required. All Inte | |
Medium | MACI,MACII,MACIII | Enclave Boundary Defense | Connection Rules | The DoD information system is compliant with established DoD connection rules and approval processes. | |
High | SENSITIVE,PUBLIC | Enclave Boundary Defense | Public Wan Connection | Connections between DoD enclaves and the Internet or other public or commercial wide area networks require a demilitarized zone (DMZ). | |
High | CLASSIFIED,SENSITIVE | Enclave Boundary Defense | Remote Access For Privileged Functions | Remote access for privileged functions is discouraged, is permitted only for compelling operational needs, and is strictly controlled. In addition to EBRU-1, sessions employ security measures such as a VPN with blocking mode enabled. A complete audit trai | |
High | CLASSIFIED,SENSITIVE | Enclave Boundary Defense | Remote Access For User Functions | All remote access to DoD information systems, to include telework access, is mediated through a managed access control point, such as a remote access server in a DMZ. Remote access always uses encryption to protect the confidentiality of the session. The | |
Medium | MACI,MACII,MACIII | Enclave Boundary Defense | VPN Controls | All VPN traffic is visible to network intrusion detection systems (IDS). | |
Medium | CLASSIFIED,SENSITIVE | Enclave Computing Environment | Affiliation Display | To help prevent inadvertent disclosure of controlled information, all contractors are identified by the inclusion of the abbreviation "ctr" and all foreign nationals are identified by the inclusion of their two character country code in: - DoD user e-mail | |
High | CLASSIFIED,SENSITIVE | Enclave Computing Environment | Access For Need-to-know | Access to all DoD information (classified, sensitive, and public) is determined by both its classification and user need-to-know. Need-to-know is established by the Information Owner and enforced by discretionary or role-based access controls. Access cont | |
Low | PUBLIC | Enclave Computing Environment | Audit Record Content – Public Systems | Audit records include: · User ID. · Successful and unsuccessful attempts to access security files. · Date and time of the event. · Type of event. | |
Medium | SENSITIVE | Enclave Computing Environment | Audit Record Content – Sensitive Systems | Audit records include: · User ID. · Successful and unsuccessful attempts to access security files. · Date and time of the event. · Type of event. · Success or failure of event. · Successful and unsuccessful logons. · Den | |
High | CLASSIFIED | Enclave Computing Environment | Audit Record Content – Classified Systems | Audit records include: · User ID. · Successful and unsuccessful attempts to access security files. · Date and time of the event. · Type of event. · Success or failure of event. · Successful and unsuccessful logons. · Den | |
Low | MACIII,SENSITIVE,PUBLIC | Enclave Computing Environment | Audit Trail, Monitoring, Analysis And Reporting | Audit trail records from all available sources are regularly reviewed for indications of inappropriate or unusual activity. Suspected violations of IA policies are analyzed and reported in accordance with DoD information system IA procedures. | |
Medium | MACI,MACII,CLASSIFIED | Enclave Computing Environment | Audit Trail, Monitoring, Analysis And Reporting | An automated, continuous on-line monitoring and audit trail creation capability is deployed with the capability to immediately alert personnel of any unusual or inappropriate activity with potential IA implications, and with a user configurable capability | |
Medium | MACIII | Enclave Computing Environment | Changes To Data | Access control mechanisms exist to ensure that data is accessed and changed only by authorized personnel. | |
High | MACI,MACII,CLASSIFIED | Enclave Computing Environment | Changes To Data | Access control mechanisms exist to ensure that data is accessed and changed only by authorized personnel. Access and changes to the data are recorded in transaction logs that are reviewed periodically or immediately upon system security events. Users are | |
High | CLASSIFIED | Enclave Computing Environment | COMSEC | COMSEC activities comply with DoD Directive C-5200.5. | |
Low | SENSITIVE | Enclave Computing Environment | Encryption For Confidentiality (data At Rest) | If required by the information owner, NIST-certified cryptography is used to encrypt stored sensitive information. | |
Medium | CLASSIFIED | Enclave Computing Environment | Encryption For Confidentiality (data At Rest) | If required by the information owner, NIST-certified cryptography is used to encrypt stored classified non-SAMI information. | |
High | CLASSIFIED | Enclave Computing Environment | Encryption For Confidentiality (data At Rest) | If a classified enclave contains SAMI and is accessed by individuals lacking an appropriate clearance for SAMI, then NSA-approved cryptography is used to encrypt all SAMI stored within the enclave. | |
Medium | SENSITIVE | Enclave Computing Environment | Encryption For Confidentiality (data At Transmit) | Unclassified, sensitive data transmitted through a commercial or wireless network are encrypted using NIST-certified cryptography (See also DCSR-2). | |
High | CLASSIFIED | Enclave Computing Environment | Encryption For Confidentiality (data At Transmit) | Classified data transmitted through a network that is cleared to a lower level than the data being transmitted are separately encrypted using NSA-approved cryptography (See also DCSR-3). | |
Medium | MACI,MACII | Enclave Computing Environment | Data Change Controls | Transaction-based systems (e.g., database management systems, transaction processing systems) implement transaction roll-back and transaction journaling, or technical equivalents. | |
Medium | CLASSIFIED,SENSITIVE | Enclave Computing Environment | Interconnections Among DoD Systems And Enclaves | Discretionary access controls are a sufficient IA mechanism for connecting DoD information systems operating at the same classification, but with different need-to-know access rules. A controlled interface is required for interconnections among DoD inform | |
Medium | MACI,MACII | Enclave Computing Environment | Host Based IDS | Host-based intrusion detection systems are deployed for major applications and for network management assets, such as routers, switches, and domain name servers (DNS). | |
Medium | MACI,MACII,MACIII | Enclave Computing Environment | Instant Messaging | Instant messaging traffic to and from instant messaging clients that are independently configured by end users and that interact with a public service provider is prohibited within DoD information systems. Both inbound and outbound public service instant | |
Low | CLASSIFIED | Enclave Computing Environment | Audit Of Security Label Changes | The system automatically records the creation, deletion, or modification of confidentiality or integrity labels, if required by the information owner. | |
Medium | SENSITIVE | Enclave Computing Environment | Logon | Successive logon attempts are controlled using one or more of the following: · Access is denied after multiple unsuccessful logon attempts. · The number of access attempts in a given period is limited. · A time-delay control system is emplo | |
Medium | CLASSIFIED | Enclave Computing Environment | Logon | Successive logon attempts are controlled using one or more of the following: · Access is denied after multiple unsuccessful logon attempts. · The number of access attempts in a given period is limited. · A time-delay control system is emplo | |
High | CLASSIFIED,SENSITIVE,PUBLIC | Enclave Computing Environment | Least Privilege | Access procedures enforce the principles of separation of duties and "least privilege." Access to privileged accounts is limited to privileged users. Use of privileged accounts is limited to privileged functions; that is, privileged users use non-privil | |
High | CLASSIFIED,SENSITIVE | Enclave Computing Environment | Marking And Labeling | Information and DoD information systems that store, process, transit, or display data in any form or format that is not approved for public release comply with all requirements for marking and labeling contained in policy and guidance documents such as Do | |
Low | SENSITIVE,PUBLIC | Enclave Computing Environment | Conformance Monitoring And Testing | Conformance testing that includes periodic, unannounced in-depth monitoring and provides for specific penetration testing to ensure compliance with all vulnerability mitigation procedures such as the DoD IAVA or other DoD IA practices is planned, schedule | |
Medium | CLASSIFIED | Enclave Computing Environment | Conformance Monitoring And Testing | Conformance testing that includes periodic, unannounced in-depth monitoring and provides for specific penetration testing to ensure compliance with all vulnerability mitigation procedures such as the DoD IAVA or other DoD IA practices is planned, schedule | |
Low | MACIII | Enclave Computing Environment | Network Device Controls | An effective network device control program (e.g., routers, switches, firewalls) is implemented and includes: instructions for restart and recovery procedures; restrictions on source code access, system utility access, and system documentation; protection | |
Medium | MACI,MACII | Enclave Computing Environment | Network Device Controls | An effective network device control program (e.g., routers, switches, firewalls) is implemented and includes: instructions for restart and recovery procedures; restrictions on source code access, system utility access, and system documentation; protection | |
Medium | CLASSIFIED,SENSITIVE | Enclave Computing Environment | Encryption For Need-to-know | Information in transit through a network at the same classification level, but which must be separated for need-to-know reasons, is encrypted, at a minimum, with NIST-certified cryptography. This is in addition to ECCT (encryption for confidentiality – | |
Medium | CLASSIFIED | Enclave Computing Environment | Encryption For Need-to-know | SAMI information in transit through a network at the same classification level is encrypted using NSA-approved cryptography. This is to separate it for need-to-know reasons. This is in addition to ECCT (encryption for confidentiality – data in transit). | |
High | MACI,MACII,MACIII | Enclave Computing Environment | Privileged Account Control | All privileged user accounts are established and administered in accordance with a role-based access scheme that organizes all system and network privileges into roles (e.g., key management, network, system administration, database administration, web-adm | |
Medium | MACIII | Enclave Computing Environment | Production Code Change Controls | Application programmer privileges to change production code and data are limited and are periodically reviewed. | |
Medium | MACI,MACII | Enclave Computing Environment | Production Code Change Controls | Application programmer privileges to change production code and data are limited and reviewed every 3 months. | |
Medium | CLASSIFIED,SENSITIVE | Enclave Computing Environment | Resource Control | All authorizations to the information contained within an object are revoked prior to initial assignment, allocation, or reallocation to a subject from the system's pool of unused objects. No information, including encrypted representations of information | |
Low | MACI,MACII,MACIII | Enclave Computing Environment | Audit Reduction And Report Generation | Tools are available for the review of audit records and for report generation from audit records. | |
Medium | CLASSIFIED,SENSITIVE,PUBLIC | Enclave Computing Environment | Audit Record Retention | If the DoD information system contains sources and methods intelligence (SAMI), then audit records are retained for 5 years. Otherwise, audit records are retained for at least 1 year. | |
High | MACI,MACII,MACIII | Enclave Computing Environment | Security Configuration Compliance | For Enclaves and AIS applications, all DoD security configuration or implementation guides have been applied. | |
Medium | MACIII | Enclave Computing Environment | Software Development Change Controls | Change controls for software development are in place to prevent unauthorized programs or modifications to programs from being implemented. | |
High | MACI,MACII | Enclave Computing Environment | Software Development Change Controls | Change controls for software development are in place to prevent unauthorized programs or modifications to programs from being implemented. Change controls include review and approval of application change requests and technical system features to assure | |
Medium | MACI,MACII,CLASSIFIED | Enclave Computing Environment | Audit Trail Backup | The audit records are backed up not less than weekly onto a different system or media than the system being audited. | |
High | CLASSIFIED,SENSITIVE | Enclave Computing Environment | Tempest Controls | Measures to protect against compromising emanations have been implemented according to DoD Directive S-5200.19. | |
Medium | MACIII | Enclave Computing Environment | Transmission Integrity Controls | Good engineering practices with regards to the integrity mechanisms of COTS, GOTS and custom developed solutions are implemented for incoming and outgoing files, such as parity checks and cyclic redundancy checks (CRCs). | |
Medium | MACI,MACII | Enclave Computing Environment | Transmission Integrity Controls | Good engineering practices with regards to the integrity mechanisms of COTS, GOTS, and custom developed solutions are implemented for incoming and outgoing files, such as parity checks and cyclic redundancy checks (CRCs). Mechanisms are in place to assure | |
Medium | MACI,MACII,MACIII | Enclave Computing Environment | Audit Trail Protection | The contents of audit trails are protected against unauthorized access, modification or deletion. | |
Medium | MACI,MACII,MACIII | Enclave Computing Environment | Voice-over-IP (VoIP) Protection | Voice over Internet Protocol (VoIP) traffic to and from workstation IP telephony clients that are independently configured by end users for personal use is prohibited within DoD information systems. Both inbound and outbound individually configured voice | |
High | MACI,MACII,MACIII | Enclave Computing Environment | Virus Protection | All Servers, workstations and mobile computing devices (i.e. laptop, PDAs) implement virus protection that includes a capability for automatic updates. | |
Low | CLASSIFIED,SENSITIVE,PUBLIC | Enclave Computing Environment | Warning Message | All users are warned that they are entering a Government information system, and are provided with appropriate privacy and security notices to include statements informing them that they are subject to monitoring, recording and auditing. | |
High | MACI,MACII,MACIII | Enclave Computing Environment | Wireless Computing And Network | Wireless computing and networking capabilities from workstations, laptops, personal digital assistants (PDAs), handheld computers, cellular phones, or other portable electronic devices are implemented in accordance with DoD wireless policy, as issued. (Se | |
High | CLASSIFIED,SENSITIVE | Identification And Authentication | Account Control | A comprehensive account management process is implemented to ensure that only authorized users can gain access to workstations, applications, and networks and that individual accounts designated as inactive, suspended, or terminated are promptly deactivat | |
Medium | CLASSIFIED,SENSITIVE | Identification And Authentication | Group Authentication | Group authenticators for application or network access may be used only in conjunction with an individual authenticator. Any use of group authenticators not based on the DoD PKI has been explicitly approved by the Designated Approving Authority (DAA). | |
High | SENSITIVE | Identification And Authentication | Individual Identification And Authentication | DoD information system access is gained through the presentation of an individual identifier (e.g., a unique token or user login ID) and password. For systems utilizing a logon ID as the individual identifier, passwords are, at a minimum, a case sensitive | |
High | CLASSIFIED | Identification And Authentication | Individual Identification And Authentication | DoD information system access is gained through the presentation of an individual identifier (e.g., a unique token or user logon ID) and password. For systems utilizing a logon ID as the individual identifier, passwords are, at a minimum, a case sensitive | |
Medium | MACIII | Identification And Authentication | Key Management | Symmetric Keys are produced, controlled, and distributed using NIST-approved key management technology and processes. Asymmetric Keys are produced, controlled, and distributed using DoD PKI Class 3 certificates or pre-placed keying material. | |
Medium | MACI,MACII | Identification And Authentication | Key Management | Symmetric Keys are produced, controlled and distributed using NSA-approved key management technology and processes. Asymmetric Keys are produced, controlled, and distributed using DoD PKI Medium Assurance or High Assurance certificates and hardware secu | |
Medium | CLASSIFIED | Identification And Authentication | Key Management | Symmetric and asymmetric keys are produced, controlled and distributed using NSA-approved key management technology and processes. | |
Medium | MACIII | Identification And Authentication | Token And Certificate Standards | Identification and authentication is accomplished using the DoD PKI Class 3 certificate and hardware security token (when available). | |
Medium | MACI,MACII | Identification And Authentication | Token And Certificate Standards | Identification and authentication is accomplished using the DoD PKI Class 3 or 4 certificate and hardware security token (when available) or an NSA-certified product. | |
High | SENSITIVE | Physical And Environmental | Access To Computing Facilities | Only authorized personnel with a need-to-know are granted physical access to computing facilities that process sensitive information or unclassified information that has not been cleared for release. | |
High | CLASSIFIED | Physical And Environmental | Access To Computing Facilities | Only authorized personnel with appropriate clearances are granted physical access to computing facilities that process classified information. | |
High | SENSITIVE | Physical And Environmental | Clearing And Sanitizing | All documents, equipment, and machine-readable media containing sensitive data are cleared and sanitized before being released outside of the Department of Defense according to DoD 5200.1-R and ASD(C3I) Memorandum, dated June 4, 2001, subject: "Dispositio | |
High | CLASSIFIED | Physical And Environmental | Clearing And Sanitizing | All documents, equipment, and machine-readable media containing classified data are cleared and sanitized before being released outside its security domain according to DoD 5200.1-R. | |
High | CLASSIFIED | Physical And Environmental | Destruction | All documents, machine-readable media, and equipment are destroyed using procedures that comply with DoD policy (e.g., DoD 5200.1-R). | |
High | CLASSIFIED,SENSITIVE | Physical And Environmental | Data Interception | Devices that display or output classified or sensitive information in human-readable form are positioned to deter unauthorized individuals from reading the information. | |
Low | MACIII | Physical And Environmental | Emergency Lighting | An automatic emergency lighting system is installed that covers emergency exits and evacuation routes. | |
Medium | MACI,MACII | Physical And Environmental | Emergency Lighting | An automatic emergency lighting system is installed that covers all areas necessary to maintain mission or business essential functions, to include emergency exits and evacuation routes. | |
High | MACIII | Physical And Environmental | Fire Detection | Battery-operated or electric stand-alone smoke detectors are installed in the facility. | |
High | MACI,MACII | Physical And Environmental | Fire Detection | A servicing fire department receives an automatic notification of any activation of the smoke detection or fire suppression system. | |
Medium | MACI,MACII,MACIII | Physical And Environmental | Fire Inspection | Computing facilities undergo a periodic fire marshal inspection. Deficiencies are promptly resolved. | |
Medium | MACIII | Physical And Environmental | Fire Suppression | Handheld fire extinguishers or fixed fire hoses are available should an alarm be sounded or a fire be detected. | |
High | MACI,MACII | Physical And Environmental | Fire Suppression | A fully automatic fire suppression system is installed that automatically activates when it detects heat, smoke, or particles. | |
Medium | MACIII | Physical And Environmental | Humidity Controls | Humidity controls are installed that provide an alarm of fluctuations potentially harmful to personnel or equipment operation; adjustments to humidifier/de-humidifier systems may be made manually. | |
Medium | MACI,MACII | Physical And Environmental | Humidity Controls | Automatic humidity controls are installed to prevent humidity fluctuations potentially harmful to personnel or equipment operation. | |
High | MACI,MACII,MACIII | Physical And Environmental | Master Power Switch | A master power switch or emergency cut-off switch to IT equipment is present. It is located near the main entrance of the IT area and it is labeled and protected by a cover to prevent accidental shut-off. | |
High | SENSITIVE | Physical And Environmental | Physical Protection Of Facilities | Every physical access point to facilities housing workstations that process or display sensitive information or unclassified information that has not been cleared for release is controlled during working hours and guarded or locked during non-work hours. | |
High | CLASSIFIED | Physical And Environmental | Physical Protection Of Facilities | Every physical access point to facilities housing workstations that process or display classified information is guarded or alarmed 24 X 7. Intrusion alarms are monitored. Two (2) forms of identification are required to gain access to the facility (e.g. | |
Low | CLASSIFIED,SENSITIVE | Physical And Environmental | Physical Security Testing | A facility penetration testing process is in place that includes periodic, unannounced attempts to penetrate key computing facilities. | |
Medium | MACI,MACII,MACIII | Physical And Environmental | Screen Lock | Unless there is an overriding technical or operational problem, workstation screen-lock functionality is associated with each workstation. When activated, the screen-lock function places an unclassified pattern onto the entire screen of the workstation, t | |
Medium | CLASSIFIED,SENSITIVE | Physical And Environmental | Workplace Security Procedures | Procedures are implemented to ensure the proper handling and storage of information, such as end-of-day security checks, unannounced security checks, and, where appropriate, the imposition of a two-person rule within the computing facility. | |
High | CLASSIFIED,SENSITIVE | Physical And Environmental | Storage | Documents and equipment are stored in approved containers or facilities with maintenance and accountability procedures that comply with DoD 5200.1-R. | |
Low | MACIII | Physical And Environmental | Temperature Controls | Temperature controls are installed that provide an alarm when temperature fluctuations potentially harmful to personnel or equipment operation are detected; adjustments to heating or cooling systems may be made manually. | |
Medium | MACI,MACII | Physical And Environmental | Temperature Controls | Automatic temperature controls are installed to prevent temperature fluctuations potentially harmful to personnel or equipment operation. | |
Low | MACI,MACII,MACIII | Physical And Environmental | Environmental Control Training | Employees receive initial and periodic training in the operation of environmental controls. | |
High | CLASSIFIED,SENSITIVE | Physical And Environmental | Visitor Control To Computing Facilities | Current signed procedures exist for controlling visitor access and maintaining a detailed log of all visitors to the computing facility. | |
High | MACI,MACII,MACIII | Physical And Environmental | Voltage Regulators | Automatic voltage control is implemented for key IT assets. | |
High | SENSITIVE | Personnel | Access To Information | Individuals requiring access to sensitive information are processed for access authorization in accordance with DoD personnel security policies. | |
High | CLASSIFIED | Personnel | Access To Information | Individuals requiring access to classified information are processed for access authorization in accordance with DoD personnel security policies. | |
High | SENSITIVE,PUBLIC | Personnel | Maintenance Personnel | Maintenance is performed only by authorized personnel. The processes for determining authorization and the list of authorized maintenance personnel are documented. | |
High | CLASSIFIED | Personnel | Maintenance Personnel | Maintenance is performed only by authorized personnel. The processes for determining authorization and the list of authorized maintenance personnel are documented. Except as authorized by the DAA, personnel who perform maintenance on classified DoD informa | |
High | CLASSIFIED,SENSITIVE,PUBLIC | Personnel | Access To Need-to-know Information | Only individuals who have a valid need-to-know that is demonstrated by assigned official Government duties and who satisfy all personnel security criteria (e.g., IT position sensitivity background investigation requirements outlined in DoD 5200.2-R) are g | |
High | MACI,MACII,MACIII | Personnel | Security Rules Of Behavior Or Acceptable Use Policy | A set of rules that describe the IA operations of the DoD information system and clearly delineate IA responsibilities and expected behavior of all personnel is in place. The rules include the consequences of inconsistent behavior or non-compliance. Signe | |
High | CLASSIFIED,SENSITIVE | Personnel | Information Assurance Training | A program is implemented to ensure that upon arrival and periodically thereafter, all personnel receive training and familiarization to perform their assigned IA responsibilities, to include familiarization with their prescribed roles in all IA-related p | |
Medium | MACIII | Vulnerability And Incident Management | Incident Response Planning | An incident response plan exists that identifies the responsible CND Service Provider in accordance with DoD Instruction O-8530.2 and CJCS Instruction 6510.01D, defines reportable incidents, outlines a standard operating procedure for incident response to | |
High | MACI,MACII | Vulnerability And Incident Management | Incident Response Planning | An incident response plan exists that identifies the responsible CND Service Provider in accordance with DoD Instruction O-8530.2 and CJCS Instruction 6510.01D, defines reportable incidents, outlines a standard operating procedure for incident response to | |
Medium | MACI,MACII,MACIII | Vulnerability And Incident Management | Vulnerability Management | A comprehensive vulnerability management process that includes the systematic identification and mitigation of software and hardware vulnerabilities is in place. Wherever system capabilities permit, mitigation is independently validated through inspection |