8500-2 DIACAP - Security Controls -       


Information security controls protect the confidentiality, integrity and/or availability of information (the so-called CIA Triad). Again, some would add further categories such as non-repudiation and accountability, depending on how narrowly or broadly the CIA Triad is defined.

Individual controls are often designed to act together to increase effective protection. Systems of controls can be referred to as frameworks or standards. Frameworks can enable an organization to manage security controls across different types of assets with consistency. For example, a framework can help an organization manage controls over access regardless of the type of computer operating system. This also enables an organization to assess overall risk. Risk-aware organizations may choose proactively to specify, design, implement, operate and maintain their security controls, usually by assessing the risks and implementing a comprehensive security management framework such as ISO27001:2013, the Information Security Forum's Standard of Good Practice for Information Security, or NIST SP 800-53.

Control Impact Code MAC Level / Confidentiality Subject Area Title Description
Medium MACIII Continuity Alternate Site Designation An alternate site is identified that permits the partial restoration of mission or business essential functions.
High MACI,MACII Continuity Alternate Site Designation An alternate site is identified that permits the restoration of all mission or business essential functions.
High MACI,MACII,MACIII Continuity Protection Of Backup And Restoration Assets Procedures are in place assure the appropriate physical and technical protection of the backup and restoration hardware, firmware, and software, such as router tables, compilers, and other security-related system software.
Low MACIII Continuity Data Backup Procedures Data backup is performed at least weekly.
Medium MACII Continuity Data Backup Procedures Data backup is performed daily, and recovery media are stored off-site at a location that affords protection of the data in accordance with its mission assurance category and confidentiality level.
Medium MACI Continuity Data Backup Procedures Data backup is accomplished by maintaining a redundant secondary system, not co-located, that can be activated without loss of data or disruption to the operation.
Low MACIII Continuity Disaster And Recovery Planning A disaster plan exists that provides for the partial resumption of mission or business essential functions within 5 days of activation. (Disaster recovery procedures include business recovery plans, system contingency plans, facility disaster recovery pla
Medium MACII Continuity Disaster And Recovery Planning A disaster plan exists that provides for the resumption of mission or business essential functions within 24 hours of activation. (Disaster recovery procedures include business recovery plans, system contingency plans, facility disaster recovery plans, an
Medium MACI Continuity Disaster And Recovery Planning A disaster plan exists that provides for the smooth transfer of all mission or business essential functions to an alternate site for the duration of an event with little or no loss of operational continuity. (Disaster recovery procedures include business
Medium MACII,MACIII Continuity Enclave Boundary Defense Enclave boundary defense at the alternate site provides security measures equivalent to the primary site.
High MACI Continuity Enclave Boundary Defense Enclave boundary defense at the alternate site must be configured identically to that of the primary site.
Low MACII,MACIII Continuity Scheduled Exercises And Drills The continuity of operations or disaster recovery plans are exercised annually.
Medium MACI Continuity Scheduled Exercises And Drills The continuity of operations or disaster recovery plans or significant portions are exercised semi-annually.
Low MACIII Continuity Identification Of Essential Functions Mission and business essential functions are identified for priority restoration planning.
Medium MACI,MACII Continuity Identification Of Essential Functions Mission and business-essential functions are identified for priority restoration planning along with all assets supporting mission or business-essential functions (e.g., computer-based services, data and applications, communications, physical infrastructu
Low MACIII Continuity Maintenance Support Maintenance support for key IT assets is available to respond within 24 hours of failure.
Medium MACI,MACII Continuity Maintenance Support Maintenance support for key IT assets is available to respond 24 X 7 immediately upon failure.
Low MACIII Continuity Power Supply Electrical power is restored to key IT assets by manually activated power generators upon loss of electrical power from the primary source.
Medium MACII Continuity Power Supply Electrical systems are configured to allow continuous or uninterrupted power to key IT assets. This may include an uninterrupted power supply coupled with emergency generators.
Medium MACI Continuity Power Supply Electrical systems are configured to allow continuous or uninterrupted power to key IT assets and all users accessing the key IT assets to perform mission or business-essential functions. This may include an uninterrupted power supply coupled with emergen
Low MACII,MACIII Continuity Spares And Parts Maintenance spares and spare parts for key IT assets can be obtained within 24 hours of failure.
Medium MACI Continuity Spares And Parts Maintenance spares and spare parts for key IT assets are available 24 X 7 immediately upon failure.
High MACI,MACII,MACIII Continuity Backup Copies Of Critical Sw Back-up copies of the operating system and other critical software are stored in a fire rated container or otherwise not collocated with the operational software.
High MACI,MACII,MACIII Continuity Trusted Recovery Recovery procedures and technical system features exist to ensure that recovery is done in a secure and verifiable manner. Circumstances that can inhibit a trusted recovery are documented and appropriate mitigating procedures have been put in place.
Medium MACI,MACII,MACIII Security Design And Configuration Procedural Review An annual IA review is conducted that comprehensively evaluates existing policies and processes to ensure procedural consistency and to ensure that they fully support the goal of uninterrupted operations.
High CLASSIFIED,SENSITIVE,PUBLIC Security Design And Configuration Acquisition Standards The acquisition of all IA- and IA-enabled GOTS IT products is limited to products that have been evaluated by the NSA or in accordance with NSA-approved processes. The acquisition of all IA- and IA-enabled COTS IT products is limited to products that have
Medium MACI,MACII,MACIII Security Design And Configuration Best Security Practices The DoD information system security design incorporates best security practices such as single sign-on, PKE, smart card, and biometrics.
Low Security Design And Configuration Control Board All DoD information systems are under the control of a chartered configuration control board that meets regularly according to DCPR-1.
Medium MACI,MACII,MACIII Security Design And Configuration Control Board All information systems are under the control of a chartered Configuration Control Board that meets regularly according to DCPR-1. The IAM is a  voting member of the CCB.
High MACIII Security Design And Configuration Configuration Specifications A DoD reference document, such as a security technical implementation guide or security recommendation guide constitutes the primary source for security configuration or implementation guidance for the deployment of newly acquired IA- and IA-enabled IT pr
High MACI,MACII Security Design And Configuration Configuration Specifications A DoD reference document such as a security technical implementation guide or security recommendation guide constitutes the primary source for security configuration or implementation guidance for the deployment of newly acquired IA- and IA-enabled IT pro
Medium MACI,MACII,MACIII Security Design And Configuration Compliance Testing A comprehensive set of procedures is implemented that tests all patches, upgrades, and new AIS applications prior to deployment.
Medium MACI,MACII,MACIII Security Design And Configuration Dedicated Ia Services Acquisition or outsourcing of dedicated IA services such as incident monitoring, analysis and response; operation of IA devices such as firewalls; or key management services are supported by a formal risk analysis and approved by the DoD Component CIO.
Medium MACI,MACII,MACIII Security Design And Configuration Functional Architecture For Ais Applications For AIS applications, a functional architecture that identifies the following has been developed and is maintained: - all external interfaces, the information being exchanged, and the protection mechanisms associated with each interface - user roles requi
High MACI,MACII,MACIII Security Design And Configuration Hw Baseline A current and comprehensive baseline inventory of all hardware (HW) (to include manufacturer, type, model, physical location and network topology or architecture) required to support enclave operations is maintained by the Configuration Control Board (CCB
High MACI,MACII,MACIII Security Design And Configuration Interconnection Documentation For AIS applications, a list of all (potential) hosting enclaves is developed and maintained along with evidence of deployment planning and coordination and the exchange of connection rules and requirements. For enclaves, a list of all hosted AIS applicat
Medium MACI,MACII,MACIII Security Design And Configuration Ia Impact Assessment Changes to the DoD information system are assessed for IA and accreditation impact prior to implementation.
High MACI,MACII,MACIII Security Design And Configuration Ia For It Services Acquisition or outsourcing of IT services explicitly addresses Government, service provider, and end user IA roles and responsibilities.
Medium MACI,MACII,MACIII Security Design And Configuration Mobile Code The acquisition, development, and/or use of mobile code to be deployed in DoD systems meets the following requirements: 1. Emerging mobile code technologies that have not undergone a risk assessment by NSA and been assigned to a Risk Category by the DoD C
Medium MACI,MACII,MACIII Security Design And Configuration Non-repudiation NIST FIPS 140-2 validated cryptography (e.g., DoD PKI class 3 or 4 token) is used to implement encryption (e.g., AES, 3DES, DES, Skipjack), key exchange (e.g., FIPS 171), digital signature (e.g., DSA, RSA, ECDSA), and hash (e.g., SHA-1, SHA-256, SHA-384,
Low MACI,MACII Security Design And Configuration Partitioning The Application User interface services (e.g., web services) are physically or logically separated from data storage and management services (e.g., database management systems). Separation may be accomplished through the use of different computers, different CPUs, differ
High MACI,MACII Security Design And Configuration Ia Program And Budget A discrete line item for Information Assurance is established in programming and budget documentation.
Medium MACI,MACII,MACIII Security Design And Configuration Public Domain Software Controls Binary or machine executable public domain software products and other software products with limited or no warranty such as those commonly known as freeware or shareware are not used in DoD information systems unless they are necessary for mission accomp
Medium MACI,MACII,MACIII Security Design And Configuration Ports, Protocols, And Services DoD information systems comply with DoD ports, protocols, and services guidance. AIS applications, outsourced IT-based processes and platform IT identify the network ports, protocols, and services they plan to use as early in the life cycle as possible an
High MACI,MACII,MACIII Security Design And Configuration Cm Process A configuration management (CM) process is implemented that includes requirements for: 1. Formally documented CM roles, responsibilities, and procedures to include the management of IA information and documentation; 2. A configuration control board that i
High MACI,MACII,MACIII Security Design And Configuration Ia Documentation All appointments to required IA roles (e.g., DAA and IAM/IAO) are established in writing, to include assigned duties and appointment criteria such as training, security clearance, and IT-designation. A System Security Plan is established that describes th
Medium MACI,MACII,MACIII Security Design And Configuration System Library Management Controls System libraries are managed and maintained to protect privileged programs and to prevent or minimize the introduction of unauthorized code.
Medium MACI,MACII Security Design And Configuration Security Support Structure Partitioning The security support structure is isolated by means of partitions, domains, etc., including control of access to, and integrity of, hardware, software, and firmware that perform security functions. The security support structure maintains separate executi
Medium MACI,MACII,MACIII Security Design And Configuration Software Quality Software quality requirements and validation methods that are focused on the minimization of flawed or malformed software that can negatively impact integrity or availability (e.g., buffer overruns) are specified for all software development initiatives.
High PUBLIC Security Design And Configuration Specified Robustness - Basic At a minimum, basic-robustness COTS IA and IA-enabled products are used to protect publicly released information from malicious tampering or destruction and ensure its availability. The basic-robustness requirements for products are defined in the Protect
High SENSITIVE Security Design And Configuration Specified Robustness - Medium At a minimum, medium-robustness COTS IA and IA-enabled products are used to protect sensitive information when the information transits public networks or the system handling the information is accessible by individuals who are not authorized to access th
High CLASSIFIED Security Design And Configuration Specified Robustness – High Only high-robustness GOTS or COTS IA and IA-enabled IT products are used to protect classified information when the information transits networks that are at a lower classification level than the information being transported. High-robustness products hav
High MACIII Security Design And Configuration System State Changes System initialization, shutdown, and aborts are configured to ensure that the system remains in a secure state.
High MACI,MACIICLASSIFIED Security Design And Configuration System State Changes System initialization, shutdown, and aborts are configured to ensure that the system remains in a secure state. Tests are provided and periodically run to ensure the integrity of the system state.
High MACI,MACII,MACIII Security Design And Configuration Sw Baseline A current and comprehensive baseline inventory of all software (SW) (to include manufacturer, type, and version and installation manuals and procedures) required to support DoD information system operations is maintained by the CCB and as part of the C&A
Low PUBLIC Enclave Boundary Defense Boundary Defense Boundary defense mechanisms to include firewalls and network intrusion detection systems (IDS) are deployed at the enclave boundary to the wide area network, and Internet access is permitted from a demilitarized zone (DMZ) that meets the DoD requirement t
Medium SENSITIVE Enclave Boundary Defense Boundary Defense Boundary defense mechanisms, to include firewalls and network intrusion detection systems (IDS) are deployed at the enclave boundary to the wide area network, at layered or internal enclave boundaries, or at key points in the network, as required.  All I
High CLASSIFIED Enclave Boundary Defense Boundary Defense Boundary defense mechanisms to include firewalls and network intrusion detection systems (IDS) are deployed at the enclave boundary to the wide area network, and at layered or internal enclave boundaries and key points in the network as required. All Inte
Medium MACI,MACII,MACIII Enclave Boundary Defense Connection Rules The DoD information system is compliant with established DoD connection rules and approval processes.
High SENSITIVE,PUBLIC Enclave Boundary Defense Public Wan Connection Connections between DoD enclaves and the Internet or other public or commercial wide area networks require a demilitarized zone (DMZ).
High CLASSIFIED,SENSITIVE Enclave Boundary Defense Remote Access For Privileged Functions Remote access for privileged functions is discouraged, is permitted only for compelling operational needs, and is strictly controlled. In addition to EBRU-1, sessions employ security measures such as a VPN with blocking mode enabled. A complete audit trai
High CLASSIFIED,SENSITIVE Enclave Boundary Defense Remote Access For User Functions All remote access to DoD information systems, to include telework access, is mediated through a managed access control point, such as a remote access server in a DMZ. Remote access always uses encryption to protect the confidentiality of the session. The
Medium MACI,MACII,MACIII Enclave Boundary Defense Vpn Controls All VPN traffic is visible to network intrusion detection systems (IDS).
Medium CLASSIFIED,SENSITIVE Enclave Computing Environment Affiliation Display To help prevent inadvertent disclosure of controlled information, all contractors are identified by the inclusion of the abbreviation "ctr" and all foreign nationals are identified by the inclusion of their two character country code in: - DoD user e-mail
High CLASSIFIED,SENSITIVE Enclave Computing Environment Access For Need-to-know Access to all DoD information (classified, sensitive, and public) is determined by both its classification and user need-to-know. Need-to-know is established by the Information Owner and enforced by discretionary or role-based access controls. Access cont
Low PUBLIC Enclave Computing Environment Audit Record Content – Public Systems Audit records include:   · User ID.   · Successful and unsuccessful attempts to access security files.   · Date and time of the event.   · Type of event.
Medium SENSITIVE Enclave Computing Environment Audit Record Content – Sensitive Systems Audit records include:   · User ID.   · Successful and unsuccessful attempts to access security files.   · Date and time of the event.   · Type of event.   · Success or failure of event.   · Successful and unsuccessful logons.   · Den
High CLASSIFIED Enclave Computing Environment Audit Record Content – Classified Systems Audit records include:   · User ID.   · Successful and unsuccessful attempts to access security files.   · Date and time of the event.   · Type of event.   · Success or failure of event.   · Successful and unsuccessful logons.   · Den
Low MACIIISENSITIVE,PUBLIC Enclave Computing Environment Audit Trail, Monitoring, Analysis And Reporting Audit trail records from all available sources are regularly reviewed for indications of inappropriate or unusual activity. Suspected violations of IA policies are analyzed and reported in accordance with DoD information system IA procedures.
Medium MACI,MACIICLASSIFIED Enclave Computing Environment Audit Trail, Monitoring, Analysis And Reporting An automated, continuous on-line monitoring and audit trail creation capability is deployed with the capability to immediately alert personnel of any unusual or inappropriate activity with potential IA implications, and with a user configurable capability
Medium MACIII Enclave Computing Environment Changes To Data Access control mechanisms exist to ensure that data is accessed and changed only by authorized personnel.
High MACI,MACIICLASSIFIED Enclave Computing Environment Changes To Data Access control mechanisms exist to ensure that data is accessed and changed only by authorized personnel. Access and changes to the data are recorded in transaction logs that are reviewed periodically or immediately upon system security events. Users are
High CLASSIFIED Enclave Computing Environment Comsec COMSEC activities comply with DoD Directive C-5200.5.
Low SENSITIVE Enclave Computing Environment Encryption For Confidentiality (data At Rest) If required by the information owner, NIST-certified cryptography is used to encrypt stored sensitive information.
Medium CLASSIFIED Enclave Computing Environment Encryption For Confidentiality (data At Rest) If required by the information owner, NIST-certified cryptography is used to encrypt stored classified non-SAMI information.
High CLASSIFIED Enclave Computing Environment Encryption For Confidentiality (data At Rest) If a classified enclave contains SAMI and is accessed by individuals lacking an appropriate clearance for SAMI, then NSA-approved cryptography is used to encrypt all SAMI stored within the enclave.
Medium SENSITIVE Enclave Computing Environment Encryption For Confidentiality (data At Transmit) Unclassified, sensitive data transmitted through a commercial or wireless network are encrypted using NIST-certified cryptography (See also DCSR-2).
High CLASSIFIED Enclave Computing Environment Encryption For Confidentiality (data At Transmit) Classified data transmitted through a network that is cleared to a lower level than the data being transmitted are separately encrypted using NSA-approved cryptography (See also DCSR-3).
Medium MACI,MACII Enclave Computing Environment Data Change Controls Transaction-based systems (e.g., database management systems, transaction processing systems) implement transaction roll-back and transaction journaling, or technical equivalents.
Medium CLASSIFIED,SENSITIVE Enclave Computing Environment Interconnections Among Dod Systems And Enclaves Discretionary access controls are a sufficient IA mechanism for connecting DoD information systems operating at the same classification, but with different need-to-know access rules. A controlled interface is required for interconnections among DoD inform
Medium MACI,MACII Enclave Computing Environment Host Based Ids Host-based intrusion detection systems are deployed for major applications and for network management assets, such as routers, switches, and domain name servers (DNS).
Medium MACI,MACII,MACIII Enclave Computing Environment Instant Messaging Instant messaging traffic to and from instant messaging clients that are independently configured by end users and that interact with a public service provider is prohibited within DoD information systems. Both inbound and outbound public service instant
Low CLASSIFIED Enclave Computing Environment Audit Of Security Label Changes The system automatically records the creation, deletion, or modification of confidentiality or integrity labels, if required by the information owner.
Medium SENSITIVE Enclave Computing Environment Logon Successive logon attempts are controlled using one or more of the following:   · Access is denied after multiple unsuccessful logon attempts.   · The number of access attempts in a given period is limited.   · A time-delay control system is emplo
Medium CLASSIFIED Enclave Computing Environment Logon Successive logon attempts are controlled using one or more of the following:   · Access is denied after multiple unsuccessful logon attempts.   · The number of access attempts in a given period is limited.   · A time-delay control system is emplo
High CLASSIFIED,SENSITIVE,PUBLIC Enclave Computing Environment Least Privilege Access procedures enforce the principles of separation of duties and "least privilege."  Access to privileged accounts is limited to privileged users. Use of privileged accounts is limited to privileged functions; that is, privileged users use non-privil
High CLASSIFIED,SENSITIVE Enclave Computing Environment Marking And Labeling Information and DoD information systems that store, process, transit, or display data in any form or format that is not approved for public release comply with all requirements for marking and labeling contained in policy and guidance documents such as Do
Low SENSITIVE,PUBLIC Enclave Computing Environment Conformance Monitoring And Testing Conformance testing that includes periodic, unannounced in-depth monitoring and provides for specific penetration testing to ensure compliance with all vulnerability mitigation procedures such as the DoD IAVA or other DoD IA practices is planned, schedule
Medium CLASSIFIED Enclave Computing Environment Conformance Monitoring And Testing Conformance testing that includes periodic, unannounced in-depth monitoring and provides for specific penetration testing to ensure compliance with all vulnerability mitigation procedures such as the DoD IAVA or other DoD IA practices is planned, schedule
Low MACIII Enclave Computing Environment Network Device Controls An effective network device control program (e.g., routers, switches, firewalls) is implemented and includes: instructions for restart and recovery procedures; restrictions on source code access, system utility access, and system documentation; protection
Medium MACI,MACII Enclave Computing Environment Network Device Controls An effective network device control program (e.g., routers, switches, firewalls) is implemented and includes: instructions for restart and recovery procedures; restrictions on source code access, system utility access, and system documentation; protection
Medium CLASSIFIED,SENSITIVE Enclave Computing Environment Encryption For Need-to-know Information in transit through a network at the same classification level, but which must be separated for need-to-know reasons, is encrypted, at a minimum, with NIST-certified cryptography. This is in addition to ECCT (encryption for confidentiality –
Medium CLASSIFIED Enclave Computing Environment Encryption For Need-to-know SAMI information in transit through a network at the same classification level is encrypted using NSA-approved cryptography. This is to separate it for need-to-know reasons. This is in addition to ECCT (encryption for confidentiality – data in transit).
High MACI,MACII,MACIII Enclave Computing Environment Privileged Account Control All privileged user accounts are established and administered in accordance with a role-based access scheme that organizes all system and network privileges into roles (e.g., key management, network, system administration, database administration, web-adm
Medium MACIII Enclave Computing Environment Production Code Change Controls Application programmer privileges to change production code and data are limited and are periodically reviewed.
Medium MACI,MACII Enclave Computing Environment Production Code Change Controls Application programmer privileges to change production code and data are limited and reviewed every 3 months.
Medium CLASSIFIED,SENSITIVE Enclave Computing Environment Resource Control All authorizations to the information contained within an object are revoked prior to initial assignment, allocation, or reallocation to a subject from the system's pool of unused objects. No information, including encrypted representations of information
Low MACI,MACII,MACIII Enclave Computing Environment Audit Reduction And Report Generation Tools are available for the review of audit records and for report generation from audit records.
Medium CLASSIFIED,SENSITIVE,PUBLIC Enclave Computing Environment Audit Record Retention If the DoD information system contains sources and methods intelligence (SAMI), then audit records are retained for 5 years. Otherwise, audit records are retained for at least 1 year.
High MACI,MACII,MACIII Enclave Computing Environment Security Configuration Compliance For Enclaves and AIS applications, all DoD security configuration or implementation guides have been applied.
Medium MACIII Enclave Computing Environment Software Development Change Controls Change controls for software development are in place to prevent unauthorized programs or modifications to programs from being implemented.
High MACI,MACII Enclave Computing Environment Software Development Change Controls Change controls for software development are in place to prevent unauthorized programs or modifications to programs from being implemented. Change controls include review and approval of application change requests and technical system features to assure
Medium MACI,MACIICLASSIFIED Enclave Computing Environment Audit Trail Backup The audit records are backed up not less than weekly onto a different system or media than the system being audited.
High CLASSIFIED,SENSITIVE Enclave Computing Environment Tempest Controls Measures to protect against compromising emanations have been implemented according to DoD Directive S-5200.19.
Medium MACIII Enclave Computing Environment Transmission Integrity Controls Good engineering practices with regards to the integrity mechanisms of COTS, GOTS and custom developed solutions are implemented for incoming and outgoing files, such as parity checks and cyclic redundancy checks (CRCs).
Medium MACI,MACII Enclave Computing Environment Transmission Integrity Controls Good engineering practices with regards to the integrity mechanisms of COTS, GOTS, and custom developed solutions are implemented for incoming and outgoing files, such as parity checks and cyclic redundancy checks (CRCs). Mechanisms are in place to assure
Medium MACI,MACII,MACIII Enclave Computing Environment Audit Trail Protection The contents of audit trails are protected against unauthorized access, modification or deletion.
Medium MACI,MACII,MACIII Enclave Computing Environment Voice-over-ip (voip) Protection Voice over Internet Protocol (VoIP) traffic to and from workstation IP telephony clients that are independently configured by end users for personal use is prohibited within DoD information systems. Both inbound and outbound individually configured voice
High MACI,MACII,MACIII Enclave Computing Environment Virus Protection All Servers, workstations and mobile computing devices (i.e. laptop, PDAs) implement virus protection that includes a capability for automatic updates.
Low CLASSIFIED,SENSITIVE,PUBLIC Enclave Computing Environment Warning Message All users are warned that they are entering a Government information system, and are provided with appropriate privacy and security notices to include statements informing them that they are subject to monitoring, recording and auditing.
High MACI,MACII,MACIII Enclave Computing Environment Wireless Computing And Network Wireless computing and networking capabilities from workstations, laptops, personal digital assistants (PDAs), handheld computers, cellular phones, or other portable electronic devices are implemented in accordance with DoD wireless policy, as issued. (Se
High CLASSIFIED,SENSITIVE Identification And Authentication Account Control A comprehensive account management process is implemented to ensure that only authorized users can gain access to workstations, applications, and networks and that individual accounts designated as inactive, suspended, or terminated are promptly deactivat
Medium CLASSIFIED,SENSITIVE Identification And Authentication Group Authentication Group authenticators for application or network access may be used only in conjunction with an individual authenticator. Any use of group authenticators not based on the DoD PKI has been explicitly approved by the Designated Approving Authority (DAA).
High SENSITIVE Identification And Authentication Individual Identification And Authentication DoD information system access is gained through the presentation of an individual identifier (e.g., a unique token or user login ID) and password. For systems utilizing a logon ID as the individual identifier, passwords are, at a minimum, a case sensitive
High CLASSIFIED Identification And Authentication Individual Identification And Authentication DoD information system access is gained through the presentation of an individual identifier (e.g., a unique token or user logon ID) and password. For systems utilizing a logon ID as the individual identifier, passwords are, at a minimum, a case sensitive
Medium MACIII Identification And Authentication Key Management Symmetric Keys are produced, controlled, and distributed using NIST-approved key management technology and processes. Asymmetric Keys are produced, controlled, and distributed using DoD PKI Class 3 certificates or pre-placed keying material.
Medium MACI,MACII Identification And Authentication Key Management Symmetric Keys are produced, controlled and distributed using NSA-approved key management technology and processes. Asymmetric Keys are produced, controlled, and distributed using DoD PKI Medium Assurance or High Assurance  certificates and hardware secu
Medium CLASSIFIED Identification And Authentication Key Management Symmetric and asymmetric keys are produced, controlled and distributed using NSA-approved key management technology and processes.
Medium MACIII Identification And Authentication Token And Certificate Standards Identification and authentication is accomplished using the DoD PKI Class 3 certificate and hardware security token (when available).
Medium MACI,MACII Identification And Authentication Token And Certificate Standards Identification and authentication is accomplished using the DoD PKI Class 3 or 4 certificate and hardware security token (when available) or an NSA-certified product.
High SENSITIVE Physical And Environmental Access To Computing Facilities Only authorized personnel with a need-to-know are granted physical access to computing facilities that process sensitive information or unclassified information that has not been cleared for release.
High CLASSIFIED Physical And Environmental Access To Computing Facilities Only authorized personnel with appropriate clearances are granted physical access to computing facilities that process classified information.
High SENSITIVE Physical And Environmental Clearing And Sanitizing All documents, equipment, and machine-readable media containing sensitive data are cleared and sanitized before being released outside of the Department of Defense according to DoD 5200.1-R and ASD(C3I) Memorandum, dated June 4, 2001, subject: "Dispositio
High CLASSIFIED Physical And Environmental Clearing And Sanitizing All documents, equipment, and machine-readable media containing classified data are cleared and sanitized before being released outside its security domain according to DoD 5200.1-R.
High CLASSIFIED Physical And Environmental Destruction All documents, machine-readable media, and equipment are destroyed using procedures that comply with DoD policy (e.g., DoD 5200.1-R).
High CLASSIFIED,SENSITIVE Physical And Environmental Data Interception Devices that display or output classified or sensitive information in human-readable form are positioned to deter unauthorized individuals from reading the information.
Low MACIII Physical And Environmental Emergency Lighting An automatic emergency lighting system is installed that covers emergency exits and evacuation routes.
Medium MACI,MACII Physical And Environmental Emergency Lighting An automatic emergency lighting system is installed that covers all areas necessary to maintain mission or business essential functions, to include emergency exits and evacuation routes.
High MACIII Physical And Environmental Fire Detection Battery-operated or electric stand-alone smoke detectors are installed in the facility.
High MACI,MACII Physical And Environmental Fire Detection A servicing fire department receives an automatic notification of any activation of the smoke detection or fire suppression system.
Medium MACI,MACII,MACIII Physical And Environmental Fire Inspection Computing facilities undergo a periodic fire marshal inspection. Deficiencies are promptly resolved.
Medium MACIII Physical And Environmental Fire Suppression Handheld fire extinguishers or fixed fire hoses are available should an alarm be sounded or a fire be detected.
High MACI,MACII Physical And Environmental Fire Suppression A fully automatic fire suppression system is installed that automatically activates when it detects heat, smoke, or particles.
Medium MACIII Physical And Environmental Humidity Controls Humidity controls are installed that provide an alarm of fluctuations potentially harmful to personnel or equipment operation; adjustments to humidifier/de-humidifier systems may be made manually.
Medium MACI,MACII Physical And Environmental Humidity Controls Automatic humidity controls are installed to prevent humidity fluctuations potentially harmful to personnel or equipment operation.
High MACI,MACII,MACIII Physical And Environmental Master Power Switch A master power switch or emergency cut-off switch to IT equipment is present. It is located near the main entrance of the IT area and it is labeled and protected by a cover to prevent accidental shut-off.
High SENSITIVE Physical And Environmental Physical Protection Of Facilities Every physical access point to facilities housing workstations that process or display sensitive information or unclassified information that has not been cleared for release is controlled during working hours and guarded or locked during non-work hours.
High CLASSIFIED Physical And Environmental Physical Protection Of Facilities Every physical access point to facilities housing workstations that process or display classified information is guarded or alarmed 24 X 7. Intrusion alarms are monitored.  Two (2) forms of identification are required to gain access to the facility (e.g.
Low CLASSIFIED,SENSITIVE Physical And Environmental Physical Security Testing A facility penetration testing process is in place that includes periodic, unannounced attempts to penetrate key computing facilities.
Medium MACI,MACII,MACIII Physical And Environmental Screen Lock Unless there is an overriding technical or operational problem, workstation screen-lock functionality is associated with each workstation. When activated, the screen-lock function places an unclassified pattern onto the entire screen of the workstation, t
Medium CLASSIFIED,SENSITIVE Physical And Environmental Workplace Security Procedures Procedures are implemented to ensure the proper handling and storage of information, such as end-of-day security checks, unannounced security checks, and, where appropriate, the imposition of a two-person rule within the computing facility.
High CLASSIFIED,SENSITIVE Physical And Environmental Storage Documents and equipment are stored in approved containers or facilities with maintenance and accountability procedures that comply with DoD 5200.1-R.
Low MACIII Physical And Environmental Temperature Controls Temperature controls are installed that provide an alarm when temperature fluctuations potentially harmful to personnel or equipment operation are detected; adjustments to heating or cooling systems may be made manually.
Medium MACI,MACII Physical And Environmental Temperature Controls Automatic temperature controls are installed to prevent temperature fluctuations potentially harmful to personnel or equipment operation.
Low MACI,MACII,MACIII Physical And Environmental Environmental Control Training Employees receive initial and periodic training in the operation of environmental controls.
High CLASSIFIED,SENSITIVE Physical And Environmental Visitor Control To Computing Facilities Current signed procedures exist for controlling visitor access and maintaining a detailed log of all visitors to the computing facility.
High MACI,MACII,MACIII Physical And Environmental Voltage Regulators Automatic voltage control is implemented for key IT assets.
High SENSITIVE Personnel Access To Information Individuals requiring access to sensitive information are processed for access authorization in accordance with DoD personnel security policies.
High CLASSIFIED Personnel Access To Information Individuals requiring access to classified information are processed for access authorization in accordance with DoD personnel security policies.
High SENSITIVE,PUBLIC Personnel Maintenance Personnel Maintenance is performed only by authorized personnel. The processes for determining authorization and the list of authorized maintenance personnel is documented.
High CLASSIFIED Personnel Maintenance Personnel Maintenance is performed only by authorized personnel. The processes for determining authorization and the list of authorized maintenance personnel is documented. Except as authorized by the DAA, personnel who perform maintenance on classified DoD informa
High CLASSIFIED,SENSITIVE,PUBLIC Personnel Access To Need-to-know Information Only individuals who have a valid need-to-know that is demonstrated by assigned official Government duties and who satisfy all personnel security criteria (e.g., IT position sensitivity background investigation requirements outlined in DoD 5200.2-R) are g
High MACI,MACII,MACIII Personnel Security Rules Of Behavior Or Acceptable Use Policy A set of rules that describe the IA operations of the DoD information system and clearly delineate IA responsibilities and expected behavior of all personnel is in place. The rules include the consequences of inconsistent behavior or non-compliance. Signe
High CLASSIFIED,SENSITIVE Personnel Information Assurance Training A program is implemented to ensure that upon arrival and periodically thereafter, all personnel receive training and familiarization to perform their assigned IA responsibilities, to include familiarization with their prescribed roles in all IA- related p
Medium MACIII Vulnerability And Incident Management Incident Response Planning An incident response plan exists that identifies the responsible CND Service Provider in accordance with DoD Instruction O-8530.2 and CJCS Instruction 6510.01D, defines reportable incidents, outlines a standard operating procedure for incident response to
High MACI,MACII Vulnerability And Incident Management Incident Response Planning An incident response plan exists that identifies the responsible CND Service Provider in accordance with DoD Instruction O-8530.2 and CJCS Instruction 6510.01D, defines reportable incidents, outlines a standard operating procedure for incident response to
Medium MACI,MACII,MACIII Vulnerability And Incident Management Vulnerability Management A comprehensive vulnerability management process that includes the systematic identification and mitigation of software and hardware vulnerabilities is in place. Wherever system capabilities permit, mitigation is independently validated through inspection