System and Information Integrity Plan

Approach basics → §4.x

Tooling and one-line summaries that anchor the rest of the plan.

Vulnerability scanning tool * Primary scanner (e.g., 'Tenable.sc', 'Qualys VMDR', 'Rapid7 InsightVM', 'AWS Inspector + Trivy').

Malicious-code protection tooling * AV / EDR platform (e.g., 'CrowdStrike Falcon', 'Microsoft Defender for Endpoint', 'SentinelOne', 'Carbon Black').

System monitoring / detection tooling * IDS / IPS / NDR / EDR feeding monitoring (often the same tool as malware protection plus a network-side counterpart).

Security alert / advisory source summary Brief phrase summarizing where alerts come from. Detail goes in the dedicated sub-section.

Integrity verification mechanism (one-liner) How software / firmware / file integrity is verified (e.g., 'Tripwire FIM + signed Git tags + SBOM verification at build').

Flaw Remediation (SI-2) → §4.x

Vulnerability scanning, patch evaluation, and remediation SLAs.

Vulnerability scan cadence — Select — Continuous (agent-based + cloud-native) Daily authenticated scans Weekly authenticated scans Monthly authenticated scans

Scan scope

All hosts in authorization boundary External-facing (DMZ + public) Container images at build Container runtime Cloud configuration (CSPM) Web application (DAST) Source code (SAST) Software composition (SCA) Network appliances Mobile applications

Patch SLAs by severity Map CVSS / vendor severity to patch SLA. Example: 'Critical (CVSS 9.0+ or KEV catalog): 15 days; High (7.0–8.9): 30 days; Medium (4.0–6.9): 90 days; Low: best-effort.' Federal systems often follow BOD 22-01 timelines for KEVs.

CISA KEV catalog handling How CISA's Known Exploited Vulnerabilities catalog drives expedited remediation. BOD 22-01 timelines if applicable. Reference for federal agencies.

Patch evaluation + deployment workflow From CVE published → tested → CCB approved → deployed → verified. Reference §4 of the CM plan for the change workflow.

Vulnerability exception process When a patch can't be applied within SLA: deviation request, compensating control, time-bound POA&M item.

Malicious Code Protection (SI-3) → §4.x

AV / EDR coverage, signature management, and response on detection.

Coverage

All endpoints Servers Container hosts Email gateway Web proxy / SWG DNS filtering USB / removable media scanning Cloud workload protection (CWPP)

Signature update cadence — Select — Continuous (cloud-delivered, sub-hour) Hourly Daily Multiple times per day per vendor schedule

Detection modes

Signature-based Heuristic / behavioral Machine learning / AI Sandboxing (file detonation) Memory-resident detection Cloud reputation lookup

Default response on detection — Select — Quarantine + alert Block + delete + alert Alert only (audit mode) Configurable per severity

User reporting channel for suspected malware How users report suspected malware (e.g., 'phish report button in email client; ServiceNow Security Incident form').

System Monitoring (SI-4) → §4.x

IDS / IPS / EDR / NDR / WAF and what they monitor for.

Monitoring layers deployed

Network IDS / IPS (NIDS / NIPS) Host-based IDS (HIDS) Endpoint Detection and Response (EDR) Network Detection and Response (NDR) Web Application Firewall (WAF) Runtime Application Self-Protection (RASP) DNS monitoring / DNS filtering DLP (data-loss prevention) Cloud workload protection (CWPP) Anomaly detection (UEBA)

Events monitored for

Authentication anomalies Privilege escalation Network exfiltration Lateral movement Process injection / DLL sideloading Persistence mechanisms Cryptomining / coinminer Ransomware behavior patterns Web exploit attempts SQL injection / OS command injection Reverse shell / C2 beaconing Insider-threat patterns

Alert routing destination Where SI-4 alerts land (typically SIEM + IR ticketing — see §4 of AU and IR plans).

Coverage attestation cadence How often the org attests that all in-scope assets have monitoring agents installed and reporting.

Security Alerts and Advisories (SI-5) → §4.x

Sources of advisories and how they're triaged.

Advisory sources subscribed

CISA (Cybersecurity Advisories + KEV catalog) US-CERT MS-ISAC Sector ISAC (FS / H / E / etc.) Vendor advisories (specific vendors) NVD / CVE feeds Coordinated disclosure platforms (HackerOne / Bugcrowd) Internal red-team / bug bounty

Advisory ingestion mechanism How advisories flow into the workflow (email distribution → triage → ticket; automated TIP / SOAR ingestion).

Advisory triage SLA Time from advisory publication to triage decision (apply / not applicable / monitor / accept risk).

Internal dissemination Who internal to the org receives advisories that affect this system (System Owner, Engineering, ISSO, CCB chair).

Integrity Verification (SI-6, SI-7) → §4.x

Software / firmware / file integrity, and security-function verification.

File integrity monitoring (FIM) tool Tool monitoring the filesystem for unauthorized changes (e.g., 'Tripwire', 'OSSEC / Wazuh', 'AIDE', 'Defender for Endpoint integrity rules').

FIM scope Which files / directories are under FIM (system binaries, config dirs, web content, application code, etc.).

Software / firmware integrity verification Code signing for installed software, signed package repositories, secure boot for firmware. Reference SBOM if applicable.

Security-function verification cadence (SI-6) How often security functions (e.g., crypto, access control) are verified to be operating correctly.

Action on security-function verification failure — Select — Notify security operations + continue Notify + restrict to safe-mode operations Halt the system component Configurable per function

Input Validation (SI-10) → §4.x

How input from users, services, and external sources is validated.

Input validation strategy Whitelist vs blacklist, schema validation, parameterized queries, OWASP ASVS alignment level.

Validation enforcement layers

Web Application Firewall (WAF) API gateway Application middleware Framework-level (e.g., FormRequest, Pydantic, Zod) Database layer (parameterized queries, stored procedures) Client-side (UX hint only — never security boundary)

OWASP ASVS alignment level — Select — Level 1 (basic) Level 2 (standard for most apps) Level 3 (high-assurance) Not formally aligned with ASVS

Review cadence for validation rules How often validation rules are reviewed against new attack patterns (e.g., 'After each major release', 'Quarterly with security').

Error Handling (SI-11) → §4.x

What's exposed in error messages vs what's logged for debugging.

User-facing error policy What users see on errors. Best practice: generic messages with a correlation ID; sensitive details in logs only.

Logged error content What's captured in audit / application logs (stack trace, query, parameters). Reference AU plan privacy_redaction for what's masked.

Error log review cadence How often error logs are reviewed for new failure patterns / security signals.

Information Management & Retention (SI-12) → §4.x

Lifecycle of information stored, processed, or transmitted by the system.

Information categories handled

CUI (Controlled Unclassified Information) PII (Personally Identifiable Information) PHI (Protected Health Information) Payment card data (PCI scope) Federal Tax Information (FTI) Export-controlled data (ITAR / EAR) Trade secret / proprietary Public / open data

Retention schedule reference NARA records schedule, organizational records-retention policy, or contractual reference (e.g., 'NARA GRS 4.2 for security records; per data-sharing-agreement Sec 8 for partner data').

Disposal method How records are destroyed at end of retention. Reference NIST SP 800-88 r1 sanitization requirements + MP-6.

Information quality controls (SI-18) How accuracy / completeness / currency of stored information is maintained, especially for PII (per SI-18).

Integrity Scope and Coverage → §2.x

What's in scope for monitoring, scanning, and integrity protection.

Total endpoints in scope Approximate count of hosts / containers / VMs requiring monitoring + AV/EDR coverage.

External-facing components count Public-facing surface (web servers, APIs, etc.) — typically more frequently scanned.

Data volume protected (approximate) Order of magnitude (e.g., '5 TB application data; ~50M user records').

Integrity Metrics & KPIs → §6.x

Metrics tracked to demonstrate SI control effectiveness.

Tracked metrics

Add item

Suggested: + % Critical vulnerabilities patched within SLA + % High vulnerabilities patched within SLA + Mean time to patch (MTTP) — Critical + % KEV-catalog vulns affecting system + SLA compliance + Endpoint coverage rate (% reporting in last 24h) + Malware detections per quarter (trend) + Malware-to-removal mean time + FIM unauthorized change events (target: 0) + Alert false-positive rate + Open POA&M items linked to SI controls

Monitoring Coverage Verification → §6.x

How the org continuously verifies SI tooling is actually deployed everywhere it should be.

Coverage-gap detection mechanism How assets without required SI agents are detected (CMDB ↔ EDR roster reconciliation; nightly diff job).

Coverage-gap remediation SLA Time from detection to gap closed (e.g., 'Within 24h for production'; '7 days otherwise').

Cross-references to other RMF artifacts → §7

Where this plan plugs into the broader RMF package.

SSP section reference Where in the SSP the SI control implementations are summarized (e.g., 'SSP §13.10').

POA&M ID prefix for SI findings Convention for SI-related POA&M items (e.g., 'POAM-SI-' for general; 'POAM-SI2-' for vuln-specific).

AU event handoff How SI-4 monitoring events flow into the audit pipeline (SIEM index, log sources, retention).

IR signal handoff How SI-3 / SI-4 / SI-7 detections become incidents in the IR plan workflow.

RA-5 vulnerability data consumption How SI-2 flaw remediation consumes RA-5 vulnerability scans. Tooling, frequency, ticket queue.

CM change-workflow integration How patches feed through the CM-3 change-control workflow. Emergency-patch pathway.

CA-7 continuous-monitoring strategy reference Pointer to the CA-7 monitoring strategy document tying SI continuous-monitoring metrics to the broader ConMon plan.